Closed
Bug 460115
Opened 16 years ago
Closed 16 years ago
Setting "Authorization" request header to value without a space results in crash [@ libc-2.6.so@0x6fbcc]
Categories
(Core :: Networking: HTTP, defect)
Core
Networking: HTTP
Tracking
()
RESOLVED
FIXED
People
(Reporter: toddsf, Assigned: timeless)
Details
(Keywords: crash)
Crash Data
Attachments
(1 file)
1.41 KB,
patch
|
Biesinger
:
review+
Biesinger
:
superreview+
|
Details | Diff | Splinter Review |
No description provided.
Reporter | ||
Comment 1•16 years ago
|
||
(apologies about the premature submission) If a client sets the "Authorization" field to a value that doesn't contain a space, the result is a crash as, for example, here: http://crash-stats.mozilla.com/report/index/ddf890a3-9a61-11dd-a2b3-001cc45a2ce4 That appears to be because Necko expects space between the auth-type (e.g., "Basic" or "Digest") and the credentials. That space does indeed appear to be required by the spec (and is certainly present by convention), but protecting against its absence still seems like a good idea. THe problem appears to be here: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp&rev=1.333&mark=2152#2152 nsCAutoString buf(Substring(val, strchr(val, ' '))); If the value for the authorization header (val) doesn't contain a space, bad things ensue. I gather the desire is to strip off the auth type (why? to save memory?) but a safer approach might be: const char *space = strchr(val, ' '); nsCAutoString buf(space ? Substring(val, space) : val);
Summary: Setting "Authorization" request header to value without a space crashes → Setting "Authorization" request header to value without a space results in crash
Signature libc-2.6.so@0x6fbcc UUID ddf890a3-9a61-11dd-a2b3-001cc45a2ce4 Time 2008-10-14 19:34:48-07 Uptime 63 Product Firefox Version 3.0.1 Build ID 2008070206 OS Linux OS Version 0.0.0 Linux 2.6.23.17-88.fc7 #1 SMP Thu May 15 00:02:29 EDT 2008 x86_64 GNU/Linux CPU x86 CPU Info GenuineIntel family 10 model 15 stepping 6 Crash Reason SIGSEGV Crash Address 0x23dbcc Comments Crashing Thread Frame Module Signature Source 0 libc-2.6.so libc-2.6.so@0x6fbcc 1 libxul.so nsACString_internal::Assign mozilla/xpcom/string/src/nsSubstring.cpp:406 2 libxul.so nsCAutoString::nsCAutoString nsTString.h:530 3 libxul.so nsHttpChannel::StoreAuthorizationMetaData mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp:2152
Severity: normal → critical
Keywords: crash
OS: Linux → All
Hardware: Other → All
Summary: Setting "Authorization" request header to value without a space results in crash → Setting "Authorization" request header to value without a space results in crash [@ libc-2.6.so@0x6fbcc]
Comment 4•16 years ago
|
||
Comment on attachment 343363 [details] [diff] [review] recycle code This seems like a good patch for the branches as well.
Attachment #343363 -
Flags: superreview+
Attachment #343363 -
Flags: review?(cbiesinger)
Attachment #343363 -
Flags: review+
Attachment #343363 -
Flags: approval1.9.0.4?
Attachment #343363 -
Flags: approval1.8.1.18?
Attachment #343363 -
Flags: approval1.8.0.15?
Comment 5•16 years ago
|
||
Comment on attachment 343363 [details] [diff] [review] recycle code This needs checkin on trunk and baking, but we'll consider it for the next branch release.
Attachment #343363 -
Flags: approval1.9.0.5?
Attachment #343363 -
Flags: approval1.9.0.4?
Attachment #343363 -
Flags: approval1.8.1.19?
Attachment #343363 -
Flags: approval1.8.1.18?
Updated•16 years ago
|
Attachment #343363 -
Flags: approval1.9.0.5?
Attachment #343363 -
Flags: approval1.8.1.19?
Attachment #343363 -
Flags: approval1.8.0.15?
Comment 6•16 years ago
|
||
Comment on attachment 343363 [details] [diff] [review] recycle code Please re-request approval after this has landed on trunk.
Updated•16 years ago
|
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
fixed in changeset 1ba5609a213a
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Attachment #343363 -
Flags: approval1.9.0.5?
Attachment #343363 -
Flags: approval1.8.1.19?
Attachment #343363 -
Flags: approval1.8.0.15?
Updated•16 years ago
|
Flags: in-testsuite?
Updated•16 years ago
|
Attachment #343363 -
Flags: approval1.9.0.5?
Attachment #343363 -
Flags: approval1.8.1.19?
Attachment #343363 -
Flags: approval1.8.0.15?
Comment 8•16 years ago
|
||
Comment on attachment 343363 [details] [diff] [review] recycle code This needs a testcase (automated for 1.9.0) before we'll take it on the branches.
Updated•16 years ago
|
Flags: wanted1.9.0.x+ → wanted1.9.0.x?
Updated•13 years ago
|
Crash Signature: [@ libc-2.6.so@0x6fbcc]
You need to log in
before you can comment on or make changes to this bug.
Description
•