Closed Bug 176774 Opened 22 years ago Closed 18 years ago

XML-RPC needs to listen to redirects

Categories

(Core :: XML, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla1.3alpha

People

(Reporter: hjtoi-bugzilla, Assigned: samuel)

References

Details

(Keywords: fixed1.8.1, Whiteboard: [sg:want] see comment 3 and comment 6)

XML-RPC tries to limit itself to http and https protocols, but this can be
subverted by doing a server side redirect. To prevent this, XML-RPC needs to
listen to redirects. Implement nsIHttpEventSink, and in onRedirect check the
scheme again, blocking redirects to non http(s) URLs.

You can look at XMLHttpRequest implementation on how it did this.

Also, if you don't do it already, you should implement auth prompt in case the
connection requires login & password. See method
nsXMLHttpRequest::GetInterface() for a sample. One caveat, see bug 176051 (btw,
Darin, I might need some help there).

nsIAuthPrompt is implemented, but I wanted to add one more comment. If you have a
same origin policy for xml-rpc requests, then you need to make sure that a HTTP
redirect doesn't subvert that policy.
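The redirect-time check the two comments above ask for, as an added example that is not Mozilla's XML-RPC code: a standalone C++ helper (hypothetical `parseUrl`/`allowRedirect` functions, minimal URL parsing, no IPv6 literals) that re-applies the http/https scheme restriction to the target of a redirect and, when a same-origin policy is in force, also requires the same scheme, host and port.

```cpp
#include <cctype>
#include <string>

// Added example (hypothetical helper, not Mozilla's XML-RPC code): the
// redirect-time policy check. URL parsing is minimal (no IPv6 literals).
struct UrlParts { std::string scheme, host; int port = -1; bool ok = false; };
static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

UrlParts parseUrl(const std::string& url) {
    UrlParts p;
    const size_t sep = url.find("://");
    if (sep == std::string::npos || sep == 0) return p;
    p.scheme = lower(url.substr(0, sep));
    const size_t start = sep + 3;
    const size_t end = url.find_first_of("/?#", start);
    std::string auth = url.substr(start, end == std::string::npos ? end : end - start);
    const size_t at = auth.rfind('@');                 // drop any userinfo
    if (at != std::string::npos) auth.erase(0, at + 1);
    const size_t colon = auth.rfind(':');
    if (colon == std::string::npos) {                  // default port per scheme
        p.port = p.scheme == "https" ? 443 : (p.scheme == "http" ? 80 : -1);
    } else {
        const std::string portStr = auth.substr(colon + 1);
        if (portStr.empty() || portStr.size() > 5) return p;
        for (char c : portStr) if (!std::isdigit(static_cast<unsigned char>(c))) return p;
        p.port = std::stoi(portStr);
        auth.erase(colon);
    }
    p.host = lower(auth);
    p.ok = !p.host.empty();
    return p;
}

// The scheme whitelist applied to the initial request. The bug is that it was
// never re-applied to the target of a server-side redirect.
bool schemeAllowed(const std::string& scheme) { return scheme == "http" || scheme == "https"; }

// What an OnRedirect callback should decide: re-check the scheme, and when the
// caller enforces a same-origin policy, require the same scheme, host and port.
bool allowRedirect(const std::string& originalUrl, const std::string& newUrl, bool sameOriginOnly) {
    const UrlParts from = parseUrl(originalUrl), to = parseUrl(newUrl);
    if (!from.ok || !to.ok || !schemeAllowed(to.scheme)) return false;
    if (sameOriginOnly && (from.scheme != to.scheme || from.host != to.host || from.port != to.port))
        return false;
    return true;
}
```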

Can XML-RPC be used from Web pages? Are we shipping it by default? (It looks
like it's built by default.)

It can't be used by web pages (except by signed script). We build and ship it by
default.

Not a blocker since this can't be used by untrusted content.
Whiteboard: [sg:mustfix]
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.3alpha
Depends on: 197087
removing sg:mustfix
Whiteboard: [sg:mustfix]
xml-rpc will be using XMLHttpRequest as per bug 197087.  That will handle the redirects safely and resolve this bug, right?
Whiteboard: [sg:want] see comment 3 and comment 6
fixed by bug 197087
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Group: security
Keywords: fixed1.8.1