Merge pull request #791 from g4jc/session_supercookie

Issue #792 - backport mozbug 1334776 - CVE-2017-7797 Header name interning leaks across origins

1 files changed, 13 insertions, 2 deletions

diff --git a/netwerk/protocol/http/PHttpChannelParams.h b/netwerk/protocol/http/PHttpChannelParams.h
index 4df5c7832..b04f57306 100644
--- a/netwerk/protocol/http/PHttpChannelParams.h
+++ b/netwerk/protocol/http/PHttpChannelParams.h
@@ -98,7 +98,11 @@ struct ParamTraits<mozilla::net::nsHttpHeaderArray::nsEntry>
 
   static void Write(Message* aMsg, const paramType& aParam)
   {
-    WriteParam(aMsg, aParam.header);
+    if (aParam.headerNameOriginal.IsEmpty()) {
+      WriteParam(aMsg, aParam.header);
+    } else {
+      WriteParam(aMsg, aParam.headerNameOriginal);
+    }
     WriteParam(aMsg, aParam.value);
     switch (aParam.variety) {
       case mozilla::net::nsHttpHeaderArray::eVarietyUnknown:
@@ -124,11 +128,18 @@ struct ParamTraits<mozilla::net::nsHttpHeaderArray::nsEntry>
   static bool Read(const Message* aMsg, PickleIterator* aIter, paramType* aResult)
   {
     uint8_t variety;
-    if (!ReadParam(aMsg, aIter, &aResult->header) ||
+    nsAutoCString header;
+    if (!ReadParam(aMsg, aIter, &header) ||
         !ReadParam(aMsg, aIter, &aResult->value)  ||
         !ReadParam(aMsg, aIter, &variety))
       return false;
 
+    mozilla::net::nsHttpAtom atom = mozilla::net::nsHttp::ResolveAtom(header);
+    aResult->header = atom;
+    if (!header.Equals(atom.get())) {
+      aResult->headerNameOriginal = header;
+    }
+
     switch (variety) {
       case 0:
         aResult->variety = mozilla::net::nsHttpHeaderArray::eVarietyUnknown;