XML-RPC needs to listen to redirects

RESOLVED FIXED in mozilla1.3alpha

Status

()

RESOLVED FIXED
16 years ago
11 years ago

People

(Reporter: hjtoi-bugzilla, Assigned: samuel)

Tracking

({fixed1.8.1})

Trunk
mozilla1.3alpha
fixed1.8.1
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:want] see comment 3 and comment 6)

XML-RPC tries to limit itself to http and https protocols, but this can be
subverted by doing a server side redirect. To prevent this, XML-RPC needs to
listen to redirects. Implement nsIHttpEventSink, and in onRedirect check the
scheme again, blocking redirects to non http(s) URLs.

You can look at XMLHttpRequest implementation on how it did this.

Also, if you don't do it already, you should implement auth prompt in case the
connection requires login & password. See method
nsXMLHttpRequest::GetInterface() for a sample. One caveat, see bug 176051 (btw,
Darin, I might need some help there).

Comment 1

16 years ago
nsIAuthPrompt is implemented, but i wanted add one more comment.  if you have a
same origin policy for xml-rpc requests, then you need to make sure that a HTTP
redirect doesn't subvert that policy.
Can XML-RPC be used from Web pages? Are we shipping it by default? (It looks
like it's built by default.)
It can't be used by web pages (except by signed script). We build and ship it by
default.
Not a blocker since this can't be used by untrusted content.
Whiteboard: [sg:mustfix]
(Assignee)

Updated

16 years ago
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.3alpha
(Assignee)

Updated

16 years ago
Depends on: 197087

Comment 5

15 years ago
removing  sg:mustfix
Whiteboard: [sg:mustfix]
(Assignee)

Comment 6

13 years ago
xml-rpc will be using XMLHttpRequest as per bug 197087.  That will handle the redirects safely and resolve this bug, right?
Whiteboard: [sg:want] see comment 3 and comment 6
(Assignee)

Comment 7

12 years ago
fixed by bug 197087
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Group: security
Keywords: fixed1.8.1
You need to log in before you can comment on or make changes to this bug.