Closed Bug 1731522 Opened 3 years ago Closed 3 years ago

HTTP/2 header name CRLF injection

Categories

(Core :: Networking: HTTP, defect)

Firefox 92
defect

Tracking


RESOLVED FIXED
93 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox-esr91 --- wontfix
firefox92 --- wontfix
firefox93 --- fixed

People

(Reporter: websec02.g02, Assigned: manuel)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36

Steps to reproduce:

Unlike HTTP/1.1, an HTTP/2 header name can contain CRLF because of its encoding syntax.

If the following response headers (represented as JSON key-value pairs) are returned from an HTTP/2 server, Firefox saves the "hello" cookie, probably because Firefox internally places them into an HTTP/1.1 message without header name validation.

{
  'aaa:aaa\r\nset-cookie:hello=111;path=/;': 'vvv',
  date: 'Mon, 20 Sep 2021 05:30:02 GMT'
}

Chrome, Safari and IE raise an error when a given response header name or value contains CR or LF. I guess this is the behavior expected by RFC 7540 section 10.3.
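The check the report says was missing, as an added example that is not code from Firefox or from the reporter: field names and values are validated against the HTTP/2 rules (RFC 7540 section 8.1.2 / section 10.3, now RFC 9113 section 8.2.1) before the fields are re-serialised as HTTP/1.1 lines, and a malformed field is treated as a protocol error instead of being written out. The function names (validate_field, naive_h1_block, parse_h1_block, first_violation, checked_h1_block) and the constant REPORTED_HEADERS are assumptions of this example; REPORTED_HEADERS only restates the header pair from the report above.

```python
import re
from typing import Optional

# RFC 9113 section 8.2.1: a field name is a non-empty lowercase token; a field
# value must not contain NUL, CR or LF and must not start or end with SP/HTAB.
# CR and LF are the critical characters here: once a name or value carrying
# them is written out as an HTTP/1.1 line, the remainder becomes a new header.
TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9a-z]+$")
RESPONSE_PSEUDO = {":status"}  # the only pseudo-header allowed in a response

# Header pair from the bug report (constructed sample, values copied from it).
REPORTED_HEADERS = {
    "aaa:aaa\r\nset-cookie:hello=111;path=/;": "vvv",
    "date": "Mon, 20 Sep 2021 05:30:02 GMT",
}


def validate_field(name: str, value: str) -> Optional[str]:
    """Return None when the field is well-formed, otherwise the reason it is not."""
    if not name:
        return "empty field name"
    if name.startswith(":"):
        if name not in RESPONSE_PSEUDO:
            return f"unknown pseudo-header {name!r}"
    elif not TCHAR.match(name):
        # Uppercase letters, ':' and control characters all land here.
        bad = sorted({c for c in name if not TCHAR.match(c)})
        return f"invalid characters in field name: {bad!r}"
    if any(c in value for c in "\x00\r\n"):
        return "field value contains NUL, CR or LF"
    if value[:1] in (" ", "\t") or value[-1:] in (" ", "\t"):
        return "field value has leading or trailing whitespace"
    return None


def naive_h1_block(headers: dict) -> bytes:
    """Re-serialise HTTP/2 fields as HTTP/1.1 lines with no validation.
    This is the pattern the report describes; kept only to show its effect."""
    return b"".join(f"{k}: {v}\r\n".encode("latin-1") for k, v in headers.items())


def parse_h1_block(block: bytes) -> list:
    """Split the block the way an HTTP/1.1 header consumer would."""
    fields = []
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        fields.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return fields


def first_violation(headers: dict) -> Optional[str]:
    """Return a description of the first malformed field, or None if all pass."""
    for name, value in headers.items():
        reason = validate_field(name, value)
        if reason:
            return f"{name!r}: {reason}"
    return None


def checked_h1_block(headers: dict) -> bytes:
    """Validated counterpart of naive_h1_block: refuse the whole header block
    (RFC 9113 section 8.1.1 treats a malformed field as a stream error)."""
    problem = first_violation(headers)
    if problem:
        raise ValueError("PROTOCOL_ERROR, malformed header block: " + problem)
    return naive_h1_block(headers)


if __name__ == "__main__":
    # Unvalidated: the smuggled set-cookie shows up as its own HTTP/1.1 header.
    for name, value in parse_h1_block(naive_h1_block(REPORTED_HEADERS)):
        print(f"{name!r}: {value!r}")
    # Validated: the block is rejected before anything is written out.
    print(first_violation(REPORTED_HEADERS))
```

Running the block prints the parsed HTTP/1.1 view first, where `set-cookie` appears as a separate header even though the server sent it inside a field name, and then the rejection reason that the validated path raises instead.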

Sorry. This bug is fixed in Firefox 93.

HTTP headers with spaces in the name in HTTP2 should send ERR_HTTP2_PROTOCOL_ERROR
https://bugzilla.mozilla.org/show_bug.cgi?id=1663836

Group: firefox-core-security → network-core-security
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Status: UNCONFIRMED → NEW
Ever confirmed: true

(In reply to Takeshi Terada from comment #1)

> Sorry. This bug is fixed in Firefox 93.
>
> HTTP headers with spaces in the name in HTTP2 should send ERR_HTTP2_PROTOCOL_ERROR
> https://bugzilla.mozilla.org/show_bug.cgi?id=1663836

Yes, I think this is fixed.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

Can we get a rating on this bug? Do we need to backport bug 1663836 to ESR91?

Assignee: nobody → mbucher
Group: network-core-security → core-security-release
Depends on: 1663836
Flags: needinfo?(kershaw)
Flags: in-testsuite+
Target Milestone: --- → 93 Branch

(In reply to Ryan VanderMeulen [:RyanVM] from comment #3)

> Can we get a rating on this bug? Do we need to backport bug 1663836 to ESR91?

I think this bug is not really serious, since we have already had this flaw for a while.
It'd be good to backport bug 1663836 to ESR, since it's a simple fix and should not cause any regression.
I'll ask Manuel to do this.

Flags: needinfo?(kershaw)
Group: core-security-release