Insecure processing of HTTP responses without Content-Type set

Status: RESOLVED WONTFIX
Product: Core
Component: Networking
Reporter: plastunovaa
Assignee: Unassigned
Version: 44 Branch
Reported: 2 years ago
Last modified: 2 years ago

Description (Reporter, 2 years ago)
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.82 Safari/537.36

Steps to reproduce:

1. Imagine a server which will give you some txt error on every request if there is no handler for it.
For example, http://www.example.com/aaaa and http://www.example.com/aaaa.html will give you pages with same context, say text like: Error page not found %url

2. Server will not set the content-type header (for some reasons) for such pages

3. If someone could alter the url to something like this: http://www.example.com/aaaa.html?<script>alert(1)</script>
then XSS will occur, since Firefox will render the text without content-type header based only on extension of requested resource


I found it pretty serious as many web developers rely on browser's rendering capabilities (for example, look at latest Chrome or Internet Explorer)



Actual results:

So, shortly:
Firefox browser will render document without content-type header in response based only on the extension of the requested document (html vs anything else)


Expected results:

I think, the best solution is to render such documents as text/plain regardless of document's extension

I don't think we're basing this on the extension, but probably "sniffing" the content as allowed in the HTTP spec for documents without a Content-Type:
https://www.w3.org/Protocols/rfc2616/rfc2616-sec7.html#sec7.2.1

Breaking that behavior and switching to text/plain (or worse, the application/octet-stream suggested in the spec) will break lots of real-world pages.

Echoing user input back in an error message like this is a well known (perhaps the most basic) XSS vector that server authors need to deal with.
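The server-side fix the comment above points at, as an added example that is not code from the reporter's server or from Mozilla: a minimal WSGI catch-all error handler (the `build_error_page` and `app` names are this example's own) that declares an explicit Content-Type so there is nothing to sniff, adds `X-Content-Type-Options: nosniff`, and HTML-escapes the echoed URL so the body stays inert even if it were ever rendered as HTML.

```python
"""Hardened 'page not found' handler for the scenario in this bug report."""
import html
from wsgiref.simple_server import make_server  # only used when run directly

# Same message shape as the reporter's server: the requested URL is echoed back.
ERROR_TEMPLATE = "Error page not found {url}"


def build_error_page(raw_url: str):
    """Return (status, headers, body) for an unhandled URL.

    raw_url is the request target, query string included, exactly as the
    reporter's server echoed it.  Constructed example values are used in tests.
    """
    # Defence 3: escape the reflected value so '<script>' cannot form a tag.
    body = ERROR_TEMPLATE.format(url=html.escape(raw_url, quote=True))
    encoded = body.encode("utf-8")
    headers = [
        # Defence 1: explicit type and charset, so the browser neither sniffs
        # the body nor guesses from a ".html" suffix in the URL.
        ("Content-Type", "text/plain; charset=utf-8"),
        # Defence 2: ask browsers to honour the declared type where they
        # would otherwise sniff.
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Length", str(len(encoded))),
    ]
    return "404 Not Found", headers, encoded


def app(environ, start_response):
    """WSGI entry point: no route is handled, so every request gets the error page."""
    raw_url = environ.get("PATH_INFO", "/")
    if environ.get("QUERY_STRING"):
        raw_url += "?" + environ["QUERY_STRING"]
    status, headers, body = build_error_page(raw_url)
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    # Serve locally so the headers can be inspected with any HTTP client.
    with make_server("127.0.0.1", 8000, app) as httpd:
        httpd.serve_forever()
```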
Group: firefox-core-security

Updated

2 years ago
Component: Untriaged → Networking
Product: Firefox → Core
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX