Closed Bug 1380148 Opened 7 years ago Closed 5 years ago

HttpChannelChild will happily produce bogus null security info

Categories

(Core :: Networking: HTTP, enhancement, P3)

53 Branch
enhancement

RESOLVED FIXED
mozilla66
Tracking Status
firefox-esr52 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox66 --- fixed

People

(Reporter: bzbarsky, Assigned: valentin)

Details

(Whiteboard: [necko-triaged])

Attachments

(1 file)

HttpChannelChild::OnStartRequest does:

  if (!securityInfoSerialization.IsEmpty()) {
    NS_DeserializeObject(securityInfoSerialization,
                         getter_AddRefs(mSecurityInfo));
  }

Note the lack of checking of whether NS_DeserializeObject succeeded.  When someone introduces a bug that makes it fail (see bug 1380132) we happily treat everything as insecure and _cache_ it that way in serviceworkers and whatnot.

We should probably show an error page or something in this situation.  Or something.

Similar issue in HttpChannelChild::Redirect1Begin.
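
Added illustration (not Gecko code and not the patch that landed) of why the unchecked call in the report fails open: a non-empty blob that does not deserialize leaves the security info null, which is the same state as a response that carried none. `SecurityInfo`, `Deserialize`, `Channel`, `LoadResult` and the `v1:` wire format are hypothetical stand-ins.

```cpp
// Added illustration, not Gecko code. All names are hypothetical stand-ins.
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

struct SecurityInfo { std::string cipherSuite; };

// Stand-in deserializer; constructed wire format "v1:<cipher-suite>".
// Returns nullptr on malformed input.
std::unique_ptr<SecurityInfo> Deserialize(const std::string& blob) {
  const std::string prefix = "v1:";
  if (blob.size() <= prefix.size() || blob.compare(0, prefix.size(), prefix) != 0)
    return nullptr;
  return std::make_unique<SecurityInfo>(SecurityInfo{blob.substr(prefix.size())});
}

enum class LoadResult { Ok, Failed };

struct Channel {
  std::unique_ptr<SecurityInfo> securityInfo;
  bool IsSecure() const { return securityInfo != nullptr; }
};

// Pattern from the report: result never checked, so a failed
// deserialization looks exactly like a response with no security info.
LoadResult OnStartUnchecked(Channel& ch, const std::string& blob) {
  if (!blob.empty()) ch.securityInfo = Deserialize(blob);
  return LoadResult::Ok;
}

// Checked variant: empty blob means "no security info"; a non-empty blob
// that fails to deserialize fails the load instead of downgrading it.
LoadResult OnStartChecked(Channel& ch, const std::string& blob) {
  if (blob.empty()) return LoadResult::Ok;
  auto info = Deserialize(blob);
  if (!info) return LoadResult::Failed;  // caller should cancel the load
  ch.securityInfo = std::move(info);
  return LoadResult::Ok;
}

int main() {
  Channel a, b;
  const std::string corrupt = "garbage";  // constructed malformed blob
  OnStartUnchecked(a, corrupt);
  std::printf("unchecked: load ok, secure=%d\n", a.IsSecure());
  bool failed = OnStartChecked(b, corrupt) == LoadResult::Failed;
  std::printf("checked: load failed=%d\n", failed);
}
```
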
Blocking bug 1332190 because its try builds are somewhat suspect while we ignore these errors.
Blocks: 1332190
Is it on your radar, Honza?
Flags: needinfo?(honzab.moz)
Jason, can you please find someone to work on this?
Assignee: nobody → jduell.mcbugs
Flags: needinfo?(honzab.moz)
Whiteboard: [necko-active]
This bug doesn't need to block 1332190. My understanding of the description is that this bug is filed to add some missing error checking which is needed with or without 1332190. Bug 1332190 caused bug 1332190 which is being addressed.
No longer blocks: 1332190
Bulk priority update: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
P2 but would be nice to have ASAP.
Severity: critical → normal
Priority: P1 → P2
Whiteboard: [necko-active]
Whiteboard: [necko-triaged]
Moving to p3 because no activity for at least 1 year(s).
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
Assignee: jduell.mcbugs → valentin.gosu
Pushed by valentin.gosu@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/bf2f21326169
Assert if securityInfo deserialization fails r=mayhemer
https://hg.mozilla.org/mozilla-central/rev/bf2f21326169
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Depends on: 1513458