User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910

I recently discovered there's a quite old patch from Microsoft for Internet Explorer which blocks cookies coming from a server with improper syntax, e.g. a hostname containing an underscore: let's say we have a machine named my_test.mydomain.com, Internet Explorer doesn't accept cookies set by that machine. Mozilla does. Is this correct? Microsoft says that's the right behavior... Of course I'm not saying Mozilla should imitate IE, I'm just wondering if this security issue is something related only to the Microsoft platform or not. :)

For further details, read carefully here: http://support.microsoft.com/default.aspx?scid=kb;EN-US;316112 and here: http://www.microsoft.com/technet/security/bulletin/MS01-055.mspx

Reproducible: Always

Steps to Reproduce:
13 years ago
I forgot to say this Explorer behavior is due to security reasons (but I don't know which malicious hack could be done by sending cookies from a server with improper names... anyway I believe Microsoft knows ;) )
PS: I tried with Firefox, Konqueror and Opera too and they have the same behavior as Mozilla... anyway I'm still wondering how a cookie coming from a server with improper hostname syntax can lead to security problems, as Microsoft asserts
Many security problems arise from data structure problems, and in the area of networking, we have subsystems that have disjoint handling of namespaces. For example, we used to have different hostname parsers for modules that were chained together. That meant if you send a really weird hostname, it might look like "a" to one module and "b" to another. Not to generalize about a complex area I know little about, but for the security issues I have helped on, the root cause is usually bad code vs. smart hacker.
*** Bug 331778 has been marked as a duplicate of this bug. ***
(In reply to comment #3)
> PS: I tried with Firefox, Konqueror and Opera too and they have the same
> behavior as Mozilla... anyway I'm still wondering how a cookie coming from a
> server with improper hostname syntax can lead to security problems, as Microsoft asserts

It may not be a high-risk security issue, but surely underscore is an illegal character in an FQDN. It is certainly not a high priority bug, it just breaks the RFC. http://www.camtp.uni-mb.si/books/Internet-Book/DNS_NameFormat.html
Our behavior, afaict, matches Chrome, so wontfix for compat.
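The hostname syntax rule this thread turns on, as an added example that is not part of the bug report or of any browser's code: a letter-digit-hyphen (LDH) label check per RFC 952 / RFC 1123, applied to a cookie accept decision under the two behaviours reported above. The function names, the policy names "strict" and "lenient", and all sample hosts other than my_test.mydomain.com are assumptions made for illustration.

```javascript
// Added example. LDH rule: each label is 1-63 characters of letters, digits
// or hyphen, and may not start or end with a hyphen; whole name <= 253 chars.
const LDH_LABEL = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/i;

// Hypothetical helper: returns { ok, reason } for a candidate hostname.
function checkHostname(host) {
  if (typeof host !== "string" || host.length === 0) {
    return { ok: false, reason: "empty hostname" };
  }
  // A single trailing dot (fully qualified form) is allowed and ignored.
  const name = host.endsWith(".") ? host.slice(0, -1) : host;
  if (name.length === 0 || name.length > 253) {
    return { ok: false, reason: "name length out of range" };
  }
  for (const label of name.split(".")) {
    if (label.length === 0) return { ok: false, reason: "empty label" };
    if (label.length > 63) return { ok: false, reason: `label "${label}" too long` };
    if (!LDH_LABEL.test(label)) {
      const bad = label.match(/[^a-z0-9-]/i);
      return {
        ok: false,
        reason: bad
          ? `illegal character ${JSON.stringify(bad[0])} in label "${label}"`
          : `label "${label}" starts or ends with a hyphen`,
      };
    }
  }
  return { ok: true, reason: "valid LDH hostname" };
}

// Hypothetical policy switch modelling the two behaviours reported in the
// thread: "strict" drops cookies from hosts that fail the LDH check,
// "lenient" accepts them regardless of hostname syntax.
function decideCookie(host, policy) {
  const check = checkHostname(host);
  const accept = policy === "lenient" || check.ok;
  return { host, accept, reason: check.reason };
}

// Constructed sample hosts; the first is the one named in the report.
const SAMPLE_HOSTS = ["my_test.mydomain.com", "my-test.mydomain.com",
                      "-edge.mydomain.com", "a..mydomain.com"];
for (const h of SAMPLE_HOSTS) {
  console.log(decideCookie(h, "strict"), decideCookie(h, "lenient").accept);
}
```
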