
Issue 724027


Issue metadata

Status: Assigned
Owner:
Buried. Ping if important.
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug

Blocking:
issue 720511




no longer possible to include invalid characters in http response with current apache

Project Member Reported by jochen@chromium.org, May 18 2017

Issue description

Even with "HttpProtocolOptions Unsafe", Apache will refuse to send a response header that includes an invalid character, namely anything but a token character as defined in RFC 7230 section 3.2.6, or \n, \r, ' ' or \t.

Specifically, that means that http/tests/security/contentSecurityPolicy/directive-parsing-03.html and http/tests/security/contentSecurityPolicy/source-list-parsing-04.html now trigger an internal server error.
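
An added example (not part of the issue report and not Apache httpd code): a pre-flight check that applies the RFC 7230 section 3.2 header grammar to a raw response header block and reports the lines a strict server would refuse, so a test fixture that depends on such bytes can be found before it surfaces as an internal server error. The function names and the sample headers are constructed for illustration, and Apache's own check may differ in detail.

```python
import re

# RFC 7230 section 3.2.6: a field-name is a token made of these "tchar" octets.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def bad_value_octets(value: bytes):
    """Return (offset, octet) pairs that are not allowed in a field-value.

    Allowed per RFC 7230 section 3.2: VCHAR (0x21-0x7E), obs-text
    (0x80-0xFF), SP and HTAB. CR/LF are legal only as line endings or
    obs-fold, which audit_header_block() consumes before this runs.
    """
    return [(i, b) for i, b in enumerate(value)
            if not (b in (0x09, 0x20) or 0x21 <= b <= 0x7E or b >= 0x80)]


def audit_header_block(raw: bytes):
    """Return (field-name, problem) findings for a CRLF-separated header block."""
    findings = []
    # Unfold obs-fold: CRLF followed by SP/HTAB continues the previous line.
    unfolded = re.sub(rb"\r\n(?=[ \t])", b"", raw)
    for line in unfolded.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            findings.append((name, "field-name is not a token"))
            continue
        for offset, octet in bad_value_octets(value.strip(b" \t")):
            findings.append((name, f"octet 0x{octet:02x} at value offset {offset}"))
    return findings


# Constructed sample: a well-formed CSP header, a folded header, a CSP value
# carrying a vertical tab (0x0b), and a field-name containing a space.
SAMPLE = (b"Content-Security-Policy: script-src 'self'; img-src *\r\n"
          b"X-Folded: first\r\n\tsecond\r\n"
          b"Content-Security-Policy: script-src\x0b'none'\r\n"
          b"Bad Name: 1\r\n")

if __name__ == "__main__":
    for name, problem in audit_header_block(SAMPLE):
        print(name.decode("latin-1"), "->", problem)
```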
 

Comment 1 by jochen@chromium.org, May 18 2017

more background: https://httpd.apache.org/security/vulnerabilities_24.html#2.4.25 and CVE-2016-8743
Blocking: 720511
Marking blocking bug. Though, maybe we should migrate the remaining failing tests to this bug instead and close the other.

Comment 3 by jochen@chromium.org, May 18 2017

Yes, I think that makes sense.

Comment 4 by jochen@chromium.org, May 18 2017

Cc: dpranke@chromium.org
+dpranke

Dirk, it turns out that HttpProtocolOptions Unsafe is not enough to make the tests not cause an internal server error, so now that we tracked down the cause of the discrepancy, we can as well revert my patch again that adds the option, wdyt?
Project Member

Comment 5 by bugdroid1@chromium.org, May 18 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9ad27e95181462f0187240acd01a2737139aa94c

commit 9ad27e95181462f0187240acd01a2737139aa94c
Author: machenbach <machenbach@chromium.org>
Date: Thu May 18 12:20:01 2017

Change bug for some layout test expectations

BUG=720511,724027
NOTRY=true

Review-Url: https://codereview.chromium.org/2894573002
Cr-Commit-Position: refs/heads/master@{#472777}

[modify] https://crrev.com/9ad27e95181462f0187240acd01a2737139aa94c/third_party/WebKit/LayoutTests/TestExpectations

Project Member

Comment 6 by bugdroid1@chromium.org, Jun 23 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/22a36f75d658266ed6a61021c57834d70398a1b7

commit 22a36f75d658266ed6a61021c57834d70398a1b7
Author: tansell <tansell@chromium.org>
Date: Fri Jun 23 08:50:28 2017

LayoutTests: Disable two contentSecurityPolicy tests.

This test appears to be flaky everywhere.

BUG=724027
TBR=jochen@chromium.org,dpranke@chromium.org,mcgreevy@chromium.org,qyearsley@chromium.org,jeffcarp@chromium.org,mkwst@chromium.org,machenbach@chromium.org
NOTRY=true

Review-Url: https://codereview.chromium.org/2948373002
Cr-Commit-Position: refs/heads/master@{#481830}

[modify] https://crrev.com/22a36f75d658266ed6a61021c57834d70398a1b7/third_party/WebKit/LayoutTests/TestExpectations
