Bug 158589 (CVE-2016-4760)

Summary: Restrict HTTP/0.9 responses to default ports and cancel HTTP/0.9 resource loads if the document was loaded with another HTTP protocol
Product: WebKit Reporter: John Wilander <wilander>
Component: WebCore Misc. Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, bfulgham, dveditz, jww, webkit-bug-importer, wilander
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 164530    
Attachments:
Patch (flags: bfulgham: review+)
Manual test cases for main document and resource loads (flags: none)

Description John Wilander 2016-06-09 15:54:27 PDT
Non-HTTP responses are interpreted as HTTP/0.9 which may allow exfiltration of data from non-HTTP services. Therefore cancel if the request was made to a non-default port. Also, cancel HTTP/0.9 resource responses if the document was loaded with a different HTTP version.
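The two checks the description asks for, as an added example (not the WebKit patch and not the Python test attached later in this bug). It assumes that "default port" means the scheme's well-known port (80 for http, 443 for https), that a response without an `HTTP/x.y <status>` line is what a lenient client treats as HTTP/0.9, and that the hypothetical `should_cancel` helper is called once the first response bytes are in; the sample responses and the localhost server in the demo are constructed for illustration.

```python
"""Model of the HTTP/0.9 cancellation policy from WebKit bug 158589.
Added example, not WebKit's ResourceLoader code and not the attached test."""
import socket
import threading
from typing import Optional
from urllib.parse import urlsplit

# Assumption: "default port" in the bug means the scheme's well-known port.
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample responses: a non-HTTP service banner that a lenient client
# would swallow as an HTTP/0.9 body, and a normal HTTP/1.1 response.
FTP_BANNER = b"220 ftp.example.test FTP server ready\r\n"
HTTP11_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"


def http_version_of(raw: bytes) -> str:
    """Classify a raw response the way a lenient HTTP client does: anything that
    does not start with an 'HTTP/x.y <status>' line is taken as HTTP/0.9."""
    first_line = raw.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ", 2)
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return parts[0][len(b"HTTP/"):].decode("ascii", "replace")  # "1.1", "1.0", ...
    return "0.9"


def should_cancel(response_url: str, response_version: str,
                  document_version: Optional[str]) -> Optional[str]:
    """Return the reason the load must be cancelled, or None if it may proceed.

    document_version is the HTTP version the owning document was loaded with;
    pass None when this response *is* the main document load."""
    if response_version != "0.9":
        return None  # only HTTP/0.9 responses are subject to the new checks
    u = urlsplit(response_url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    # Check 1: HTTP/0.9 is only tolerated on the scheme's default port, so a
    # page cannot point a load at an arbitrary non-HTTP service and read it.
    if port != DEFAULT_PORTS.get(scheme):
        return f"HTTP/0.9 response from non-default port {port}"
    # Check 2: subresources may not be HTTP/0.9 unless the document itself was.
    if document_version is not None and document_version != "0.9":
        return f"HTTP/0.9 subresource inside an HTTP/{document_version} document"
    return None


# --- Demo plumbing: a throwaway localhost "service" that answers with a banner.
def serve_once(payload: bytes) -> int:
    """Start a one-shot server on an ephemeral 127.0.0.1 port; return the port."""
    srv = socket.create_server(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # a non-HTTP service ignores the request line
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def fetch_raw(port: int, path: str = "/") -> bytes:
    """Send a GET and return whatever bytes come back, unparsed."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(f"GET {path} HTTP/1.1\r\nHost: 127.0.0.1:{port}\r\n\r\n".encode())
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    # An HTTP/1.1 document pulling a subresource from a banner-only service on
    # an ephemeral (non-default) port: both checks fire.
    port = serve_once(FTP_BANNER)
    raw = fetch_raw(port)
    version = http_version_of(raw)
    url = f"http://127.0.0.1:{port}/"
    print(f"{url} -> HTTP/{version}; cancel: {should_cancel(url, version, '1.1')}")
```

The order of the checks matters for the message a developer sees: the port check covers both main-document and subresource loads, while the document-version check only applies to subresources, which is why `document_version` is `None` for the main document and an HTTP/0.9 main document on port 80 is still allowed.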
Comment 1 John Wilander 2016-06-09 15:55:17 PDT
rdar://problem/25757454
Comment 2 John Wilander 2016-06-09 16:06:03 PDT
Created attachment 280961 [details]
Patch
Comment 3 Brent Fulgham 2016-06-09 16:13:48 PDT
Comment on attachment 280961 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=280961&action=review

Looks good! r=me (assuming all tests continue to pass).

> Source/WebCore/ChangeLog:12
> +        HTTP/0.9 header tests for positive and negative cases.

Could you please attach the Python script and instructions to the Bugzilla bug so others (e.g., GTK people) could do testing later if they need to?

> Source/WebCore/loader/ResourceLoader.cpp:435
> +        auto url = r.url();

This should really be "m_response.url()" for consistency.
Comment 4 Brent Fulgham 2016-06-09 17:19:45 PDT
Committed r201895: <http://trac.webkit.org/changeset/201895>
Comment 5 John Wilander 2016-06-09 17:26:08 PDT
Created attachment 280969 [details]
Manual test cases for main document and resource loads

I made the Python test as a stand-alone file. Instructions are in comments at the top of the file.
Comment 6 John Wilander 2016-06-15 10:02:04 PDT
Adding Dan Veditz from Mozilla and Joel Weinberger from Google to the CC list so as to facilitate coordination.