Bug 158768 - CR alone in response header is treated as end-of-line.
Summary: CR alone in response header is treated as end-of-line.
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: Safari 9
Hardware: Mac OS X 10.11
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-14 17:54 PDT by Motoshi Nishihira
Modified: 2016-06-15 17:25 PDT (History)
Description Motoshi Nishihira 2016-06-14 17:54:42 PDT
Safari treats CR alone in a response header as end-of-line.

[nginx.conf]
add_header X-header 'foo\rSet-Cookie: var=exploit';

This will set the cookie's value.

In RFC 2616, CR alone in headers is not specified.
But I think it is difficult for application developers to recognize the need to escape a lone CR in response headers by referencing RFC 2616.
I think it is better to disallow CR alone as end-of-line.
I've also opened this issue in chromium bug-trackers.
https://bugs.chromium.org/p/chromium/issues/detail?id=619579
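The behaviour described in this report, shown as an added example that is not part of the bug report or of WebKit: a toy header parser run in two modes, one that treats a lone CR as a line terminator (the lenient behaviour reported above) and one that only recognises CRLF or LF (RFC 7230 excludes bare CR from field values, and permits a bare LF as a line terminator). Alongside it is the check a server-side framework should apply before emitting a header, rejecting any value that contains CR, LF or NUL. The header value is the one from the nginx.conf line in the report; the function names, the constructed raw header block, and the two-mode parser are assumptions of this example, not WebKit or nginx code.

```python
import re

# Constructed sample: the header value from the report, a bare CR followed by
# what looks like a second header line. No real server or browser is involved.
INJECTED_VALUE = "foo\rSet-Cookie: var=exploit"


def split_header_lines(block: str, bare_cr_is_eol: bool) -> list:
    """Split a raw header block into lines.

    bare_cr_is_eol=True mimics a lenient parser that accepts a lone CR as a
    line terminator (the behaviour reported for Safari); False mimics a strict
    parser that only recognises CRLF or a lone LF.
    """
    pattern = r"\r\n|\r|\n" if bare_cr_is_eol else r"\r\n|\n"
    return [line for line in re.split(pattern, block) if line != ""]


def parse_headers(block: str, bare_cr_is_eol: bool) -> list:
    """Return (name, value) pairs; names are lower-cased for comparison."""
    headers = []
    for line in split_header_lines(block, bare_cr_is_eol):
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; a real parser would reject the block
        headers.append((name.strip().lower(), value.strip()))
    return headers


# RFC 7230 field-value grammar excludes CR, LF and NUL. A value containing any
# of them must be rejected (or encoded) before it is written to the response.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def is_safe_header_value(value: str) -> bool:
    """True if the value can be emitted without creating a header-injection hole."""
    return _FORBIDDEN.search(value) is None


def build_response_headers(pairs) -> str:
    """Serialize headers with CRLF, refusing any value that fails validation."""
    out = []
    for name, value in pairs:
        if not is_safe_header_value(value):
            raise ValueError(f"refusing to emit header {name!r}: control character in value")
        out.append(f"{name}: {value}")
    return "\r\n".join(out) + "\r\n"


def demo():
    """Parse the same raw block leniently and strictly; return both header lists."""
    # What the server intended to send: one X-Header carrying the literal value.
    raw = f"X-Header: {INJECTED_VALUE}\r\nContent-Type: text/html\r\n"
    lenient = parse_headers(raw, bare_cr_is_eol=True)
    strict = parse_headers(raw, bare_cr_is_eol=False)
    return lenient, strict


if __name__ == "__main__":
    lenient, strict = demo()
    print("lenient parser sees:", lenient)   # three headers, including set-cookie
    print("strict parser sees: ", strict)    # two headers; the CR stays inside the value
    print("value passes validation:", is_safe_header_value(INJECTED_VALUE))
```

The lenient parse yields a Set-Cookie header the server never meant to send, while the strict parse keeps the CR inside the X-Header value. Because the bug report's point is that a client may be lenient, the durable fix is on the emitting side: `build_response_headers` refuses the value outright rather than relying on every client to split lines the same way.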
Comment 1 Alexey Proskuryakov 2016-06-15 17:05:43 PDT
HTTP is implemented in Apple frameworks below WebKit. Could you please file a bug for Apple to take a look via <https://bugreport.apple.com>?
Comment 2 Motoshi Nishihira 2016-06-15 17:25:41 PDT
Thank you. I'll report it to Apple.