Closed
Bug 429781
Opened 16 years ago
Closed 16 years ago
Update XMLHttpRequest blocked header list
Categories
(Core :: Security, defect)
Core
Security
Tracking
()
RESOLVED
FIXED
mozilla1.9.1a1
People
(Reporter: abarth-mozilla, Assigned: abarth-mozilla)
Details
(Keywords: fixed1.9.0.2)
Attachments
(1 file, 2 obsolete files)
|
3.65 KB,
patch
|
sicking
:
review+
sicking
:
superreview+
mtschrep
:
approval1.9-
samuel.sidler+old
:
approval1.9.0.2+
|
Details | Diff | Splinter Review |
The XMLHttpRequest spec <http://www.w3.org/TR/XMLHttpRequest/> was recently updated to block more dangerous headers. We should update our implementation to block them as well. I've attached a first pass at implementing this, but I haven't had a chance to test the patch yet. Is there an existing test suite for the blocked header list?
|
Assignee | |
Comment 1•16 years ago
|
||
Oops. Here is the patch.
|
||
Comment 2•16 years ago
|
||
One test is http://mxr.mozilla.org/mozilla/source/content/base/test/test_bug308484.html?force=1 any others ought to be in that general area.
Assignee: dveditz → jonas
|
|
Assignee | |
Comment 3•16 years ago
|
||
Thanks. Here's an updated patch with tests. I can't run the tests from this machine, but I'll try to do that in the next couple of days.
Attachment #316527 -
Attachment is obsolete: true
Comment on attachment 316528 [details] [diff] [review] Patch with tests Looks good to me. Wish we had a better way of testing the head of a string, but I couldn't find anything that worked well here.
Attachment #316528 -
Flags: superreview+
Attachment #316528 -
Flags: review+
Also, it's your patch so you should have the honors of owning the bug :)
Assignee: jonas → hk9565
Comment on attachment 316528 [details] [diff] [review] Patch with tests Requesting approval. Technically this is something we could take in a dot-release, but the patch is super safe so I see no reason not to take it asap.
Attachment #316528 -
Flags: approval1.9?
|
||
Comment 7•16 years ago
|
||
Minor issue with the tests: "aCCept-chaEset" should read "aCCept-chaRset"
Hmm.. so how come the test is still passing? Or is it not?
|
|
Assignee | |
Comment 9•16 years ago
|
||
As mentioned in comment 0 and comment 3, I haven't had a chance to test the patch yet. I'll test it today.
|
|
Assignee | |
Comment 10•16 years ago
|
||
Hum... Turns out "Find" is not a member of |header| because nsACString in this file refers to nsTAString and not to the nsACString defined in nsStringAPI.h. Jonas, how can we test if the header name starts with one of the banned prefixes?
|
||
Comment 11•16 years ago
|
||
Comment on attachment 316528 [details] [diff] [review] Patch with tests Renom once the comments about failing tests are addressed.
Attachment #316528 -
Flags: approval1.9? → approval1.9-
|
|
Assignee | |
Comment 12•16 years ago
|
||
I got some help on the string issues from the IRC channel. This patch builds and passes the supplied test.
Attachment #316528 -
Attachment is obsolete: true
Attachment #316904 -
Flags: review?(jonas)
Comment on attachment 316904 [details] [diff] [review] Fixed path Excellent! See comment 6 for why we should take this in RC1
Attachment #316904 -
Flags: superreview+
Attachment #316904 -
Flags: review?(jonas)
Attachment #316904 -
Flags: review+
Attachment #316904 -
Flags: approval1.9?
|
||
Comment 14•16 years ago
|
||
Comment on attachment 316904 [details] [diff] [review] Fixed path a1.9+=damons
Attachment #316904 -
Flags: approval1.9? → approval1.9+
|
|
Assignee | |
Comment 15•16 years ago
|
||
Is there anything more to do for this patch besides committing it?
Nope, I can do that as soon as the tree goes green.
I checked this in. Leaving for Adam to mark fixed
|
|
Assignee | |
Updated•16 years ago
|
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Backed out. Looked like this might have caused some orange. Or it was just a random failure :( http://tinderbox.mozilla.org/showlog.cgi?tree=Firefox&errorparser=unittest&logfile=1209773100.1209777310.20904.gz&buildtime=1209773100&buildname=Linux%20qm-centos5-01%20dep%20unit%20test&fulltext=
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Comment 19•16 years ago
|
||
I'm not that familiar with tinderbox. Can you help me understand which tests failed? I search the output for "INFO FAIL" but I didn't find anything. I see the line "TinderboxPrint: mochitest<br/>FAIL", but I don't understand what caused that. Thanks.
So tinderbox went green before the backout took effect, so the problem was just temporary rather than because of this patch :( I'll reland again tomorrow.
|
||
Updated•16 years ago
|
Whiteboard: [missed 1.9 checkin]
|
||
Comment 21•16 years ago
|
||
Jonas looks like we missed this - we'll have to take for 3.0.1
Comment on attachment 316904 [details] [diff] [review] Fixed path Reasking for approval. Patch is very safe so if we respin I think we should take this.
Attachment #316904 -
Flags: approval1.9+ → approval1.9?
|
|
||
Comment 23•16 years ago
|
||
Comment on attachment 316904 [details] [diff] [review] Fixed path we are closed down for showstoppers. We can get this in 3.0.1 if needed.
Attachment #316904 -
Flags: approval1.9? → approval1.9-
|
|
Assignee | |
Comment 24•16 years ago
|
||
Jonas, Is there a tree that's appropriate for this patch now?
Comment on attachment 316904 [details] [diff] [review] Fixed path Yes, this should land on trunk and on the 1.9.0 branch.
Attachment #316904 -
Flags: approval1.9.0.1?
|
|
||
Updated•16 years ago
|
Attachment #316904 -
Flags: approval1.9.0.1? → approval1.9.0.2?
|
||
Comment 26•16 years ago
|
||
Landed in 15889:0f1b3785d279.
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED
Whiteboard: [missed 1.9 checkin]
Target Milestone: --- → mozilla1.9.1a1
|
|
||
Updated•16 years ago
|
Flags: in-testsuite+
|
||
Comment 27•16 years ago
|
||
Comment on attachment 316904 [details] [diff] [review] Fixed path Approved for 1.9.0.2. Please land in CVS. a=ss
Attachment #316904 -
Flags: approval1.9.0.2? → approval1.9.0.2+
|
|
||
Updated•16 years ago
|
Keywords: checkin-needed
|
|
||
Comment 28•16 years ago
|
||
dveditz, can you land this?
|
|
Assignee | |
Comment 29•16 years ago
|
||
I got an email from Samuel Sidler asking me to land this patch, but I don't have commit privileges. Jonas or dveditz, can you land this? Thanks.
|
|
||
Updated•16 years ago
|
Whiteboard: [needs 1.9 landing]
|
||
Comment 30•16 years ago
|
||
This patch did not apply cleanly to CVS. Please provide an updated patch.
Keywords: checkin-needed
|
|
Assignee | |
Comment 31•16 years ago
|
||
I'm out of the country and won't be able to provide an updated patch until I return in a couple weeks. The change is very simple. I don't understand why the patch didn't apply cleanly as the last thing that happened to both of these files was that this patch was applied and then backed out due to flakiness in another test. If you like, you can just revert the last changes to content/base/src/nsXMLHttpRequest.cpp and content/base/test/test_bug308484.html to "un-back out" the patch.
|
|
||
Comment 32•16 years ago
|
||
checked-in to 1.9 "branch" (cvs trunk)
Keywords: fixed1.9.0.2
Whiteboard: [needs 1.9 landing]
You need to log in
before you can comment on or make changes to this bug.
Description
•