Fix for Bug 319846 doesn't prevent overlong attribute names

RESOLVED FIXED


People

(Reporter: moz_bug_r_a4, Assigned: dveditz)

Tracking

({fixed1.8.1, verified1.7.13, verified1.8.0.2})

Trunk
x86
Windows XP
Bug Flags:
blocking1.7.13 +
blocking-aviary1.0.8 +
blocking1.8.0.2 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos][rft-dl])

Attachments

(2 attachments)

(Reporter)

Description

13 years ago
The fix for Bug 319846 prevents overlong attribute values, but doesn't prevent
overlong attribute names.

I should have seen this when I was playing with Bug 319846 and Bug 319847.
(Reporter)

Comment 1

13 years ago
Created attachment 213279 [details]
testcase
(Assignee)

Updated

13 years ago
Flags: blocking1.8.0.2+
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.8?
Whiteboard: [sg:dos]
(Assignee)

Comment 2

13 years ago
Created attachment 213341 [details] [diff] [review]
reject overlong attribute names

If someone tries to persist an attribute whose name length > 512, simply reject it. Unlike values, where truncating might make some sense if it's a text area or something, truncating the attribute name turns it into a different attribute so there's really no point in keeping it at all.

Even 512 feels too generous. No legit attribute name should be anywhere near that long, but the specs don't provide any limits. It's possible someone's carrying info in attribute names the way we sometimes do in pref names.
Attachment #213341 - Flags: superreview?(benjamin)
Attachment #213341 - Flags: review?(mrbkap)
Attachment #213341 - Flags: approval1.8.0.2?
Attachment #213341 - Flags: approval1.7.13?
Attachment #213341 - Flags: approval-branch-1.8.1?(benjamin)
Attachment #213341 - Flags: approval-aviary1.0.8?
Comment on attachment 213341 [details] [diff] [review]
reject overlong attribute names

I wish there was some way to avoid that strlen.
Attachment #213341 - Flags: review?(mrbkap) → review+
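
An added example, not the patch in attachment 213341 and not Mozilla code: the policy described in comment 2 (reject a name longer than 512, truncate an overlong value), written with a bounded scan so an oversized string costs at most limit + 1 byte reads rather than a full strlen. The names `check_persist` and `bounded_len` and the 4096-byte value limit are assumptions for illustration; the page does not give the value limit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ATTR_NAME_LEN  512   /* limit given in comment 2 */
#define MAX_ATTR_VALUE_LEN 4096  /* assumed; the value limit is not on this page */

enum persist_result { PERSIST_OK, PERSIST_VALUE_TRUNCATED, PERSIST_REJECTED };

/* Length of s, reading at most limit + 1 bytes. A return value of
 * limit + 1 means "longer than limit"; the rest is never scanned. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n <= limit && s[n] != '\0')
        n++;
    return n;
}

/* Decide what to do with a name/value pair before persisting it.
 * On OK or VALUE_TRUNCATED, *keep is how many value bytes to store. */
enum persist_result check_persist(const char *name, const char *value, size_t *keep)
{
    /* A truncated name would be a different attribute, so reject it. */
    if (bounded_len(name, MAX_ATTR_NAME_LEN) > MAX_ATTR_NAME_LEN)
        return PERSIST_REJECTED;

    *keep = bounded_len(value, MAX_ATTR_VALUE_LEN);
    if (*keep > MAX_ATTR_VALUE_LEN) {
        *keep = MAX_ATTR_VALUE_LEN;   /* values are cut, not dropped */
        return PERSIST_VALUE_TRUNCATED;
    }
    return PERSIST_OK;
}

int main(void)
{
    /* Constructed input: a name one byte over the limit (static, so
     * the final byte is already the terminating NUL). */
    static char long_name[MAX_ATTR_NAME_LEN + 2];
    size_t keep = 0;
    memset(long_name, 'a', MAX_ATTR_NAME_LEN + 1);
    printf("width/100: %d\n", check_persist("width", "100", &keep));
    printf("overlong name: %d\n", check_persist(long_name, "100", &keep));
    return 0;
}
```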

Comment 4

13 years ago
a=timr for drivers.  Extension of 319846 which was already declared blockers and fixed for 1.0.8/1.7.13. Some fix that was already reviewed. But still a superreview would be good. Benjamin?
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+

Updated

13 years ago
Attachment #213341 - Flags: superreview?(benjamin)
Attachment #213341 - Flags: superreview+
Attachment #213341 - Flags: approval-branch-1.8.1?(benjamin)
Attachment #213341 - Flags: approval-branch-1.8.1+

Comment 5

13 years ago
Comment on attachment 213341 [details] [diff] [review]
reject overlong attribute names

a=timr for drivers.
Attachment #213341 - Flags: approval1.7.13?
Attachment #213341 - Flags: approval1.7.13+
Attachment #213341 - Flags: approval-aviary1.0.8?
Attachment #213341 - Flags: approval-aviary1.0.8+

Comment 6

13 years ago
Comment on attachment 213341 [details] [diff] [review]
reject overlong attribute names

a=timr for drivers.

Comment 7

13 years ago
Comment on attachment 213341 [details] [diff] [review]
reject overlong attribute names

a=timr for drivers.  This is a simple completion of a previous approved security patch.
Attachment #213341 - Flags: approval1.8.0.2? → approval1.8.0.2+
(Assignee)

Comment 8

13 years ago
Fixed on trunk, moz17, aviary101, moz18 and moz180 branches
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Keywords: fixed-aviary1.0.8, fixed1.7.13, fixed1.8.0.2, fixed1.8.1
Resolution: --- → FIXED
Verified using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060227 Firefox/1.0.8 and Mozilla 1.7.13 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060228. Adding relevant keywords.
Keywords: fixed-aviary1.0.8, fixed1.7.13 → verified-aviary1.0.8, verified1.7.13
Marking [rft-dl] (ready for testing in Firefox 1.5.0.2 release candidates)
Whiteboard: [sg:dos] → [sg:dos][rft-dl]
Verified on the 1.8.0.2 branch using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060306 Firefox/1.5.0.2. Adding keyword.
Keywords: fixed1.8.0.2 → verified1.8.0.2
(Assignee)

Updated

13 years ago
Group: security