Closed Bug 1380148 Opened 7 years ago Closed 6 years ago

HttpChannelChild will happily produce bogus null security info

Categories

(Core :: Networking: HTTP, enhancement, P3)

53 Branch
enhancement

Tracking

()

RESOLVED FIXED
mozilla66
Tracking Status
firefox-esr52 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox66 --- fixed

People

(Reporter: bzbarsky, Assigned: valentin)

References

Details

(Whiteboard: [necko-triaged])

Attachments

(1 file)

HttpChannelChild::OnStartRequest does:

  if (!securityInfoSerialization.IsEmpty()) {
    NS_DeserializeObject(securityInfoSerialization,
                         getter_AddRefs(mSecurityInfo));
  }

Note the lack of checking of whether NS_DeserializeObject succeeded.  When someone introduces a bug that makes it fail (see bug 1380132) we happily treat everything as insecure and _cache_ it that way in serviceworkers and whatnot.

We should probably show an error page or something in this situation.  Or something.

Similar issue in HttpChannelChild::Redirect1Begin.
Blocking bug 1332190 because its try builds are somewhat suspect while we ignore these errors.
Blocks: 1332190
Is it on your radar, Honza?
Flags: needinfo?(honzab.moz)
Jason, can you please find someone to work on this?
Assignee: nobody → jduell.mcbugs
Flags: needinfo?(honzab.moz)
Whiteboard: [necko-active]
This bug doesn't need to block 1332190. My understanding of the description is that this bug is filed to add some missing error checking which is needed with or without 1332190. Bug 1332190 caused bug 1332190 which is being addressed.
No longer blocks: 1332190
Bulk priority update: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
P2 but would be nice to have ASAP.
Severity: critical → normal
Priority: P1 → P2
Whiteboard: [necko-active]
Whiteboard: [necko-triaged]
Moving to p3 because no activity for at least 1 year(s).
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
Assignee: jduell.mcbugs → valentin.gosu
Pushed by valentin.gosu@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/bf2f21326169
Assert if securityInfo deserialization fails r=mayhemer
https://hg.mozilla.org/mozilla-central/rev/bf2f21326169
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Depends on: 1513458
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: