Closed
Bug 152697
Opened 22 years ago
Closed 22 years ago
no limit on the size of a HTTP header
Categories
(Core :: Networking: HTTP, defect, P3)
Core
Networking: HTTP
Tracking
()
VERIFIED
FIXED
mozilla1.2alpha
People
(Reporter: darin.moz, Assigned: darin.moz)
References
()
Details
(Keywords: testcase)
Attachments
(1 file)
4.53 KB,
patch
|
dougt
:
review+
dveditz
:
superreview+
|
Details | Diff | Splinter Review |
as we discussed during one of the recent security review meetings, the HTTP code should limit the size of the HTTP headers it accepts. not doing so could be considered a DoS vulnerability or at the very least cause the browser to consume large amounts of memory. marking as security-sensitive for now. maybe this one doesn't need to be private.
Assignee | ||
Updated•22 years ago
|
Severity: normal → major
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → mozilla1.0.1
Assignee | ||
Comment 1•22 years ago
|
||
simple patch to limit the mLineBuf used to build up header lines. i chose a rather arbitrary header limit of 10k. i think that should be plenty big.
Comment 2•22 years ago
|
||
Comment on attachment 88429 [details] [diff] [review] v1 patch add a commet so that we know what the reason is for 10k. looks fine.
Attachment #88429 -
Flags: review+
Assignee | ||
Comment 3•22 years ago
|
||
will do, thx.
Assignee | ||
Comment 4•22 years ago
|
||
not critical enough for 1.0.1, pushing out to 1.2alpha
Target Milestone: mozilla1.0.1 → mozilla1.2alpha
Updated•22 years ago
|
Group: security?
Assignee | ||
Updated•22 years ago
|
Comment 5•22 years ago
|
||
Comment on attachment 88429 [details] [diff] [review] v1 patch >+ if (mLineBuf.Length() + len > MAX_LINEBUF_LENGTH) { >+ NS_WARNING("excessively long header received, canceling transaction"); >+ return NS_ERROR_ABORT; >+ } Would it be possible to log this instead or in addition to the debug-only NS_WARNING? If the case ever comes up it might help debug the server problem. sr=dveditz either way
Attachment #88429 -
Flags: superreview+
Assignee | ||
Comment 6•22 years ago
|
||
yup, i'll change that to a PR_LOG before checking in. since HTTP logging is compiled into nightly builds, we'll be able to easily check for this case using regular nightly builds.
Assignee | ||
Comment 7•22 years ago
|
||
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 8•22 years ago
|
||
verified - win NT4, linux, mac osX internal testcase attached, 15k Etag from win NT http.log 185[7f1920]: nsHttpTransaction::ParseHead [count=3508] 185[7f1920]: excessively long header received, canceling transaction [trans=2b85a90] 185[7f1920]: nsHttpTransaction: listener returned [rv=80004004]
Comment 9•22 years ago
|
||
Darin, btw when stepping through the protos http header test suite (ie. the java server which injects buffer overflow tests), excessively large header tests are skipped. Is this because the http transaction is never completed? I am seeing in the log that the transaction and connection are destroyed in this case.
Assignee | ||
Comment 10•22 years ago
|
||
tever: yes, that would be this patch kicking in. the request is canceled, and therefore the underlying connection is also closed.
Comment 11•22 years ago
|
||
ok thanks, that's what i thought.
You need to log in
before you can comment on or make changes to this bug.
Description
•