[Webkit-unassigned] [Bug 201077] New: [GTK][WPE] webkit_settings_set_user_agent() allows content forbidden in HTTP headers
bugzilla-daemon at webkit.org
Fri Aug 23 06:43:38 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=201077
Bug ID: 201077
Summary: [GTK][WPE] webkit_settings_set_user_agent() allows content forbidden in HTTP headers
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKitGTK
Assignee: webkit-unassigned at lists.webkit.org
Reporter: aperez at igalia.com
CC: bugs-noreply at webkitgtk.org
The following call will succeed, and result in invalid characters
being sent over the wire:
webkit_settings_set_user_agent(settings, "\x1B"); /* Escape character */
As a reminder: the HTTP specification indicates that headers must
contain only visible, printable characters (so control characters
like 0x1B are forbidden).
If a user-agent string with an embedded newline character is set,
libsoup will actually warn:
soup_message_headers_append: assertion 'strpbrk (value, "\r\n") == NULL' failed
I am not sure what libsoup does (maybe it ignores setting the header?),
but at any rate an HTTP header must *not* contain newlines embedded in
its value.
It would be good to have some validation to ensure that WebKitSettings
never ends up with a user-agent string configured which would result
in incorrect requests being sent to servers. The particular case of
control characters is something I have observed after a use-after-free
ended up setting some garbage string as user-agent, and some servers
would start mysteriously returning HTTP 400 (that is: “Bad Request”).
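A validation helper of the kind the report asks for, added here as an example (it is not WebKit's or libsoup's code): it checks a candidate user-agent string against the HTTP field-value grammar (RFC 7230, section 3.2), rejecting control bytes such as the ESC, CR and LF characters discussed above, and reports the offset of the first offending byte so the caller can log it. The function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not WebKit or libsoup code. A header field value may
 * contain only visible ASCII (0x21-0x7E), SP, HTAB, or obs-text
 * (0x80-0xFF, opaque high bytes). Everything else is a CTL or DEL and
 * must never reach the wire. Returns -1 when the string is acceptable,
 * otherwise the offset of the first offending byte. */
long user_agent_invalid_offset(const char *ua)
{
    size_t len = strlen(ua);
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ua[i];
        if (c == ' ' || c == '\t')
            continue;           /* SP / HTAB are allowed between field-vchars */
        if (c >= 0x21 && c <= 0x7E)
            continue;           /* VCHAR */
        if (c >= 0x80)
            continue;           /* obs-text: tolerated, e.g. UTF-8 bytes */
        return (long)i;         /* CTL (0x00-0x1F except HTAB) or DEL (0x7F) */
    }
    return -1;
}

/* Predicate a settings setter could call before storing the value:
 * 1 if ua is safe to emit as a header value, 0 otherwise (NULL is rejected). */
int user_agent_is_valid(const char *ua)
{
    return ua != NULL && user_agent_invalid_offset(ua) == -1;
}
```

With such a check in place, the "\x1B" call from the report would be refused at the API boundary instead of producing a request that servers answer with HTTP 400.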