backport mozbug 1334776 - CVE-2017-7797 Header name interning leaks across origins

Potential attack: session supercookie. [Moz Notes](https://bugzilla.mozilla.org/show_bug.cgi?id=1334776#c5): "The problem is that for unknown header names we store the first one we see and then later we case-insensitively match against that name *globally*. That means you can track if a user agent has already seen a certain header name used (by using a different casing and observing whether it gets normalized). This would allow you to see if a user has used a sensitive service that uses custom header names, or allows you to track a user across sites, by teaching the browser about a certain header case once and then observing if different casings get normalized to that. What we should do instead is only store the casing for a header name for each header list and not globally. That way it only leaks where it's expected (and necessary) to leak." [Moz fix note](https://bugzilla.mozilla.org/show_bug.cgi?id=1334776#c8): "nsHttpAtom now holds the old nsHttpAtom and a string that is case sensitive (only for not standard headers). So nsHttpAtom holds a pointer to a header name. (header names are store on a static structure). This is how it used to be. I left that part the same but added a nsCString which holds a string that was used to resoled the header name. So when we parse headers we call ResolveHeader with a char*. If it is a new header name the char* will be stored in a HttpHeapAtom, nsHttpAtom::_val will point to HttpHeapAtom::value and the same strings will be stored in mLocalCaseSensitiveHeader. For the first resolve request they will be the same but for the following maybe not. At the end this nsHttpAtom will be stored in nsHttpHeaderArray. For all operation we will used the old char* except when we are returning it to a script using VisitHeaders."
author: Gaming4JC <g4jc@bulletmail.org> 2018-09-25 23:03:28 -0400
committer: Gaming4JC <g4jc@bulletmail.org> 2018-09-25 23:03:28 -0400
commit: c5c9445e3adf6b65c98f6810551d7c3d64133134 (patch)
tree: cf7aa42302515fe1792fd9c3230c6fd7ae3325fc /netwerk/protocol/http/nsHttpResponseHead.cpp
parent: e3508f55bed8a463d298021633dbc7d079c9d764 (diff)
download: UXP-c5c9445e3adf6b65c98f6810551d7c3d64133134.tar
UXP-c5c9445e3adf6b65c98f6810551d7c3d64133134.tar.gz
UXP-c5c9445e3adf6b65c98f6810551d7c3d64133134.tar.lz
UXP-c5c9445e3adf6b65c98f6810551d7c3d64133134.tar.xz
UXP-c5c9445e3adf6b65c98f6810551d7c3d64133134.zip
1 files changed, 39 insertions, 11 deletions
diff --git a/netwerk/protocol/http/nsHttpResponseHead.cpp b/netwerk/protocol/http/nsHttpResponseHead.cpp
index 6d384c488..fa6430b82 100644
--- a/netwerk/protocol/http/nsHttpResponseHead.cpp
+++ b/netwerk/protocol/http/nsHttpResponseHead.cpp
@@ -137,6 +137,26 @@ nsHttpResponseHead::Immutable()
 }
 
 nsresult
+nsHttpResponseHead::SetHeader(const nsACString &hdr,
+                              const nsACString &val,
+                              bool merge)
+{
+    ReentrantMonitorAutoEnter monitor(mReentrantMonitor);
+
+    if (mInVisitHeaders) {
+        return NS_ERROR_FAILURE;
+    }
+
+    nsHttpAtom atom = nsHttp::ResolveAtom(PromiseFlatCString(hdr).get());
+    if (!atom) {
+        NS_WARNING("failed to resolve atom");
+        return NS_ERROR_NOT_AVAILABLE;
+    }
+
+    return SetHeader_locked(atom, hdr, val, merge);
+}
+
+nsresult
 nsHttpResponseHead::SetHeader(nsHttpAtom hdr,
                               const nsACString &val,
                               bool merge)
@@ -147,24 +167,25 @@ nsHttpResponseHead::SetHeader(nsHttpAtom hdr,
         return NS_ERROR_FAILURE;
     }
 
-    return SetHeader_locked(hdr, val, merge);
+    return SetHeader_locked(hdr, EmptyCString(), val, merge);
 }
 
 nsresult
-nsHttpResponseHead::SetHeader_locked(nsHttpAtom hdr,
+nsHttpResponseHead::SetHeader_locked(nsHttpAtom atom,
+                                     const nsACString &hdr,
                                      const nsACString &val,
                                      bool merge)
 {
-    nsresult rv = mHeaders.SetHeader(hdr, val, merge,
+    nsresult rv = mHeaders.SetHeader(atom, hdr, val, merge,
                                      nsHttpHeaderArray::eVarietyResponse);
     if (NS_FAILED(rv)) return rv;
 
     // respond to changes in these headers.  we need to reparse the entire
     // header since the change may have merged in additional values.
-    if (hdr == nsHttp::Cache_Control)
-        ParseCacheControl(mHeaders.PeekHeader(hdr));
-    else if (hdr == nsHttp::Pragma)
-        ParsePragma(mHeaders.PeekHeader(hdr));
+    if (atom == nsHttp::Cache_Control)
+        ParseCacheControl(mHeaders.PeekHeader(atom));
+    else if (atom == nsHttp::Pragma)
+        ParsePragma(mHeaders.PeekHeader(atom));
 
     return NS_OK;
 }
@@ -316,6 +337,7 @@ nsHttpResponseHead::ParseCachedOriginalHeaders(char *block)
 
     char *p = block;
     nsHttpAtom hdr = {0};
+    nsAutoCString headerNameOriginal;
     nsAutoCString val;
     nsresult rv;
 
@@ -331,12 +353,13 @@ nsHttpResponseHead::ParseCachedOriginalHeaders(char *block)
 
         *p = 0;
         if (NS_FAILED(nsHttpHeaderArray::ParseHeaderLine(
-            nsDependentCString(block, p - block), &hdr, &val))) {
+            nsDependentCString(block, p - block), &hdr, &headerNameOriginal, &val))) {
 
             return NS_OK;
         }
 
         rv = mHeaders.SetResponseHeaderFromCache(hdr,
+                                                 headerNameOriginal,
                                                  val,
                                                  nsHttpHeaderArray::eVarietyResponseNetOriginal);
 
@@ -567,18 +590,21 @@ nsresult
 nsHttpResponseHead::ParseHeaderLine_locked(const nsACString &line, bool originalFromNetHeaders)
 {
     nsHttpAtom hdr = {0};
+    nsAutoCString headerNameOriginal;
     nsAutoCString val;
 
-    if (NS_FAILED(nsHttpHeaderArray::ParseHeaderLine(line, &hdr, &val))) {
+    if (NS_FAILED(nsHttpHeaderArray::ParseHeaderLine(line, &hdr, &headerNameOriginal, &val))) {
         return NS_OK;
     }
     nsresult rv;
     if (originalFromNetHeaders) {
         rv = mHeaders.SetHeaderFromNet(hdr,
+                                       headerNameOriginal,
                                        val,
                                        true);
     } else {
         rv = mHeaders.SetResponseHeaderFromCache(hdr,
+                                                 headerNameOriginal,
                                                  val,
                                                  nsHttpHeaderArray::eVarietyResponse);
     }
@@ -856,7 +882,8 @@ nsHttpResponseHead::UpdateHeaders(nsHttpResponseHead *aOther)
     uint32_t i, count = aOther->mHeaders.Count();
     for (i=0; i<count; ++i) {
         nsHttpAtom header;
-        const char *val = aOther->mHeaders.PeekHeaderAt(i, header);
+        nsAutoCString headerNameOriginal;
+        const char *val = aOther->mHeaders.PeekHeaderAt(i, header, headerNameOriginal);
 
         if (!val) {
             continue;
@@ -890,7 +917,8 @@ nsHttpResponseHead::UpdateHeaders(nsHttpResponseHead *aOther)
             LOG(("new response header [%s: %s]\n", header.get(), val));
 
             // overwrite the current header value with the new value...
-            SetHeader_locked(header, nsDependentCString(val));
+            SetHeader_locked(header, headerNameOriginal,
+                             nsDependentCString(val));
         }
     }
author	Gaming4JC <g4jc@bulletmail.org>	2018-09-25 23:03:28 -0400
committer	Gaming4JC <g4jc@bulletmail.org>	2018-09-25 23:03:28 -0400
commit	c5c9445e3adf6b65c98f6810551d7c3d64133134 (patch)
tree	cf7aa42302515fe1792fd9c3230c6fd7ae3325fc /netwerk/protocol/http/nsHttpResponseHead.cpp
parent	e3508f55bed8a463d298021633dbc7d079c9d764 (diff)
download	UXP-c5c9445e3adf6b65c98f6810551d7c3d64133134.tar UXP-c5c9445e3adf6b65c98f6810551d7c3d64133134.tar.gz UXP-c5c9445e3adf6b65c98f6810551d7c3d64133134.tar.lz UXP-c5c9445e3adf6b65c98f6810551d7c3d64133134.tar.xz UXP-c5c9445e3adf6b65c98f6810551d7c3d64133134.zip