Closed Bug 1892748 Opened 10 months ago Closed 9 months ago

Reject most control characters in cookie attributes

Categories

(Core :: Networking: Cookies, task, P2)

Product:
Core
Component:
Networking: Cookies
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
127 Branch
Tracking Flags:
Tracking Status
firefox127 --- fixed

People

(Reporter: longsonr, Assigned: longsonr)

References

Details

(Whiteboard: [necko-triaged])

Attachments

(1 file, 1 obsolete file)

Bug 1892748 Part 1 - Reject control characters in cookie attributes. r=dveditz
48 bytes, text/x-phabricator-request
Details | Review

We ignore null characters in cookies but https://www.rfc-editor.org/rfc/rfc2616.html#section-3.3.1 does not treat null any differently from any other control character.
Cookie data that contains control characters should be ignored.

Assignee: nobody → longsonr
Status: NEW → ASSIGNED
Attachment #9397875 - Attachment description: Bug 1892748 Part 1 - Reject control characters in cookies. r=dveditz → Bug 1892748 Part 1 - Reject control characters in cookie attributes. r=dveditz
Severity: -- → N/A
Type: defect → task
Priority: -- → P2
Whiteboard: [necko-triaged]
Summary: Reject most control characters in cookies → Reject most control characters in cookie attributes

(In reply to Robert Longson [:longsonr] from comment #0)

We ignore null characters in cookies but https://www.rfc-editor.org/rfc/rfc2616.html#section-3.3.1 does not treat null any differently from any other control character.
Cookie data that contains control characters should be ignored.

Nobody ever implemented that 1999 spec as written; it's the wrong specification to reference. It was obsoleted by the 2011 rfc6265, created to document reality as much as possible and with cross-vendor agreements and compromises where implementations differed. Another dozen years later and we're actually aiming our implementation at the in-progress update to 6265, supported by a whole raft of Web Platform Tests to achieve and maintain cross-vendor interoperability.

That said, this bug report is correct: we should rejecting cookies with control characters other than HTAB anywhere in the cookie string according to step 1 at https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-13#section-5.5

Attachment #9397875 - Attachment description: Bug 1892748 Part 1 - Reject control characters in cookie attributes. r=dveditz → Bug 1892748 Part 1 - Reject control characters in cookies. r=dveditz
Attachment #9397875 - Attachment description: Bug 1892748 Part 1 - Reject control characters in cookies. r=dveditz → Bug 1892748 Part 1 - Reject control characters in cookie attributes. r=dveditz
Pushed by longsonr@gmail.com: https://hg.mozilla.org/integration/autoland/rev/3d8324880910 Part 1 - Reject control characters in cookie attributes. r=dveditz,cookie-reviewers https://hg.mozilla.org/integration/autoland/rev/11097fcc4f76 Part 2 - Reject cookies that end in a terminator character. r=dveditz,cookie-reviewers
See Also: → 1797231

Shouldn't we have a pref for this?

Safari and Chrome already pass these WPTs so it seems unlikely we'd have any incompatibilities.

https://hg.mozilla.org/mozilla-central/rev/3d8324880910
https://hg.mozilla.org/mozilla-central/rev/11097fcc4f76

Status: ASSIGNED → RESOLVED
Closed: 9 months ago
status-firefox127: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 127 Branch
See Also: → 1895439
Regressions: 1901325

(In reply to Robert Longson [:longsonr] from comment #7)

Safari and Chrome already pass these WPTs so it seems unlikely we'd have any incompatibilities.

😔

We said the same thing about "lax by default" and "none requires secure", too, but that didn't stop some web sites from sending different cookies to Firefox that broke things just the same.

See Also: → 1903400
Attachment #9397876 - Attachment is obsolete: true
Attachment #9397876 - Attachment is obsolete: true
See Also: → 1920444
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: