Closed Bug 176774 Opened 23 years ago Closed 19 years ago

XML-RPC needs to listen to redirects

Categories: Core :: XML
Type: defect
Priority: Not set
Severity: normal

Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla1.3alpha

People

(Reporter: hjtoi-bugzilla, Assigned: samuel)

Details

Keywords: fixed1.8.1; Whiteboard: [sg:want] see comment 3 and comment 6

XML-RPC tries to limit itself to the http and https protocols, but this can be subverted by doing a server-side redirect. To prevent this, XML-RPC needs to listen to redirects: implement nsIHttpEventSink, and in onRedirect check the scheme again, blocking redirects to non-http(s) URLs. You can look at the XMLHttpRequest implementation to see how it did this. Also, if you don't do it already, you should implement an auth prompt in case the connection requires a login and password. See the method nsXMLHttpRequest::GetInterface() for a sample. One caveat, see bug 176051 (btw, Darin, I might need some help there).
nsIAuthPrompt is implemented, but I wanted to add one more comment. If you have a same-origin policy for xml-rpc requests, then you need to make sure that an HTTP redirect doesn't subvert that policy.
Can XML-RPC be used from Web pages? Are we shipping it by default? (It looks like it's built by default.)
It can't be used by web pages (except by signed script). We build and ship it by default.
Not a blocker since this can't be used by untrusted content.
Whiteboard: [sg:mustfix]
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.3alpha
Depends on: 197087
removing sg:mustfix
Whiteboard: [sg:mustfix] → (cleared)
xml-rpc will be using XMLHttpRequest as per bug 197087. That will handle the redirects safely and resolve this bug, right?
Whiteboard: [sg:want] see comment 3 and comment 6
fixed by bug 197087
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Group: security
Keywords: fixed1.8.1