179475 – [SOUP] Case of request headers depends on global state in libsoup

Bug 179475 - [SOUP] Case of request headers depends on global state in libsoup

Summary: [SOUP] Case of request headers depends on global state in libsoup

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKitGTK (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-11-09 05:09 PST by Ms2ger (he/him; ⌚ UTC+1/+2)
Modified:	2021-07-03 06:56 PDT (History)
CC List:	4 users (show)

See Also:	177530 https://bugzilla.gnome.org/show_bug.cgi?id=792176

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ms2ger (he/him; ⌚ UTC+1/+2) 2017-11-09 05:09:35 PST

http://w3c-test.org/fetch/api/basic/request-headers-case.any.html

soup_message_headers_append interns the header name case-insensitively, and always uses the casing it got in the first call. This means that

fetch("..", {headers: [["TEST", 1]] })
fetch("..", {headers: [["test", 1]] })

will the same header name twice. The name might be "TEST", or it might be any other casing which any other web page has used during the runtime of the browser.

This also provides a way of cross-origin communication: if a web page A uses a sufficiently unique header name in a particular casing, another web page B can check if page A was loaded before page B by checking what happens when using the header name in a different casing.

Comment 1 Michael Catanzaro 2017-11-09 07:44:17 PST

Wow, good find!

I don't think there is anything to change in WebKit here. Do you want to report this on GNOME Bugzilla?

Anyway, the fix would surely be in soup-message-headers.c:

static const char *
intern_header_name (const char *name, SoupHeaderSetter *setter)
{
	// ...

	if (!header_pool) {
		header_pool = g_hash_table_new (soup_str_case_hash, soup_str_case_equal);

	// ...
}

Presumably that would need to be changed to:

	header_pool = g_hash_table_new (g_str_hash, g_str_equal);

But we should probably audit other uses of soup_str_case_hash and soup_str_case_equal to ensure they are appropriate.

Comment 2 Michael Catanzaro 2017-11-09 08:20:17 PST

danw	the "cross-origin communication" idea seems a little crazy, but people have done crazier stuff... I'd say file a libsoup bug yeah. you can't just change intern_header_name to be non-case-sensitive though. that would definitely break things
mcatanzaro	What sort of things?
danw	eg, when you call soup_message_headers_get_content_type(), it has to return the content type whether it was specified as "Content-Type" or "CONTENT-type"
I guess if you want to fix it, the fix would be to not intern header names at all. just copy both name and value, and use g_ascii_strcasecmp() rather than pointer equality to compare header names when needed

Comment 3 Michael Catanzaro 2017-12-07 07:58:29 PST

This is a bug in libsoup, not in WebKit. This report needs to be moved to GNOME Bugzilla.

Comment 4 Carlos Alberto Lopez Perez 2021-07-03 06:54:02 PDT

This two tests pass now when webkit is built with libsoup3