[webkit-qt] [Qt] HTTP header injection vulnerability (QWebPage::userAgentForUrl)

Jarred Nicholls jarred at sencha.com
Thu Sep 22 06:00:06 PDT 2011

On Thu, Sep 22, 2011 at 3:16 AM, Ariya Hidayat <ariya.hidayat at gmail.com> wrote:

> "vulnerability" is too strong a word for this case.

Right. It's not really a security issue and more of a straight up ugly bug.
If I set my user agent to "blah blah\nwhoops I left a newline in there" I
wouldn't expect my result to be "blah blah" when I pull the header on the
server side.

> The way I look at it is more like enforcing this contract:
>  Setting a user agent should not falsify any other part of the HTTP
> header sent to the server.
> Note that some advanced QtWebKit-based browser may want to give its
> user the option to set a custom user agent. While it does make sense
> to enforce that contract at the level of the API user (i.e. in the
> said browser), it still does make sense to enforce it also within
> (Qt)WebKit.
> --
> Ariya Hidayat, http://ariya.ofilabs.com


Jarred Nicholls, Senior Software Architect
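
The contract discussed in this message, sketched as an added example (not part of the original e-mail and not QtWebKit code): a serializer that refuses any header value containing CR, LF or NUL, next to one that writes values as given. All function names are hypothetical, and the user-agent string is the one quoted in the message.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Hypothetical names for illustration; this is not QtWebKit code.
typedef std::pair<std::string, std::string> Header;

// The contract: a header value must not contain CR, LF or NUL, because
// anything after a line break is read as a separate line of the header block.
bool isSafeHeaderValue(const std::string& value) {
    return value.find_first_of(std::string("\r\n\0", 3)) == std::string::npos;
}

// Serializer without the check: values are written exactly as given.
std::string serializeUnchecked(const std::vector<Header>& headers) {
    std::string out;
    for (std::size_t i = 0; i < headers.size(); ++i)
        out += headers[i].first + ": " + headers[i].second + "\r\n";
    return out + "\r\n";
}

// Serializer enforcing the contract: refuses the request (out is untouched) on a bad value.
bool serializeChecked(const std::vector<Header>& headers, std::string& out) {
    for (std::size_t i = 0; i < headers.size(); ++i)
        if (!isSafeHeaderValue(headers[i].second))
            return false;
    out = serializeUnchecked(headers);
    return true;
}

// Number of header lines a receiver sees when it splits on LF up to the blank line.
std::size_t countHeaderLines(const std::string& block) {
    std::size_t n = 0, pos = 0;
    while (pos < block.size()) {
        std::size_t end = block.find('\n', pos);
        if (end == std::string::npos) end = block.size();
        if (end == pos || (end == pos + 1 && block[pos] == '\r')) break;  // blank line
        ++n;
        pos = end + 1;
    }
    return n;
}

int main() {
    std::vector<Header> h(1, Header("User-Agent", "blah blah\nwhoops I left a newline in there"));
    std::string wire;
    return serializeChecked(h, wire) ? 1 : 0;  // exit status 0: the value was refused
}
```

Rejecting the value rather than truncating it at the newline avoids the "blah blah" result described in the message, where the caller silently gets a different user agent than the one it set.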