[Webkit-unassigned] [Bug 68560] [Qt] HTTP header injection vulnerability (QWebPage::userAgentForUrl)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 21 14:10:34 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=68560

--- Comment #5 from Jarred Nicholls <jarred at sencha.com>  2011-09-21 14:10:34 PST ---
(In reply to comment #3)
> I fail to see an attack scenario... How could an attacker provide the user-agent? Maybe I'm missing a feature from your PhantomJS, or maybe you don't want to trust the end user at all? Could you please provide a real world attack scenario?
> 
> Finally, if this (or any other bug you find) is indeed a security vulnerability, please open a bug against the Security component. This way the bug is kept private while we fix it and give some time to all vendors to fix their applications and distribute the patches to end users (in this case the only vendor would be QtWebKit).
> 
> More details about the WebKit security policy here: http://www.webkit.org/security/

I consider this more of a straight-up bug in handling the result from userAgentForUrl - not so much a security problem.

My scenario: because PhantomJS exposes a global "phantomjs" variable in the context of a web site (as a tool it's often used to scrape web sites), a site could detect its presence and set the user agent, overriding some identity headers (cookies, preflight origin w/ CORS? etc.), and who the heck knows what could come next.

Niche, and no big deal. But, nevertheless, userAgentForUrl shouldn't return an invalid header value; at least that we can all agree on.

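The point of the thread is that a string handed back from userAgentForUrl (or, in the PhantomJS case, set from page script) must never reach the wire unvalidated: a value containing CR/LF terminates the User-Agent line and whatever follows is parsed as further header lines. The example below is added here and is not WebKit, QtWebKit or PhantomJS code; the minimal request serializer, the header parser, the host name `target.example` and the injected user-agent string are all constructed for illustration. It shows the naive path (what the bug describes), then the RFC 7230 field-value check a caller should apply, with reject and sanitize variants.

```javascript
// Added example: HTTP header injection through an unvalidated User-Agent value,
// and the field-value check that prevents it. Not code from WebKit/QtWebKit/PhantomJS.

const CRLF = "\r\n";

// Constructed attacker-controlled value: a site that detects PhantomJS could set
// this as the user agent. The embedded CRLFs smuggle two extra header lines.
const INJECTED_UA =
  "Mozilla/5.0 (PhantomJS)" + CRLF +
  "Cookie: session=attacker-controlled" + CRLF +
  "Origin: https://evil.example";

// Naive serializer: trusts the user-agent string, as the bug report describes.
function buildRequestNaive(host, path, userAgent) {
  return (
    "GET " + path + " HTTP/1.1" + CRLF +
    "Host: " + host + CRLF +
    "User-Agent: " + userAgent + CRLF +
    CRLF
  );
}

// Minimal parse of the serialized request into a header map, lower-cased names,
// repeated names joined with ", ". This is what a server would see.
function parseHeaders(raw) {
  const head = raw.split(CRLF + CRLF)[0];
  const headers = {};
  for (const line of head.split(CRLF).slice(1)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ", " + value : value;
  }
  return headers;
}

// RFC 7230 field-value check restricted to ASCII: HTAB, SP and visible
// characters 0x21-0x7E only. CR, LF, NUL and all other controls are rejected.
// (obs-text 0x80-0xFF is permitted by the RFC but has no business in a UA.)
function isValidHeaderValue(value) {
  return typeof value === "string" && /^[\t\x20-\x7E]*$/.test(value);
}

// Hardened serializer: refuse to build the request at all if the value is invalid.
function buildRequestHardened(host, path, userAgent) {
  if (!isValidHeaderValue(userAgent)) {
    throw new Error("User-Agent contains characters not allowed in an HTTP header value");
  }
  return buildRequestNaive(host, path, userAgent);
}

// Alternative for callers that prefer to keep going: collapse every run of
// disallowed characters to a single space so the value stays one header line.
function sanitizeHeaderValue(value) {
  return String(value).replace(/[^\t\x20-\x7E]+/g, " ").trim();
}

// Demonstration (prints what the server sees in each case).
const seenNaive = parseHeaders(buildRequestNaive("target.example", "/", INJECTED_UA));
console.log("naive:", seenNaive);
try {
  buildRequestHardened("target.example", "/", INJECTED_UA);
} catch (e) {
  console.log("hardened (reject):", e.message);
}
const seenSanitized = parseHeaders(
  buildRequestHardened("target.example", "/", sanitizeHeaderValue(INJECTED_UA))
);
console.log("hardened (sanitize):", seenSanitized);
```

Rejecting is the better default for a library API such as userAgentForUrl, because the caller has no legitimate reason to pass a control character; sanitizing only makes sense at the boundary where a scraping script exposes the setting to untrusted page content.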