KotJohansson/UXP-Fixed
1
0
Fork 0
mirror of https://github.com/ManchildProductions/UXP-Fixed.git synced 2026-06-18 08:09:23 +00:00
Code Issues Projects Releases Wiki Activity
Files
09314667a692fedff8564fc347c8a3663474faa6
UXP-Fixed/netwerk/protocol/http/nsHttpResponseHead.h
T
Gaming4JC c5c9445e3a backport mozbug 1334776 - CVE-2017-7797 Header name interning leaks across origins 
Potential attack: session supercookie.

[Moz Notes](https://bugzilla.mozilla.org/show_bug.cgi?id=1334776#c5):
"The problem is that for unknown header names we store the first one we see and then later we case-insensitively match against that name *globally*. That means you can track if a user agent has already seen a certain header name used (by using a different casing and observing whether it gets normalized). This would allow you to see if a user has used a sensitive service that uses custom header names, or allows you to track a user across sites, by teaching the browser about a certain header case once and then observing if different casings get normalized to that.

What we should do instead is only store the casing for a header name for each header list and not globally. That way it only leaks where it's expected (and necessary) to leak."

[Moz fix note](https://bugzilla.mozilla.org/show_bug.cgi?id=1334776#c8):
"nsHttpAtom now holds the old nsHttpAtom and a string that is case sensitive (only for not standard headers).
So nsHttpAtom holds a pointer to a header name. (header names are store on a static structure). This is how it used to be. I left that part the same but added a nsCString which holds a string that was used to resoled the header name. So when we parse headers we call ResolveHeader with a char*. If it is a new header name the char* will be stored in a HttpHeapAtom, nsHttpAtom::_val will point to HttpHeapAtom::value and the same strings will be stored in mLocalCaseSensitiveHeader. For the first resolve request they will be the same but for the following maybe not. At the end this nsHttpAtom will be stored in nsHttpHeaderArray. For all operation we will used the old char* except when we are returning it to a script using VisitHeaders."
2018-09-25 23:03:28 -04:00

198 lines
7.1 KiB
C++
Raw Blame History

/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef nsHttpResponseHead_h__
#define nsHttpResponseHead_h__
#include "nsHttpHeaderArray.h"
#include "nsHttp.h"
#include "nsString.h"
#include "mozilla/ReentrantMonitor.h"
class nsIHttpHeaderVisitor;
// This needs to be forward declared here so we can include only this header
// without also including PHttpChannelParams.h
namespace IPC {
template <typename> struct ParamTraits;
} // namespace IPC
namespace mozilla { namespace net {
//-----------------------------------------------------------------------------
// nsHttpResponseHead represents the status line and headers from an HTTP
// response.
//-----------------------------------------------------------------------------
class nsHttpResponseHead
{
public:
nsHttpResponseHead() : mVersion(NS_HTTP_VERSION_1_1)
, mStatus(200)
, mContentLength(-1)
, mCacheControlPrivate(false)
, mCacheControlNoStore(false)
, mCacheControlNoCache(false)
, mCacheControlImmutable(false)
, mPragmaNoCache(false)
, mReentrantMonitor("nsHttpResponseHead.mReentrantMonitor")
, mInVisitHeaders(false) {}
nsHttpResponseHead(const nsHttpResponseHead &aOther);
nsHttpResponseHead &operator=(const nsHttpResponseHead &aOther);
void Enter() { mReentrantMonitor.Enter(); }
void Exit() { mReentrantMonitor.Exit(); }
nsHttpVersion Version();
// X11's Xlib.h #defines 'Status' to 'int' on some systems!
#undef Status
uint16_t Status();
void StatusText(nsACString &aStatusText);
int64_t ContentLength();
void ContentType(nsACString &aContentType);
void ContentCharset(nsACString &aContentCharset);
bool Private();
bool NoStore();
bool NoCache();
bool Immutable();
/**
* Full length of the entity. For byte-range requests, this may be larger
* than ContentLength(), which will only represent the requested part of the
* entity.
*/
int64_t TotalEntitySize();
nsresult SetHeader(const nsACString &h, const nsACString &v,
bool m=false);
nsresult SetHeader(nsHttpAtom h, const nsACString &v, bool m=false);
nsresult GetHeader(nsHttpAtom h, nsACString &v);
void ClearHeader(nsHttpAtom h);
void ClearHeaders();
bool HasHeaderValue(nsHttpAtom h, const char *v);
bool HasHeader(nsHttpAtom h);
void SetContentType(const nsACString &s);
void SetContentCharset(const nsACString &s);
void SetContentLength(int64_t);
// write out the response status line and headers as a single text block,
// optionally pruning out transient headers (ie. headers that only make
// sense the first time the response is handled).
// Both functions append to the string supplied string.
void Flatten(nsACString &, bool pruneTransients);
void FlattenNetworkOriginalHeaders(nsACString &buf);
// The next 2 functions parse flattened response head and original net headers.
// They are used when we are reading an entry from the cache.
//
// To keep proper order of the original headers we MUST call
// ParseCachedOriginalHeaders FIRST and then ParseCachedHead.
//
// block must be null terminated.
nsresult ParseCachedHead(const char *block);
nsresult ParseCachedOriginalHeaders(char *block);
// parse the status line.
void ParseStatusLine(const nsACString &line);
// parse a header line.
nsresult ParseHeaderLine(const nsACString &line);
// cache validation support methods
nsresult ComputeFreshnessLifetime(uint32_t *);
nsresult ComputeCurrentAge(uint32_t now, uint32_t requestTime,
uint32_t *result);
bool MustValidate();
bool MustValidateIfExpired();
// returns true if the server appears to support byte range requests.
bool IsResumable();
// returns true if the Expires header has a value in the past relative to the
// value of the Date header.
bool ExpiresInPast();
// update headers...
nsresult UpdateHeaders(nsHttpResponseHead *headers);
// reset the response head to it's initial state
void Reset();
nsresult GetAgeValue(uint32_t *result);
nsresult GetMaxAgeValue(uint32_t *result);
nsresult GetDateValue(uint32_t *result);
nsresult GetExpiresValue(uint32_t *result);
nsresult GetLastModifiedValue(uint32_t *result);
bool operator==(const nsHttpResponseHead& aOther) const;
// Using this function it is possible to itereate through all headers
// automatically under one lock.
nsresult VisitHeaders(nsIHttpHeaderVisitor *visitor,
nsHttpHeaderArray::VisitorFilter filter);
nsresult GetOriginalHeader(nsHttpAtom aHeader,
nsIHttpHeaderVisitor *aVisitor);
bool HasContentType();
bool HasContentCharset();
private:
nsresult SetHeader_locked(nsHttpAtom atom, const nsACString &h,
const nsACString &v, bool m=false);
void AssignDefaultStatusText();
void ParseVersion(const char *);
void ParseCacheControl(const char *);
void ParsePragma(const char *);
void ParseStatusLine_locked(const nsACString &line);
nsresult ParseHeaderLine_locked(const nsACString &line, bool originalFromNetHeaders);
// these return failure if the header does not exist.
nsresult ParseDateHeader(nsHttpAtom header, uint32_t *result) const;
bool ExpiresInPast_locked() const;
nsresult GetAgeValue_locked(uint32_t *result) const;
nsresult GetExpiresValue_locked(uint32_t *result) const;
nsresult GetMaxAgeValue_locked(uint32_t *result) const;
nsresult GetDateValue_locked(uint32_t *result) const
{
return ParseDateHeader(nsHttp::Date, result);
}
nsresult GetLastModifiedValue_locked(uint32_t *result) const
{
return ParseDateHeader(nsHttp::Last_Modified, result);
}
private:
// All members must be copy-constructable and assignable
nsHttpHeaderArray mHeaders;
nsHttpVersion mVersion;
uint16_t mStatus;
nsCString mStatusText;
int64_t mContentLength;
nsCString mContentType;
nsCString mContentCharset;
bool mCacheControlPrivate;
bool mCacheControlNoStore;
bool mCacheControlNoCache;
bool mCacheControlImmutable;
bool mPragmaNoCache;
// We are using ReentrantMonitor instead of a Mutex because VisitHeader
// function calls nsIHttpHeaderVisitor::VisitHeader while under lock.
ReentrantMonitor mReentrantMonitor;
// During VisitHeader we sould not allow cal to SetHeader.
bool mInVisitHeaders;
friend struct IPC::ParamTraits<nsHttpResponseHead>;
};
} // namespace net
} // namespace mozilla
#endif // nsHttpResponseHead_h__
Reference in New Issue View Git Blame Copy Permalink