Bug 158589 (CVE-2016-4760) - Restrict HTTP/0.9 responses to default ports and cancel HTTP/0.9 resource loads if the document was loaded with another HTTP protocol
Status: RESOLVED FIXED
Alias: CVE-2016-4760
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks: 164530
Reported: 2016-06-09 15:54 PDT by John Wilander
Modified: 2017-10-11 10:27 PDT

See Also:


Attachments
Patch (6.69 KB, patch)
2016-06-09 16:06 PDT, John Wilander
bfulgham: review+
Manual test cases for main document and resource loads (4.89 KB, text/x-python-script)
2016-06-09 17:26 PDT, John Wilander

Description John Wilander 2016-06-09 15:54:27 PDT
Non-HTTP responses are interpreted as HTTP/0.9 which may allow exfiltration of data from non-HTTP services. Therefore cancel if the request was made to a non-default port. Also, cancel HTTP/0.9 resource responses if the document was loaded with a different HTTP version.
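The policy stated in the description, modelled as an added Python example (this is not WebKit's code and not the attached test script): a response with no HTTP status line is classified as HTTP/0.9, and such a load is cancelled when it came from a non-default port or, for a subresource, when the document itself was loaded with another HTTP version. The function names, the sample responses and the host example.test are constructed for illustration.

```python
# Added example, not WebKit code: a minimal model of the HTTP/0.9 policy from this bug.
from urllib.parse import urlsplit

# Default ports for the two schemes this model covers (assumption: only http/https).
DEFAULT_PORTS = {"http": 80, "https": 443}


def response_http_version(raw: bytes) -> str:
    """Classify a raw response by its first line.

    HTTP/1.x responses begin with a status line such as b"HTTP/1.1 200 OK".
    Anything else (for example the greeting banner of a non-HTTP service)
    has no status line, which a lenient parser treats as an HTTP/0.9 body.
    """
    first_line = raw.split(b"\r\n", 1)[0]
    if first_line.startswith(b"HTTP/") and len(first_line) > 5:
        version = first_line[5:].split(b" ", 1)[0]
        return "HTTP/" + version.decode("ascii", "replace")
    return "HTTP/0.9"


def should_cancel_load(url: str, raw_response: bytes,
                       is_main_resource: bool,
                       document_http_version: str = "") -> tuple:
    """Return (cancel, reason) for a load whose response bytes start with raw_response.

    document_http_version is the version the containing document was served
    with; it is only consulted for subresources (is_main_resource=False).
    """
    version = response_http_version(raw_response)
    if version != "HTTP/0.9":
        return False, "not HTTP/0.9"

    parts = urlsplit(url)
    default_port = DEFAULT_PORTS.get(parts.scheme)
    port = parts.port if parts.port is not None else default_port
    # Rule 1: an HTTP/0.9 response from a non-default port is likely a
    # non-HTTP service being read through the browser, so cancel it.
    if port != default_port:
        return True, "HTTP/0.9 response on non-default port"

    # Rule 2: a subresource may only be HTTP/0.9 if the document was too.
    if not is_main_resource and document_http_version != "HTTP/0.9":
        return True, "HTTP/0.9 subresource in a document loaded with another HTTP version"

    return False, "allowed"
```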
Comment 1 John Wilander 2016-06-09 15:55:17 PDT
rdar://problem/25757454
Comment 2 John Wilander 2016-06-09 16:06:03 PDT
Created attachment 280961
Patch
Comment 3 Brent Fulgham 2016-06-09 16:13:48 PDT
Comment on attachment 280961
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=280961&action=review

Looks good! r=me (assuming all tests continue to pass).

> Source/WebCore/ChangeLog:12
> +        HTTP/0.9 header tests for positive and negative cases.

Could you please attach the Python script and instructions to the Bugzilla bug so others (e.g., GTK people) could do testing later if they need to?

> Source/WebCore/loader/ResourceLoader.cpp:435
> +        auto url = r.url();

This should really be "m_response.url()" for consistency.
Comment 4 Brent Fulgham 2016-06-09 17:19:45 PDT
Committed r201895: <http://trac.webkit.org/changeset/201895>
Comment 5 John Wilander 2016-06-09 17:26:08 PDT
Created attachment 280969
Manual test cases for main document and resource loads

I made the Python test as a stand-alone file. Instructions are in comments at the top of the file.
Comment 6 John Wilander 2016-06-15 10:02:04 PDT
Adding Dan Veditz from Mozilla and Joel Weinberger from Google to the CC list so as to facilitate coordination.