Bug 158589 (CVE-2016-4760)

Summary: Restrict HTTP/0.9 responses to default ports and cancel HTTP/0.9 resource loads if the document was loaded with another HTTP protocol
Product: WebKit Reporter: John Wilander <wilander>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, bfulgham, dveditz, jww, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 164530    
Attachments:
Description Flags
Patch
bfulgham: review+
Manual test cases for main document and resource loads none

John Wilander
Reported 2016-06-09 15:54:27 PDT
Non-HTTP responses are interpreted as HTTP/0.9 which may allow exfiltration of data from non-HTTP services. Therefore cancel if the request was made to a non-default port. Also, cancel HTTP/0.9 resource responses if the document was loaded with a different HTTP version.
Attachments
Patch (6.69 KB, patch)
2016-06-09 16:06 PDT, John Wilander 		bfulgham: review+
DetailsFormatted DiffDiff
Manual test cases for main document and resource loads (4.89 KB, text/x-python-script)
2016-06-09 17:26 PDT, John Wilander 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
John Wilander
Comment 1 2016-06-09 15:55:17 PDT
rdar://problem/25757454
John Wilander
Comment 2 2016-06-09 16:06:03 PDT
Created attachment 280961 [details] Patch
Brent Fulgham
Comment 3 2016-06-09 16:13:48 PDT
Comment on attachment 280961 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=280961&action=review Looks good! r=me (assuming all tests continue to pass). > Source/WebCore/ChangeLog:12 > + HTTP/0.9 header tests for positive and negative cases. Could you please attach the Python script and instructions to the Bugzilla bug so others (e.g., GTK people) could do testing later if they need to? > Source/WebCore/loader/ResourceLoader.cpp:435 > + auto url = r.url(); This should really be "m_response.url()" for consistency.
Brent Fulgham
Comment 4 2016-06-09 17:19:45 PDT
Committed r201895: <http://trac.webkit.org/changeset/201895>
John Wilander
Comment 5 2016-06-09 17:26:08 PDT
Created attachment 280969 [details] Manual test cases for main document and resource loads I made the Python test as a stand-alone file. Instructions as comments in the top of the file.
John Wilander
Comment 6 2016-06-15 10:02:04 PDT
Adding Dan Veditz from Mozilla and Joel Weinberger from Google to the CC list so as to facilitate coordination.
Note You need to log in before you can comment on or make changes to this bug.