
Issue 619579


Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug


CR alone in response header is treated as end-of-line.

Reported by sha7me1o...@gmail.com, Jun 13 2016

Issue description

VULNERABILITY DETAILS
CR alone in response header is treated as end-of-line.

VERSION
51.0.2704.84 (64-bit) + [stable]
Operating System: OS X 10.11.5

REPRODUCTION CASE

[nginx.conf]
add_header X-header 'foo\rSet-Cookie: var=exploit';

It will set the cookie.


This problem has already been discussed in this issue ( https://bugs.chromium.org/p/chromium/issues/detail?id=157525 ).

The following quote is essential.
> (a) All browsers accept a lone LF as the line terminator
> (b) All browsers (except Firefox) accept a lone CR as the line terminator.

> The point of contention in this bug is (b). However the reality is that given the status quo, regardless of what we do in Chrome, server-side applications MUST escape both CR and LF characters if they want to protect their users against header injections.

I agree with this.
But I think it is difficult to recognize from RFC 2616 the need to escape a lone CR in a response header.
I noticed that some big applications fail to escape a lone CR.
Of course this is an application-side problem, but disallowing a lone CR is safer.

I want to hear from you.
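To make the two behaviours in the quoted points (a) and (b) concrete, here is an added example (not code from the Chromium issue, from Chromium, or from nginx): a small HTTP/1.1 header-block parser that can be switched between the lenient rule (a lone CR ends a line, as Chrome did at the time of the report) and the strict rule (only CRLF or a lone LF ends a line), run over a constructed response that carries the same `X-header` value as the nginx repro. It also includes the server-side check the quoted comment calls for: a value that is about to be emitted in a response header must contain neither CR nor LF. Function names, the sample response bytes and the `lone_cr_ends_line` flag are assumptions made for the example.

```python
"""
Added example (not from the Chromium issue or nginx): a minimal HTTP/1.1
header-block parser in two modes, plus the server-side value check that the
issue says applications must perform regardless of browser behaviour.

Line terminators modelled:
  lenient (lone_cr_ends_line=True):  CRLF, lone LF and lone CR all end a line
                                     (pre-change Chrome behaviour from the report)
  strict  (lone_cr_ends_line=False): only CRLF and lone LF end a line; a lone
                                     CR stays inside the field value
"""
import re
from typing import Dict, List

# Constructed response, mirroring the nginx repro in the report: the value of
# X-header contains a bare CR followed by a Set-Cookie line.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"X-header: foo\rSet-Cookie: var=exploit\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

_LENIENT_EOL = re.compile(rb"\r\n|\r|\n")  # lone CR also ends a line
_STRICT_EOL = re.compile(rb"\r\n|\n")      # lone CR is ordinary value data


def split_lines(block: bytes, lone_cr_ends_line: bool) -> List[bytes]:
    """Split a raw header block into lines under the chosen terminator rule."""
    eol = _LENIENT_EOL if lone_cr_ends_line else _STRICT_EOL
    return eol.split(block)


def parse_headers(raw: bytes, lone_cr_ends_line: bool) -> Dict[str, List[str]]:
    """Parse status line and header fields up to the first blank line.

    Returns {lowercased field name: [field values in order]}.  In strict mode
    the bare CR from the repro never becomes a line break, so no Set-Cookie
    field is produced; the CR simply remains inside the X-header value.
    """
    lines = split_lines(raw, lone_cr_ends_line)
    if not lines or not lines[0].startswith(b"HTTP/"):
        raise ValueError("missing HTTP status line")

    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if line == b"":
            break  # blank line terminates the header block
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        key = name.strip().lower().decode("ascii")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


_CR_OR_LF = re.compile(r"[\r\n]")


def is_safe_header_value(value: str) -> bool:
    """Server-side rule from the quoted comment: reject CR and LF, each on its
    own as well as together, before placing a value in a response header.
    Checking only for CRLF (or only for LF) leaves browsers that honour a lone
    CR open to the injection shown above."""
    return _CR_OR_LF.search(value) is None


if __name__ == "__main__":
    for mode in (True, False):
        label = "lenient (lone CR ends line)" if mode else "strict"
        print(label, "->", parse_headers(RESPONSE, lone_cr_ends_line=mode))
    print("value safe to emit?", is_safe_header_value("foo\rSet-Cookie: var=exploit"))
```

Running it shows the lenient parse producing a separate `set-cookie` field with value `var=exploit`, while the strict parse yields a single `x-header` value with the CR embedded and no cookie at all; the value check rejects the repro string either way, which is the point of the quoted comment: the server must refuse both control characters, whichever line terminators a given browser accepts.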
 
Components: Internals>Network>HTTP
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Pri-3 Type-Bug
Removing security labels.

Comment 2 by mmenke@chromium.org, Jun 13 2016

Cc: eroman@chromium.org
Not sure why issue 157525 was closed, but I agree with eroman's comment - if we can get away with not line-breaking on CRs in HTTP response headers, we should do so.  The fact that Firefox does this is an indication that we may be able to follow suit.

Comment 3 by eroman@chromium.org, Jun 13 2016

I am also good with that (removing support for lone CR) if someone wants to do the leg work to measure and deploy.

In general we are at a point where we want to ratchet down more on spec-violating behaviors in HTTP parsing, if it can be done tastefully.

Comment 4 by mmenke@chromium.org, Jun 13 2016

Summary: CR alone in response header is treated as end-of-line. (was: Security: CR alone in response header is treated as end-of-line.)

Comment 5 by eroman@chromium.org, Jan 26 2017

Issue 685693 has been merged into this issue.

Comment 6 by eroman@chromium.org, Jan 26 2017

Status: Available (was: Unconfirmed)
Update: Everyone is supportive of removing support for lone CR.

As next steps we need to do some work to measure the compatibility impact, and survey what other User Agents allow today (our current data is years old).

Comment 7 by sheriffbot@chromium.org, Mar 9 2018

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -Hotlist-Recharge-Cold
Status: Available (was: Untriaged)

Comment 9 by mmenke@chromium.org, May 23 2018

Labels: Network-Triaged
Still nice to have.
Components: Internals>Network
Components: -Internals>Network>HTTP
