Closed
Bug 1387355
Opened 7 years ago
Closed 4 years ago
EventSource: ignore IDs with U+0000
Categories
(Core :: DOM: Networking, enhancement, P3)
Core
DOM: Networking
Tracking
()
RESOLVED
FIXED
81 Branch
Tracking | Status | |
---|---|---|
firefox81 | --- | fixed |
People
(Reporter: annevk, Assigned: farooqbckk)
References
(Blocks 1 open bug)
Details
(Whiteboard: [necko-triaged])
Attachments
(1 file, 2 obsolete files)
Change to standard: https://github.com/whatwg/html/pull/2849 Proposed tests (still need review): https://github.com/w3c/web-platform-tests/pull/6584 It seems good to fix this as this is the only way for someone to smuggle a U+0000 into a header value.
Updated•7 years ago
|
Priority: -- → P2
Comment 1•6 years ago
|
||
Moving to p3 because no activity for at least 1 year(s). See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
Reporter | ||
Updated•6 years ago
|
Component: DOM → DOM: Networking
Is this important? Or a good-first-bug maybe?
Flags: needinfo?(amarchesini)
Reporter | ||
Comment 3•6 years ago
|
||
It seems bad to violate HTTP invariants, but we managed thus far, so a bit of both?
Comment 4•6 years ago
|
||
annevk gave a good answer, but it also seems that we support it: we pass the WPT. maybe already fixed?
Flags: needinfo?(amarchesini)
Reporter | ||
Comment 5•6 years ago
|
||
Hmm yeah, https://hg.mozilla.org/mozilla-central/rev/c9f228c158d7 looks like it might be it. Simply ignoring 0x00 seems a little dangerous though.
Reporter | ||
Comment 6•6 years ago
|
||
I realized that bug 1453318 would obviate the need for that check, though it would also require changing the passing condition of the test mentioned in comment 0 (it'd simply error).
Depends on: 1453318
Updated•6 years ago
|
Flags: needinfo?(kershaw)
Updated•6 years ago
|
Priority: P3 → P2
Updated•6 years ago
|
Whiteboard: [necko-triaged]
Comment 7•6 years ago
|
||
(In reply to Anne (:annevk) from comment #5) > Hmm yeah, https://hg.mozilla.org/mozilla-central/rev/c9f228c158d7 looks like > it might be it. Simply ignoring 0x00 seems a little dangerous though. Maybe we can close this bug, since this is already fixed. What do yoy think, Anne?
Flags: needinfo?(kershaw) → needinfo?(annevk)
Comment 8•6 years ago
|
||
(In reply to Kershaw Chang [:kershaw] from comment #7) > (In reply to Anne (:annevk) from comment #5) > > Hmm yeah, https://hg.mozilla.org/mozilla-central/rev/c9f228c158d7 looks like > > it might be it. Simply ignoring 0x00 seems a little dangerous though. > > Maybe we can close this bug, since this is already fixed. > What do yoy think, Anne? I just found that our current code [1] does have a problem. We current ignore the char if it is \0. If we get "id: 1\02", the parser set the id to "12". According to the spec, we should ignore this value. So, clear the ni and assign this to myself. [1] https://searchfox.org/mozilla-central/rev/17f55aee76b7c4610a974cffd3453454e0c8de7b/dom/base/EventSource.cpp#1761-1763
Assignee: nobody → kershaw
Flags: needinfo?(annevk)
Comment 9•6 years ago
|
||
The original code only skip the NULL character, but according to the spec we should ignore the whole field.
Updated•6 years ago
|
Attachment #9024540 -
Attachment is obsolete: true
Comment 10•6 years ago
|
||
The original code only skip the NULL character, but according to the spec we should ignore the whole field.
Reporter | ||
Comment 11•6 years ago
|
||
Kershaw, Olli, https://github.com/web-platform-tests/wpt/pull/14095 has a PR to modify the test to demonstrate the issue in Firefox. Other browsers (Chrome, Safari) pass these tests. (Also, my earlier comments were a bit confused as this doesn't directly impact the HTTP layer in Firefox (and per code inspection that already has guards for 0x00 and friends), this is only about parsing the text/event-stream format.)
Updated•5 years ago
|
Priority: P2 → P3
Comment 13•4 years ago
|
||
Farooq, perhaps you'd be interested in this :)
Flags: needinfo?(farooqbckk)
Updated•4 years ago
|
Assignee: nobody → kershaw
Status: NEW → ASSIGNED
Updated•4 years ago
|
Attachment #9024543 -
Attachment is obsolete: true
Updated•4 years ago
|
Assignee: kershaw → nobody
Status: ASSIGNED → NEW
Assignee | ||
Comment 15•4 years ago
|
||
Updated•4 years ago
|
Assignee: nobody → farooqbckk
Status: NEW → ASSIGNED
Updated•4 years ago
|
Attachment #9167368 -
Attachment description: Bug 1387355 - EventSource: ignore IDs with U+0000. r=annevk → Bug 1387355 - EventSource: ignore IDs with U+0000. r=smaug
Updated•4 years ago
|
Attachment #9167368 -
Attachment description: Bug 1387355 - EventSource: ignore IDs with U+0000. r=smaug → Bug 1387355 - EventSource: ignore IDs with U+0000. r=annevk
Updated•4 years ago
|
Attachment #9167368 -
Attachment description: Bug 1387355 - EventSource: ignore IDs with U+0000. r=annevk → Bug 1387355 - EventSource: ignore IDs with U+0000. r=smaug
Comment 16•4 years ago
|
||
Pushed by opettay@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2aa24254daa1 EventSource: ignore IDs with U+0000. r=smaug
Comment 17•4 years ago
|
||
bugherder |
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox81:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch
You need to log in
before you can comment on or make changes to this bug.
Description
•