[Webkit-unassigned] [Bug 201077] New: [GTK][WPE] webkit_settings_set_user_agent() allows content forbidden in HTTP headers

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Aug 23 06:43:38 PDT 2019


            Bug ID: 201077
           Summary: [GTK][WPE] webkit_settings_set_user_agent() allows
                    content forbidden in HTTP headers
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: aperez at igalia.com
                CC: bugs-noreply at webkitgtk.org

The following call will succeed, and result in invalid characters
being sent over the wire:

   webkit_settings_set_user_agent(settings, "\x1B");  /* Escape character */

As a reminder: the HTTP specification indicates that headers must
contain only visible, printable characters (so control characters
like 0x1B are forbidden).

If an user-agent string with an embeeded newline character is set,
libsoup will actually warn:

   soup_message_headers_append: assertion 'strpbrk (value, "\r\n") == NULL' failed

I am not sure what libsoup does (maybe it ignores setting the header?),
but at any rathe an HTTP header must *not* contain newlines embedded in
their values.

It would be good to have some validation to ensure that WebKitSettings
never ends up with an user-agent string configured which would result
in incorrect requests being sent to servers. The particular case of
control characters is something I have observed after an use-after-free
ended up setting some garbage string as user-agent, and some servers
would start mysteriously returning HTTP 400 (that is: “Bad Request”).

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190823/97a1c45e/attachment.html>

More information about the webkit-unassigned mailing list