Bug 1028765 (Closed): opened 11 years ago, closed 8 years ago

FxA's HTTP client should sanitize email addresses sent from the server

(Firefox :: Firefox Accounts, defect)
Priority: Not set
Severity: normal

RESOLVED WONTFIX

(Reporter: spenrose, Unassigned)

The Firefox Accounts Authentication server can return 400/120 indicating that the email address submitted by the client was correct except for case. The server will include the canonical spelling. To prevent injection attacks by a compromised server, the HTTP client should sanitize that "canonical" value.
If the client knows the email address it submitted, can it simply compare the value returned by 400/120 for case-sensitive equality? If it can, should it?
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Product: Core → Firefox
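The client-side check proposed in the comment above, written out as an added JavaScript example (not code from the Firefox Accounts client or server). The `email` field name and the `{ code, errno }` shape of the error body are assumptions, not taken from this bug:

```javascript
// Added example, not Firefox Accounts project code. It implements the check
// suggested above: only accept the server's "canonical" spelling when it is
// the address the client itself submitted, differing in letter case alone.
// Assumed (not given in the bug) error body shape:
//   { code: 400, errno: 120, email: "<canonical spelling>" }

const ERRNO_INCORRECT_EMAIL_CASE = 120;

// True when a and b are the same characters ignoring case AND the same
// length. The length check guards against Unicode case mappings that change
// string length (e.g. U+0130 lowercases to two code points), so a value
// cannot be accepted merely because it case-folds to what the user typed.
function sameAddressIgnoringCase(a, b) {
  return a.length === b.length && a.toLowerCase() === b.toLowerCase();
}

// Returns the canonical spelling the client may retry with, or null when the
// response is not a case-correction error or its payload must not be trusted.
// Callers treat null as "surface the original error to the user".
function acceptCanonicalEmail(submittedEmail, errorBody) {
  if (typeof submittedEmail !== "string" || errorBody === null || typeof errorBody !== "object") {
    return null;
  }
  if (errorBody.code !== 400 || errorBody.errno !== ERRNO_INCORRECT_EMAIL_CASE) {
    return null;
  }
  const canonical = errorBody.email;
  if (typeof canonical !== "string") {
    return null;
  }
  // A compromised server must not be able to point the retry at a different
  // mailbox or smuggle markup/control characters into the UI: anything that is
  // not the submitted address with different case is rejected outright.
  if (!sameAddressIgnoringCase(submittedEmail, canonical)) {
    return null;
  }
  // Identical spelling means there is nothing to correct; treat it as an
  // inconsistent response rather than retrying the same request.
  if (canonical === submittedEmail) {
    return null;
  }
  return canonical;
}
```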