Bug 1453318 - Disallow responses when a response header value contain…

…s 0x00; r=kershaw,sunil,necko-reviewers

Differential Revision: https://phabricator.services.mozilla.com/D185160

dom/base/domerr.msg

@@ -126,6 +126,7 @@ DOM4_MSG_DEF(NotSupportedError, "The media resource indicated by the src attribu
 
 DOM4_MSG_DEF(SyntaxError, "The URI is malformed.", NS_ERROR_DOM_MALFORMED_URI)
 DOM4_MSG_DEF(SyntaxError, "Invalid header name.", NS_ERROR_DOM_INVALID_HEADER_NAME)
+DOM4_MSG_DEF(SyntaxError, "Invalid header value.", NS_ERROR_DOM_INVALID_HEADER_VALUE)
 
 /* XMLHttpRequest errors. */
 DOM4_MSG_DEF(InvalidStateError, "XMLHttpRequest has an invalid context.", NS_ERROR_DOM_INVALID_STATE_XHR_HAS_INVALID_CONTEXT)

modules/libpref/init/StaticPrefList.yaml

@@ -12643,6 +12643,12 @@
   value: 5
   mirror: always
 
+  # If true, requests will be canceled if any of the response headers values has a NUL character
+- name: network.http.reject_NULs_in_response_header_values
+  type: RelaxedAtomicBool
+  value: true
+  mirror: always
+
   # If true, remove the resumption token when 0RTT failed.
 - name: network.http.remove_resumption_token_when_early_data_failed
   type: RelaxedAtomicBool

netwerk/protocol/http/nsHttpResponseHead.cpp

@@ -7,6 +7,7 @@
 // HttpLog.h should generally be included first
 #include "HttpLog.h"
 
+#include "mozilla/StaticPrefs_network.h"
 #include "mozilla/Unused.h"
 #include "nsHttpResponseHead.h"
 #include "nsIHttpHeaderVisitor.h"
@@ -594,6 +595,14 @@ nsresult nsHttpResponseHead::ParseHeaderLine_locked(
           line, &hdr, &headerNameOriginal, &val))) {
     return NS_OK;
   }
+
+  // reject the header if there are 0x00 bytes in the value.
+  // (see https://github.com/httpwg/http-core/issues/215 for details).
+  if (StaticPrefs::network_http_reject_NULs_in_response_header_values() &&
+      val.FindChar('\0') >= 0) {
+    return NS_ERROR_DOM_INVALID_HEADER_VALUE;
+  }
+
   nsresult rv;
   if (originalFromNetHeaders) {
     rv = mHeaders.SetHeaderFromNet(hdr, headerNameOriginal, val, true);

testing/web-platform/meta/cookies/name/name-ctl.html.ini

@@ -14,33 +14,6 @@
   [Cookie with %x7f in name is rejected (DOM).]
     expected: FAIL
 
-  [Cookie with %x0 in name is rejected or modified (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x1 in name is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x2 in name is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x3 in name is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x4 in name is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x5 in name is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x6 in name is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x7 in name is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x8 in name is rejected (HTTP).]
-    expected: FAIL
-
   [Cookie with %x9 in name is accepted (HTTP).]
     expected: FAIL
 

testing/web-platform/meta/cookies/name/name.html.ini

@@ -210,13 +210,25 @@
     expected: FAIL
 
   [Set a nameless cookie (that has an = in its value)]
-    expected: FAIL
+    expected:
+      if (os == "mac") and not debug: FAIL
+      if os == "android": FAIL
+      [FAIL, PASS]
 
   [Set a nameless cookie (that has multiple ='s in its value)]
-    expected: FAIL
+    expected:
+      if (os == "mac") and not debug: FAIL
+      if os == "android": FAIL
+      [FAIL, PASS]
 
   [Set a nameless cookie]
-    expected: FAIL
+    expected:
+      if (os == "mac") and not debug: FAIL
+      if os == "android": FAIL
+      [FAIL, PASS]
 
   [Set valueless cookie to its name with empty value]
-    expected: FAIL
+    expected:
+      if (os == "mac") and not debug: FAIL
+      if os == "android": FAIL
+      [FAIL, PASS]

testing/web-platform/meta/cookies/value/value-ctl.html.ini

@@ -8,36 +8,6 @@
   [Cookie with %xd in value is rejected (DOM).]
     expected: FAIL
 
-  [Cookie with %x0 in name is rejected or modified (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x1 in value is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x2 in value is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x3 in value is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x4 in value is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x5 in value is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x6 in value is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x7 in value is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x8 in value is rejected (HTTP).]
-    expected: FAIL
-
-  [Cookie with %x9 in value is accepted (HTTP).]
-    expected: FAIL
-
   [Cookie with %xa in name is rejected or modified (HTTP).]
     expected: FAIL
 

testing/web-platform/meta/fetch/h1-parsing/resources-with-0x00-in-header.window.js.ini

@@ -1,11 +1,5 @@
 [resources-with-0x00-in-header.window.html]
   expected:
     if (os == "android") and fission: [OK, TIMEOUT]
-  [Expect network error for image with 0x00 in a header]
-    expected: FAIL
-
   [Expect network error for frame navigation to resource with 0x00 in a header]
     expected: FAIL
-
-  [Expect network error for script with 0x00 in a header]
-    expected: FAIL

testing/web-platform/meta/xhr/headers-normalize-response.htm.ini

@@ -1,14 +1,3 @@
 [headers-normalize-response.htm]
   expected:
     if (os == "android") and fission: [OK, TIMEOUT]
-  [Header value: hello\\0world]
-    expected: FAIL
-
-  [Header value: \\0hello world]
-    expected: FAIL
-
-  [Header value: \\0]
-    expected: FAIL
-
-  [Header value: hello world\\0]
-    expected: FAIL

xpcom/base/ErrorList.py

@@ -752,6 +752,8 @@ def SUCCESS(code):
     # https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policies
     errors["NS_ERROR_DOM_COOP_FAILED"] = FAILURE(1041)
 
+    errors["NS_ERROR_DOM_INVALID_HEADER_VALUE"] = FAILURE(1042)
+
     # May be used to indicate when e.g. setting a property value didn't
     # actually change the value, like for obj.foo = "bar"; obj.foo = "bar";
     # the second assignment throws NS_SUCCESS_DOM_NO_OPERATION.