[Development] Newlines in XHR / QNetworkAccessManager headers

Thiago Macieira thiago.macieira at intel.com
Mon Oct 8 01:53:55 CEST 2012


On domingo, 7 de outubro de 2012 21.23.53, Mikko.Saario at nokia.com wrote:
> That's one debatable issue, but perhaps there is another more interesting
> case (at least in my opinion). I can also add newlines ("\n" or "\r\n") and
> thus spoof any header, even without that all-caps shouting. This time I
> added the new stuff (still in QML + JS) into the value side of the header
> (also works on the Header part, but then it's all caps [which I suppose
> should not make a difference really]) (interestingly, this attack vector
> did not succeed when I tried supplying malicious input via QML TextInput,
> as the newlines were printed as "\n" [which is good - a header value
> something\nReferer:abc is of no use for an attacker]):
> 
> xhr.setRequestHeader("Origin","http://www.google.fi\nReferer:http://www.google.fi/whatever");
> 
> and this results in the HTTP ===>
> 
> ORIGIN: http://www.google.fi
> Referer: http://www.google.fi/whatever

This looks like a bug. First of all, QNAM should do something about it, so 
that the newline is correctly escaped -- if there's such a thing as escaped 
newlines. If there isn't such a thing, we might have to add to the 
documentation that the behaviour is undefined.

As for accessing this from untrusted sources, like JS scripts running on web 
pages, WebKit should do the validation. If it doesn't do that, it's a security 
issue.

> Small bug or something else?

If you find that it's a security issue, contact us at security at qt-project.org 
so we can deal with it.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
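The check Thiago says the caller (WebKit, or QNAM itself) should perform, sketched here as an added example in plain C++ rather than Qt code: a header name must be an RFC 7230 token and a value must contain no CR/LF or other control characters, so the "Origin" value from the thread cannot spill into a forged "Referer:" line. The function names isValidHeaderName, isValidHeaderValue and buildHeaderLine are chosen for this example and are not Qt API.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// RFC 7230 "tchar": a field-name must be a non-empty token. Spaces, ':' and
// control characters are rejected, so a name cannot carry a line break either.
bool isValidHeaderName(const std::string& name) {
    static const std::string tcharPunct = "!#$%&'*+-.^_`|~";
    if (name.empty()) return false;
    for (unsigned char c : name) {
        if (std::isalnum(c) || tcharPunct.find(static_cast<char>(c)) != std::string::npos)
            continue;
        return false;
    }
    return true;
}

// A field-value may hold visible characters, spaces and HTAB, but no CR, LF,
// NUL or other control characters. An embedded CR/LF is exactly what lets one
// header value terminate the line and start a second, attacker-chosen header.
bool isValidHeaderValue(const std::string& value) {
    for (unsigned char c : value) {
        if (c == '\r' || c == '\n') return false;   // line terminator: injection
        if (c < 0x20 && c != '\t') return false;    // other C0 controls, incl. NUL
        if (c == 0x7f) return false;                // DEL
    }
    return true;
}

// Returns "Name: value\r\n" when both parts pass validation, otherwise an empty
// string so the caller can refuse the header instead of serialising it.
std::string buildHeaderLine(const std::string& name, const std::string& value) {
    if (!isValidHeaderName(name) || !isValidHeaderValue(value)) return std::string();
    return name + ": " + value + "\r\n";
}

int main() {
    // Constructed input mirroring the thread's example: an LF inside the value.
    const std::string spoofed = "http://www.google.fi\nReferer:http://www.google.fi/whatever";
    std::cout << "spoofed value accepted? "
              << (buildHeaderLine("Origin", spoofed).empty() ? "no" : "yes") << "\n";
    std::cout << "plain value accepted?   "
              << (buildHeaderLine("Origin", "http://www.google.fi").empty() ? "no" : "yes") << "\n";
    return 0;
}
```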