document.cookie does not reject invalid control characters
Categories
(Core :: Networking: Cookies, defect, P2)
People
(Reporter: haxatron1, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][necko-triaged])
A sibling domain or a MITM can set cookies containing invalid control characters such as \f. On most server technology, such as Apache, requests containing illegal control characters will return a 400 Bad Request. As such, an attacker that can control a sibling domain (eTLD+1) can inject such cookies into the cookie store and cause a situation where the Firefox client can no longer communicate with the main domain.
Steps to reproduce:
- Set cookie using document.cookie = "a=b\f"
- Visit a website running Apache httpd.
- Receive 400 Bad Request. The Firefox client can no longer communicate with the Apache server so long as there is a current cookie store.
For reference, Chrome will now reject cookies set via document.cookie containing such control characters.
Notes: May be regarded as an annoyance, as a user can clear the cookie store containing the illegal cookie via a click of a button, but I am submitting here just in case.
The current illegal charset also doesn't include the \x7f character, which also causes problems with Apache, while Chrome rejects \x7f from cookies.
Comment 3•3 years ago
The difference between early HTTP specs (headers must be only ASCII!) and what browsers and servers have accepted, because we want to support a world audience, has been pretty vast. But there are more modern specs (converging on allowing UTF-8) and we definitely shouldn't be allowing control characters.
Not sure this needs to be a hidden bug -- it's been known for a while.
Comment 4•3 years ago
If we don't already have this on file as part of our efforts to match RFC 6265bis then we can use this for it.
Relevant part of the spec: https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis/#section-5.4
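An added example, not code from the bug thread or from Firefox: a JavaScript check implementing the control-character rule from the RFC 6265bis section linked above (any %x00-08 / %x0A-1F / %x7F octet causes the cookie to be ignored; HTAB is permitted), plus a helper that flags cookies already in a store that would trip a strict server such as Apache. The `doc` parameter and the function names are assumptions.

```javascript
// Added example, not from the bug report. Implements the RFC 6265bis
// set-cookie-string rule: a cookie string containing %x00-08 / %x0A-1F
// / %x7F is ignored entirely. HTAB (%x09) is the one CTL that is allowed.
const FORBIDDEN_CTL = /[\x00-\x08\x0A-\x1F\x7F]/;

// True when the cookie string contains no forbidden control characters.
function isValidCookieString(cookieString) {
  return !FORBIDDEN_CTL.test(cookieString);
}

// Defensive wrapper around a document.cookie assignment. Returns true if the
// cookie was written, false if it was dropped. `doc` is injected (assumed
// interface: an object with a writable `cookie` property) so the function
// can run outside a browser.
function setCookieSafely(doc, cookieString) {
  if (!isValidCookieString(cookieString)) {
    return false;
  }
  doc.cookie = cookieString;
  return true;
}

// Detection side: given the value a client would send in a Cookie header
// (the same "name=value; name2=value2" shape document.cookie returns),
// return the names of cookies whose name or value carries a forbidden
// control character. A non-empty result means the store is already in the
// state the report describes and needs clearing.
function findPoisonedCookies(cookieHeaderValue) {
  if (cookieHeaderValue === "") {
    return [];
  }
  return cookieHeaderValue
    .split("; ")
    .filter((pair) => FORBIDDEN_CTL.test(pair))
    .map((pair) => pair.split("=")[0]);
}

// Constructed sample store mirroring the report: "a" carries a form feed,
// "d" carries DEL, "b" and "c" (HTAB inside the value) are fine.
const SAMPLE_STORE = "a=b\f; b=ok; c=x\ty; d=z\x7f";
```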
Comment 6•3 years ago
I'm sorry, we lost track of this one (my fault, see comment 4). We will match the bounty of the bug that was filed after yours.