Closed Bug 328692 Opened 15 years ago Closed 15 years ago

Fix for Bug 319846 doesn't prevent overlong attribute names

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: dveditz)

Details

(Keywords: fixed1.8.1, verified1.7.13, verified1.8.0.2, Whiteboard: [sg:dos][rft-dl])

Attachments

(2 files)

The fix for Bug 319846 prevents overlong attribute values, but doesn't prevent
overlong attribute names.

I should have seen this when I was playing with Bug 319846 and Bug 319847.
Attached file testcase
Flags: blocking1.8.0.2+
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?
Whiteboard: [sg:dos]
If someone tries to persist an attribute whose name length > 512, simply reject it. Unlike values, where truncating might make some sense if it's a text area or something, truncating the attribute name turns it into a different attribute, so there's really no point in keeping it at all.

Even 512 feels too generous. No legit attribute name should be anywhere near that long, but the specs don't provide any limits. It's possible someone's carrying info in attribute names the way we sometimes do in pref names.
Attachment #213341 - Flags: superreview?(benjamin)
Attachment #213341 - Flags: review?(mrbkap)
Attachment #213341 - Flags: approval1.8.0.2?
Attachment #213341 - Flags: approval1.7.13?
Attachment #213341 - Flags: approval-branch-1.8.1?(benjamin)
Attachment #213341 - Flags: approval-aviary1.0.8?
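
The policy described in the comment above, as an added C++ example that is not the attached patch or Mozilla code: a name over the 512 limit is rejected outright, while an overlong value is truncated. `PersistStore`, `PersistAttribute`, `ExceedsLimit` and the 4096 value limit are assumptions made for illustration.

```cpp
#include <cstddef>
#include <map>
#include <string>
#include <utility>

// 512 is the name limit stated in the bug. kMaxValueLength is an assumed
// placeholder; this page does not give the value limit from Bug 319846.
static const std::size_t kMaxNameLength = 512;
static const std::size_t kMaxValueLength = 4096;

enum class PersistResult { Stored, StoredTruncated, RejectedName };

// Scan at most limit + 1 bytes, so an oversized input costs O(limit)
// instead of a full strlen() walk over attacker-sized data.
static bool ExceedsLimit(const char* s, std::size_t limit) {
  for (std::size_t i = 0; i <= limit; ++i) {
    if (s[i] == '\0') return false;  // terminator found within the limit
  }
  return true;
}

// Hypothetical persistence store keyed by (element id, attribute name).
typedef std::map<std::pair<std::string, std::string>, std::string> PersistStore;

PersistResult PersistAttribute(PersistStore& store, const std::string& id,
                               const char* name, const char* value) {
  // A truncated name would address a different attribute, so drop the
  // whole request rather than store it under the wrong key.
  if (ExceedsLimit(name, kMaxNameLength)) return PersistResult::RejectedName;

  // A value can be cut: the attribute's identity is unchanged.
  PersistResult result = PersistResult::Stored;
  std::string stored;
  if (ExceedsLimit(value, kMaxValueLength)) {
    stored.assign(value, kMaxValueLength);
    result = PersistResult::StoredTruncated;
  } else {
    stored = value;
  }
  store[std::make_pair(id, std::string(name))] = stored;
  return result;
}

int main() {
  PersistStore store;
  std::string long_name(kMaxNameLength + 1, 'a');  // constructed sample input
  return PersistAttribute(store, "win", long_name.c_str(), "1") ==
                 PersistResult::RejectedName ? 0 : 1;
}
```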
Comment on attachment 213341
reject overlong attribute names

I wish there was some way to avoid that strlen.
Attachment #213341 - Flags: review?(mrbkap) → review+
a=timr for drivers. Extension of 319846, which was already declared blockers and fixed for 1.0.8/1.7.13. Some fix that was already reviewed. But still a superreview would be good. Benjamin?
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Attachment #213341 - Flags: superreview?(benjamin)
Attachment #213341 - Flags: superreview+
Attachment #213341 - Flags: approval-branch-1.8.1?(benjamin)
Attachment #213341 - Flags: approval-branch-1.8.1+
Comment on attachment 213341
reject overlong attribute names

a=timr for drivers.
Attachment #213341 - Flags: approval1.7.13?
Attachment #213341 - Flags: approval1.7.13+
Attachment #213341 - Flags: approval-aviary1.0.8?
Attachment #213341 - Flags: approval-aviary1.0.8+
Comment on attachment 213341
reject overlong attribute names

a=timr for drivers.
Comment on attachment 213341
reject overlong attribute names

a=timr for drivers.  This is a simple completion of a previous approved security patch.
Attachment #213341 - Flags: approval1.8.0.2? → approval1.8.0.2+
Fixed on trunk, moz17, aviary101, moz18 and moz180 branches
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
verified using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060227 Firefox/1.0.8 and Mozilla 1.7.13 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060228. Adding relevant keywords.
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates)
Whiteboard: [sg:dos] → [sg:dos][rft-dl]
verified on the 1.8.0.2 branch using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060306 Firefox/1.5.0.2. Adding keyword.
Group: security