[Webkit-unassigned] [Bug 68560] New: [Qt] HTTP header injection vulnerability (QWebPage::userAgentForUrl)
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Sep 21 12:45:30 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=68560
Summary: [Qt] HTTP header injection vulnerability
(QWebPage::userAgentForUrl)
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Keywords: Qt
Severity: Normal
Priority: P2
Component: Platform
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: jarred at sencha.com
Created an attachment (id=108210)
--> (https://bugs.webkit.org/attachment.cgi?id=108210&action=review)
userAgentForUrl stripping
This is an interesting issue, that isn't any one particular tier's fault.
When working with PhantomJS (based on QtWebKit), where the user is able to provide their own user agent, we discovered that the user (or attacker?) can set the user agent in such a way to add another HTTP header implicitly to the ResourceRequest:
userAgent = 'My User Agent\nX-My-New-Header: oh noes!';
Which will result in sending the HTTP request w/ headers:
User-Agent: My User Agent
X-My-New-Header: oh noes!
Clearly, this could be problematic. HTTPHeaderMap doesn't filter the values at all (relying on platform network stack?). QNetworkRequest clearly just writes the headers onto the stream without a care. This is either everyone's fault or no one's fault. While XMLHttpRequest does a validity check of header values (to make sure they don't contain \r or \n) since it's a scriptable API, internal header management does not validate, falling back to the platform's network stack to handle it properly. Though this is an edge case, QWebPage is offering to the consumer of the QtWebKit API the ability to set the user agent header and doesn't protect it.
Attached is a patch that does the obvious and strips out newline chars to protect this particular scenario, from within WebCore. But, maybe some handling belongs in QNetwork as well, which would make this a temporary patch. Or such behavior is acceptable in QNetwork, which means the validation should occur on a higher tier.
Input on this matter is welcomed!
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list