Closed
Bug 267295
Opened 20 years ago
Closed 8 years ago
servers with improper hostname syntax can set cookies
Categories
(Core :: Networking: Cookies, enhancement)
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: io, Unassigned)
References
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910 I recently discovered there's a quite old patch from Microsoft for Internet Explorer which blocks cookies coming from a server with improper syntax, e.g. an hostname containing an underscore: let's say we have a machine named my_test.mydomain.com, Internet Explorer doesn't accept cookies set by that machine. Mozilla does. Is this correct? Microsoft says that's the right behavior... Of course I'm not saying Mozilla should imitate IE, I'm just wondering if this security issue is something related only to the Microsoft platform or not. :) Fo further details, read carefully here: http://support.microsoft.com/default.aspx?scid=kb;EN-US;316112 and here: http://www.microsoft.com/technet/security/bulletin/MS01-055.mspx Reproducible: Always Steps to Reproduce:
Updated•20 years ago
|
Assignee: dveditz → darin
Component: Security: General → Networking: Cookies
QA Contact: core.networking.cookies
I forgot to say this Explorer behavior is due to security reasons (but i don't know which malicious hack could be done by sending cookies from server with improper names... anyway i believe Microsoft knows ;) )
We could add a check for valid domains in cookies, but we might do that elsewhere already. We still allow somewhat unlimited acess to the hostname via file: urls w/ javascript cookies. file://illegal_host/filewithjscookie.html I'm working on a FQDN validator in JS.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: servers with improper name syntax can set cookies → servers with improper hostname syntax can set cookies
PS: I tried with Firefox, Konqueror and Opera too and they have the same behavior of Mozilla... anyway I'm still wondering how can a cookie coming from a server with improper hostname syntax lead to security problems, as Microsoft asserts
Many security problems arise from data structure problems, and in the area of networking, we have subsystems that have disjoint handling of namespaces. For example, we used to have different hostname parsers for modules that were chained together. That meant if you send a really weird hostname, it might look like "a" to one module and "b" to another. Not to generalize about a complex area I know little about, but for the security issues I have helped on, the root cause is usually bad code vs. smart hacker.
*** Bug 331778 has been marked as a duplicate of this bug. ***
Comment 6•18 years ago
|
||
(In reply to comment #3) > PS: I tried with Firefox, Konqueror and Opera too and they have the same > behavior of Mozilla... anyway I'm still wondering how can a cookie coming from a > server with improper hostname syntax lead to security problems, as Microsoft asserts it may be not a high risk security issue, but surely underscore is an illegal character in a FQDN. it is certainly not a high priority bug, it just breaks the RFC. http://www.camtp.uni-mb.si/books/Internet-Book/DNS_NameFormat.html
Updated•18 years ago
|
Assignee: darin → nobody
Comment 7•8 years ago
|
||
our behavior, afaict, matches chrome.. so wontfix for compat.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•