Closed
Bug 683699
Opened 13 years ago
Closed 13 years ago
Ignore non-digit chars at end of Content-Length header
Categories
(Core :: Networking: HTTP, defect)
Core
Networking: HTTP
Tracking
()
RESOLVED
WONTFIX
mozilla9
People
(Reporter: exien.ow, Unassigned)
References
Details
(Keywords: regression)
Attachments
(2 files)
|
1.05 KB,
patch
|
Details | Diff | Splinter Review | |
|
348 bytes,
text/plain
|
Details |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:7.0) Gecko/20100101 Firefox/7.0 Build ID: 20110824172139 Steps to reproduce: Since Firefox 7.0, map images on playdiplomacy.com no longer load (works fine in Firefox 6.0) Actual results: This is an example image that loads fine in all browsers except Firefox 7.0 and instead returns a "Corrupted Content Error" http://www.playdiplomacy.com/view_image.php?game_id=31706&gdate=0¤t_phase=O Viewing a page with the image and inspecting with Firebug shows an "Aborted" http status: http://www.playdiplomacy.com/game_play_details.php?game_id=31706 Expected results: The image should render.
|
||
Comment 1•13 years ago
|
||
Works for me: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.2.21) Gecko/20110830 Firefox/3.6.21 Mozilla/5.0 (X11; Linux x86_64; rv:6.0.1) Gecko/20100101 Firefox/6.0.1 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.107 Safari/535.1 Opera/9.80 (X11; Linux x86_64; U; en) Presto/2.9.168 Version/11.51 Reproduced: Mozilla/5.0 (X11; Linux x86_64; rv:7.0) Gecko/20100101 Firefox/7.0 Mozilla/5.0 (X11; Linux x86_64; rv:8.0a2) Gecko/20110831 Firefox/8.0a2 Mozilla/5.0 (X11; Linux x86_64; rv:9.0a1) Gecko/20110831 Firefox/9.0a1
|
|
||
Comment 2•13 years ago
|
||
Last good nightly: 2011-05-31 First bad nightly: 2011-06-01 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a18b9861a868&tochange=5c6d107ede5a Local track down using Linux x86_64 (no error message, but also no image): The first bad revision is: changeset: 70383:42d996c34679 user: Patrick McManus <mcmanus@ducksong.com> date: Tue May 31 19:51:51 2011 -0400 summary: bug 597706 - response header smuggling r=honzab http://hg.mozilla.org/mozilla-central/rev/42d996c34679
Component: General → Networking: HTTP
Product: Firefox → Core
QA Contact: general → networking.http
|
|
||
Comment 3•13 years ago
|
||
http://redbot.org/?uri=http%3A%2F%2Fwww.playdiplomacy.com%2Fview_image.php%3Fgame_id%3D31706%26gdate%3D0%26current_phase%3DO HTTP/1.1 200 OK Date: Thu, 01 Sep 2011 01:12:27 GMT Server: Apache Set-Cookie: PHPSESSID=ce82983cb86aeac438d3a2bb005aee63; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre- check=0 Pragma: no-cache Content-Length: 138944 bytes Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/png "The Content-Length header's syntax isn't valid." http://www.apps.ietf.org/rfc/rfc2616.html#sec-14.13 So, is "bytes" the problem?
|
||
Comment 4•13 years ago
|
||
> Pragma: no-cache
> Content-Length: 138944 bytes
>
>
> "The Content-Length header's syntax isn't valid."
>
> http://www.apps.ietf.org/rfc/rfc2616.html#sec-14.13
>
> So, is "bytes" the problem?
yes, that's an invalid content-length response header. FF7 does not tolerate that because manipulating content-length is at the heart of http response smuggling attacks.
The admin for that URL should recv some evangelism love.|
|
||
Comment 5•13 years ago
|
||
I've sent an email to contact@PLAYdiplomacy.com.
|
|
||
Updated•13 years ago
|
Assignee: nobody → english-other
Status: UNCONFIRMED → NEW
Component: Networking: HTTP → English Other
Ever confirmed: true
Product: Core → Tech Evangelism
QA Contact: networking.http → english-other
Version: Trunk → unspecified
I've posted a message on the site forum, and the admin has made the fix and it now works fine in Firefox 7. I'm marking this issue as resolved. Thanks Thomas for tracking down the issue, and Patrick for identifying the invalid content-length header. http://www.playdiplomacy.com/forum/viewtopic.php?f=2&t=22204
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
|
|
||
Comment 7•13 years ago
|
||
Mark - thanks for helping with firefox 7!
|
||
Comment 8•13 years ago
|
||
Actually I think we may want to be a little less strict, and just parse the leading digits in the Content-Length header and ignore any other chars, just for backward-compat and parity (Chrome ignores the 'bytes' and I suspect other browsers do--Mark?).
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Summary: Image does not load with Corrupt Content Error → Ignore non-digit chars at end of Content-Length header
|
|
||
Comment 9•13 years ago
|
||
One-liner.
Assignee: english-other → jduell.mcbugs
Status: REOPENED → ASSIGNED
Attachment #557699 -
Flags: review?(bzbarsky)
|
|
||
Comment 10•13 years ago
|
||
So one thing I notice (which I discovered when running with and w/o the fix) is that if we run into our new NS_ERROR_CORRUPTED_CONTENT error (or if the webserver is completely down (ie. you don't have 'nc -l 8080 < NC_clen' running), we wind up showing whatever we have in cache for the URL. Is that the behavior we want? Or do we want to show the error message if the server reply is bogus and/or the server is down?
|
|
||
Comment 11•13 years ago
|
||
Patrick: feel free to chime in if you think we shouldn't make the fix--don't mean to railroad you. I'd just rather not deal with bug reports from broken sites that are affected by this, and AFAICT there's no security issue if we just parse the digits (correct?)
|
|
||
Updated•13 years ago
|
Assignee: jduell.mcbugs → nobody
Component: English Other → Networking: HTTP
Product: Tech Evangelism → Core
QA Contact: english-other → networking.http
Target Milestone: --- → mozilla9
|
||
Comment 12•13 years ago
|
||
I think we shouldn't flip-flop between draconian or not. If this is a isolated problem, by all means, leave in the draconian behavior. Once it ships in Mozilla other UAs may follow.
|
|
||
Comment 13•13 years ago
|
||
We may indeed see a big run of this kind of thing, but I don't think allowing " bytes" is going to help. That appears to be a one-off in somebody's custom php. So I'd prefer to hang onto the strict interpretation a while longer.
|
|
||
Comment 14•13 years ago
|
||
> I think we shouldn't flip-flop between draconian or not. True--the patch would only be worth taking if it could land on beta, so releases stayed consistently permissive. > So I'd prefer to hang onto the strict interpretation a while longer. I don't have a problem with that, so long as the bug floodgates don't open (and so far they haven't).
Status: ASSIGNED → RESOLVED
Closed: 13 years ago → 13 years ago
Resolution: --- → WONTFIX
|
|
||
Updated•13 years ago
|
Attachment #557699 -
Flags: review?(bzbarsky)
|
||
Comment 15•13 years ago
|
||
Did someone contact the site? Seems like we should still have an evang bug on the original issue open somewhere....
|
|
||
Comment 16•13 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #15) > Did someone contact the site? Seems like we should still have an evang bug > on the original issue open somewhere.... yes - comments 5 and 6. The admin even fixed the site! so evang is closed.
|
|
||
Comment 17•13 years ago
|
||
Ah, great. Sorry I missed that!
|
|
||
Comment 18•13 years ago
|
||
Note bug 690202.
You need to log in
before you can comment on or make changes to this bug.
Description
•