Closed
Bug 460115
Opened 16 years ago
Closed 16 years ago
Setting "Authorization" request header to value without a space results in crash [@ libc-2.6.so@0x6fbcc]
Categories
(Core :: Networking: HTTP, defect)
Core
Networking: HTTP
Tracking
()
RESOLVED
FIXED
People
(Reporter: toddsf, Assigned: timeless)
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
1.41 KB,
patch
|
Biesinger
:
review+
Biesinger
:
superreview+
|
Details | Diff | Splinter Review |
No description provided.
Reporter | ||
Comment 1•16 years ago
|
||
(apologies about the premature submission)
If a client sets the "Authorization" field to a value that doesn't contain a space, the result is a crash as, for example, here:
http://crash-stats.mozilla.com/report/index/ddf890a3-9a61-11dd-a2b3-001cc45a2ce4
That appears to be because Necko expects space between the auth-type (e.g., "Basic" or "Digest") and the credentials. That space does indeed appear to be required by the spec (and is certainly present by convention), but protecting against its absence still seems like a good idea.
THe problem appears to be here: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp&rev=1.333&mark=2152#2152
nsCAutoString buf(Substring(val, strchr(val, ' ')));
If the value for the authorization header (val) doesn't contain a space, bad things ensue. I gather the desire is to strip off the auth type (why? to save memory?) but a safer approach might be:
const char *space = strchr(val, ' ');
nsCAutoString buf(space ? Substring(val, space) : val);
Summary: Setting "Authorization" request header to value without a space crashes → Setting "Authorization" request header to value without a space results in crash
Signature libc-2.6.so@0x6fbcc
UUID ddf890a3-9a61-11dd-a2b3-001cc45a2ce4
Time 2008-10-14 19:34:48-07
Uptime 63
Product Firefox
Version 3.0.1
Build ID 2008070206
OS Linux
OS Version 0.0.0 Linux 2.6.23.17-88.fc7 #1 SMP Thu May 15 00:02:29 EDT 2008 x86_64 GNU/Linux
CPU x86
CPU Info GenuineIntel family 10 model 15 stepping 6
Crash Reason SIGSEGV
Crash Address 0x23dbcc
Comments
Crashing Thread
Frame Module Signature Source
0 libc-2.6.so libc-2.6.so@0x6fbcc
1 libxul.so nsACString_internal::Assign mozilla/xpcom/string/src/nsSubstring.cpp:406
2 libxul.so nsCAutoString::nsCAutoString nsTString.h:530
3 libxul.so nsHttpChannel::StoreAuthorizationMetaData mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp:2152
Severity: normal → critical
Keywords: crash
OS: Linux → All
Hardware: Other → All
Summary: Setting "Authorization" request header to value without a space results in crash → Setting "Authorization" request header to value without a space results in crash [@ libc-2.6.so@0x6fbcc]
Comment 4•16 years ago
|
||
Comment on attachment 343363 [details] [diff] [review]
recycle code
This seems like a good patch for the branches as well.
Attachment #343363 -
Flags: superreview+
Attachment #343363 -
Flags: review?(cbiesinger)
Attachment #343363 -
Flags: review+
Attachment #343363 -
Flags: approval1.9.0.4?
Attachment #343363 -
Flags: approval1.8.1.18?
Attachment #343363 -
Flags: approval1.8.0.15?
Comment 5•16 years ago
|
||
Comment on attachment 343363 [details] [diff] [review]
recycle code
This needs checkin on trunk and baking, but we'll consider it for the next branch release.
Attachment #343363 -
Flags: approval1.9.0.5?
Attachment #343363 -
Flags: approval1.9.0.4?
Attachment #343363 -
Flags: approval1.8.1.19?
Attachment #343363 -
Flags: approval1.8.1.18?
Updated•16 years ago
|
Attachment #343363 -
Flags: approval1.9.0.5?
Attachment #343363 -
Flags: approval1.8.1.19?
Attachment #343363 -
Flags: approval1.8.0.15?
Comment 6•16 years ago
|
||
Comment on attachment 343363 [details] [diff] [review]
recycle code
Please re-request approval after this has landed on trunk.
Updated•16 years ago
|
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
fixed in changeset 1ba5609a213a
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Attachment #343363 -
Flags: approval1.9.0.5?
Attachment #343363 -
Flags: approval1.8.1.19?
Attachment #343363 -
Flags: approval1.8.0.15?
Updated•16 years ago
|
Flags: in-testsuite?
Updated•16 years ago
|
Attachment #343363 -
Flags: approval1.9.0.5?
Attachment #343363 -
Flags: approval1.8.1.19?
Attachment #343363 -
Flags: approval1.8.0.15?
Comment 8•16 years ago
|
||
Comment on attachment 343363 [details] [diff] [review]
recycle code
This needs a testcase (automated for 1.9.0) before we'll take it on the branches.
Updated•16 years ago
|
Flags: wanted1.9.0.x+ → wanted1.9.0.x?
Updated•14 years ago
|
Crash Signature: [@ libc-2.6.so@0x6fbcc]
You need to log in
before you can comment on or make changes to this bug.
Description
•