servers with improper hostname syntax can set cookies

RESOLVED WONTFIX

Status

()

Core
Networking: Cookies
--
enhancement
RESOLVED WONTFIX
13 years ago
a year ago

People

(Reporter: Alessio, Unassigned)

Tracking

Trunk
x86
Windows XP
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910

I recently discovered there's a quite old patch from Microsoft for Internet
Explorer which blocks cookies coming from a server with improper syntax, e.g. an
hostname containing an underscore: let's say we have a machine named
my_test.mydomain.com, Internet Explorer doesn't accept cookies set by that machine.
Mozilla does. Is this correct?
Microsoft says that's the right behavior...
Of course I'm not saying Mozilla should imitate IE, I'm just wondering if this
security issue is something related only to the Microsoft platform or not. :)

Fo further details, read carefully here:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;316112
and here:
http://www.microsoft.com/technet/security/bulletin/MS01-055.mspx

Reproducible: Always
Steps to Reproduce:
Assignee: dveditz → darin
Component: Security: General → Networking: Cookies
QA Contact: core.networking.cookies
(Reporter)

Comment 1

13 years ago
I forgot to say this Explorer behavior is due to security reasons (but i don't
know which malicious hack could be done by sending cookies from server with
improper names... anyway i believe Microsoft knows ;) )

Comment 2

13 years ago
We could add a check for valid domains in cookies, but we might do that
elsewhere already.

We still allow somewhat unlimited acess to the hostname via file: urls w/
javascript cookies.

file://illegal_host/filewithjscookie.html

I'm working on a FQDN validator in JS.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: servers with improper name syntax can set cookies → servers with improper hostname syntax can set cookies
(Reporter)

Comment 3

13 years ago
PS: I tried with Firefox, Konqueror and Opera too and they have the same
behavior of Mozilla... anyway I'm still wondering how can a cookie coming from a
server with improper hostname syntax lead to security problems, as Microsoft asserts

Comment 4

13 years ago
Many security problems arise from data structure problems, and in the area of
networking, we have subsystems that have disjoint handling of namespaces.

For example, we used to have different hostname parsers for modules that were
chained together. That meant if you send a really weird hostname, it might look
like "a" to one module and "b" to another.

Not to generalize about a complex area I know little about, but for the security
issues I have helped on, the root cause is usually bad code vs. smart hacker.

Comment 5

11 years ago
*** Bug 331778 has been marked as a duplicate of this bug. ***

Comment 6

11 years ago
(In reply to comment #3)
> PS: I tried with Firefox, Konqueror and Opera too and they have the same
> behavior of Mozilla... anyway I'm still wondering how can a cookie coming from a
> server with improper hostname syntax lead to security problems, as Microsoft asserts

it may be not a high risk security issue, but surely underscore is an illegal
character in a FQDN.

it is certainly not a high priority bug, it just breaks the RFC.
http://www.camtp.uni-mb.si/books/Internet-Book/DNS_NameFormat.html

Updated

11 years ago
Assignee: darin → nobody
our behavior, afaict, matches chrome.. so wontfix for compat.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.