Bug 267295 - servers with improper hostname syntax can set cookies
Status: RESOLVED WONTFIX
Product: Core
Classification: Components
Component: Networking: Cookies
Version: Trunk
Platform: x86 Windows XP
Importance: -- enhancement
Assigned To: Nobody; OK to take it and work on it
Duplicates: 331778

Reported: 2004-11-02 03:57 PST by Alessio
Modified: 2016-01-25 13:36 PST

Description Alessio 2004-11-02 03:57:43 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910

I recently discovered there's a quite old patch from Microsoft for Internet
Explorer which blocks cookies coming from a server with improper syntax, e.g. a
hostname containing an underscore: let's say we have a machine named
my_test.mydomain.com, Internet Explorer doesn't accept cookies set by that machine.
Mozilla does. Is this correct?
Microsoft says that's the right behavior...
Of course I'm not saying Mozilla should imitate IE, I'm just wondering if this
security issue is something related only to the Microsoft platform or not. :)

For further details, read carefully here:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;316112
and here:
http://www.microsoft.com/technet/security/bulletin/MS01-055.mspx

Reproducible: Always
Steps to Reproduce:
Comment 1 Alessio 2004-11-02 08:04:55 PST
I forgot to say this Explorer behavior is due to security reasons (but I don't
know which malicious hack could be done by sending cookies from a server with
improper names... anyway I believe Microsoft knows ;) )
Comment 2 benc 2004-11-04 08:03:59 PST
We could add a check for valid domains in cookies, but we might do that
elsewhere already.

We still allow somewhat unlimited access to the hostname via file: urls w/
javascript cookies.

file://illegal_host/filewithjscookie.html

I'm working on a FQDN validator in JS.
Comment 3 Alessio 2004-11-08 14:18:22 PST
PS: I tried with Firefox, Konqueror and Opera too and they have the same
behavior as Mozilla... anyway I'm still wondering how a cookie coming from a
server with improper hostname syntax can lead to security problems, as Microsoft asserts.
Comment 4 benc 2004-11-11 08:53:59 PST
Many security problems arise from data structure problems, and in the area of
networking, we have subsystems that have disjoint handling of namespaces.

For example, we used to have different hostname parsers for modules that were
chained together. That meant if you send a really weird hostname, it might look
like "a" to one module and "b" to another.

Not to generalize about a complex area I know little about, but for the security
issues I have helped on, the root cause is usually bad code vs. smart hacker.
Comment 5 zug_treno 2006-03-26 13:47:22 PST
*** Bug 331778 has been marked as a duplicate of this bug. ***
Comment 6 frantisek holop 2006-03-26 14:24:00 PST
(In reply to comment #3)
> PS: I tried with Firefox, Konqueror and Opera too and they have the same
> behavior as Mozilla... anyway I'm still wondering how a cookie coming from a
> server with improper hostname syntax can lead to security problems, as Microsoft asserts.

it may be not a high risk security issue, but surely underscore is an illegal
character in a FQDN.

it is certainly not a high priority bug, it just breaks the RFC.
http://www.camtp.uni-mb.si/books/Internet-Book/DNS_NameFormat.html
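
A sketch of the kind of check discussed in comments 2 and 6, as an added example that is not part of the bug thread and not Mozilla code: a hostname syntax validator following the letters-digits-hyphen rule of RFC 952 / RFC 1123, with a cookie gate built on it. The function names and sample hosts are hypothetical, and the input is assumed to be an ASCII DNS name (IDNs already in their `xn--` form, no IPv6 literals).

```javascript
// Added example: hostname syntax check per the RFC 952 / RFC 1123 LDH rule.
// Function names and sample hosts are hypothetical, not Mozilla code.

const MAX_NAME_LEN = 253;  // limit for the whole dotted name
const MAX_LABEL_LEN = 63;  // limit for each dot-separated label

// Returns null when the host is syntactically valid, otherwise a reason string.
function hostnameSyntaxError(host) {
  if (typeof host !== "string" || host.length === 0) return "empty host";
  // A single trailing dot only marks the name as fully qualified; ignore it.
  const name = host.endsWith(".") ? host.slice(0, -1) : host;
  if (name.length === 0) return "empty host";
  if (name.length > MAX_NAME_LEN) return "name too long";
  for (const label of name.split(".")) {
    if (label.length === 0) return "empty label";
    if (label.length > MAX_LABEL_LEN) return "label too long";
    // Letters, digits and hyphen only: this is what rejects the underscore.
    if (!/^[A-Za-z0-9-]+$/.test(label)) return `illegal character in "${label}"`;
    if (label.startsWith("-") || label.endsWith("-")) {
      return `hyphen at edge of "${label}"`;
    }
  }
  return null;
}

// The policy the report attributes to IE: drop cookies from hosts that fail.
// Calling one validator from every module avoids the situation in comment 4,
// where chained parsers disagree about what the hostname is.
function shouldAcceptCookieFrom(host) {
  return hostnameSyntaxError(host) === null;
}

// Constructed sample hosts.
const samples = [
  "www.mydomain.com",
  "my_test.mydomain.com",
  "-bad.mydomain.com",
  "a..b.com",
  "mydomain.com.",
];
for (const h of samples) {
  const err = hostnameSyntaxError(h);
  console.log(`${h}: ${err === null ? "accept cookie" : `reject cookie (${err})`}`);
}
```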
Comment 7 Patrick McManus [:mcmanus] 2016-01-25 13:36:35 PST
our behavior, afaict, matches chrome.. so wontfix for compat.
