Bugzilla@Mozilla – Bug 552090
XHR Cross Site Status leak from xhr.statusText
Last modified: 2010-09-27 18:25:11 PDT
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8

content/base/src/nsXMLHttpRequest.cpp: GetStatus() checks for a leak of status information from denied cross-site requests, but GetStatusText() does not.

    nsXMLHttpRequest::GetStatus(PRUint32 *aStatus)
    {
      *aStatus = 0;

      if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
        // Make sure we don't leak status information from denied cross-site
        // requests.
        if (mChannel) {
          nsresult status;
          mChannel->GetStatus(&status);
          if (NS_FAILED(status)) {
            return NS_OK;
          }
        }
      }
      // (remainder of GetStatus() not quoted in the report)

    nsXMLHttpRequest::GetStatusText(nsACString& aStatusText)
    {
      nsCOMPtr<nsIHttpChannel> httpChannel = GetCurrentHttpChannel();

      aStatusText.Truncate();

      nsresult rv = NS_OK;

      if (httpChannel) {
        rv = httpChannel->GetResponseStatusText(aStatusText);
      }

      return rv;
    }

Reproducible: Always
Created attachment 432251 [details] [review] Fix The fix here is pretty trivial. sicking asked me to not throw if we didn't have an http channel because we currently don't throw at all in that case.
Comment on attachment 432251 [details] [review] Fix Thanks!
This should block the next branch release - please request patch approval once it's baked.
http://hg.mozilla.org/mozilla-central/rev/637a23219852 I'm also lowering the severity of this. The statusText field only exposes whether or not a server exists, and there exist timing based attacks to expose the same information. dveditz, bsterne, please tell me if I'm off base here.
This issue was separately reported to security@ by Nicholas B. <nberthaume@gmail.com>. Nominating for branches.
> The statusText field only exposes whether or not a server exists

Not quite; it can expose some details of the server's setup too.
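The leak the original report describes, and the follow-up point that statusText reveals more than bare existence, as an added example that is not part of the bug or of Mozilla's code. It models pre-fix and post-fix behaviour with a FakeXMLHttpRequest over a constructed table of hosts (intranet.example, admin.example, printer.example, nothing-here.example and attacker.example are all assumed names); a real probe against an unfixed browser would use XMLHttpRequest with the same loop.

```javascript
"use strict";

// Constructed answers for each probed URL. None of them sends
// Access-Control-Allow-Origin, so every cross-site request is denied by the
// access-control check and the channel ends up failed (the NS_FAILED(status)
// branch in GetStatus()). `reachable: false` models a host that does not exist.
const TARGETS = {
  "http://intranet.example/":     { reachable: true,  status: 200, statusText: "OK" },
  "http://admin.example/login":   { reachable: true,  status: 401, statusText: "Unauthorized" },
  "http://printer.example/":      { reachable: true,  status: 404, statusText: "Not Found" },
  "http://nothing-here.example/": { reachable: false },
};

// Simulated XMLHttpRequest as seen from a page at http://attacker.example/.
// `fixed` selects the behaviour after the patch (statusText guarded like status).
class FakeXMLHttpRequest {
  constructor(fixed) {
    this.fixed = fixed;
    this.crossSite = false;     // corresponds to XML_HTTP_REQUEST_USE_XSITE_AC
    this.channelFailed = false; // corresponds to NS_FAILED(mChannel->GetStatus())
    this.response = null;
  }

  open(method, url) {
    this.crossSite = !url.startsWith("http://attacker.example/");
    this.response = TARGETS[url] || { reachable: false };
  }

  send() {
    // A denied cross-site request fails the channel whether or not the server
    // answered; an unreachable host fails it as well.
    this.channelFailed = this.crossSite || !this.response.reachable;
  }

  // GetStatus(): zero for any denied cross-site request, so it leaks nothing.
  get status() {
    if (this.crossSite && this.channelFailed) return 0;
    return this.response.reachable ? this.response.status : 0;
  }

  // Pre-fix GetStatusText(): hands back whatever the HTTP channel holds, so a
  // denied request to a live host still yields "OK", "Unauthorized", etc.
  // Post-fix: the same guard as GetStatus() applies and the text is truncated.
  get statusText() {
    if (this.fixed && this.crossSite && this.channelFailed) return "";
    return this.response.reachable ? this.response.statusText : "";
  }
}

// What the attacker page learns about each host. status is 0 in every case;
// only statusText separates "no server" from "server, and here is its reply".
function probe(urls, fixed) {
  const result = {};
  for (const url of urls) {
    const xhr = new FakeXMLHttpRequest(fixed);
    xhr.open("GET", url);
    xhr.send();
    result[url] = {
      status: xhr.status,
      statusText: xhr.statusText,
      serverExists: xhr.statusText !== "",
    };
  }
  return result;
}

// Count how many hosts the probe can distinguish from "nothing there".
function hostsExposed(urls, fixed) {
  return Object.values(probe(urls, fixed)).filter((r) => r.serverExists).length;
}
```

Pre-fix, the probe reports three of the four constructed hosts as existing and distinguishes a login-protected admin host ("Unauthorized") from a plain web root ("OK") and a missing path on a live host ("Not Found"), which is the "details of the server's setup" mentioned above. Post-fix every entry comes back with status 0 and an empty statusText, the same as an unreachable host.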
Comment on attachment 432251 [details] [review] Fix Approved for 1.9.2.8 and 1.9.1.12, a=dveditz for release-drivers
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/b80930b974b0
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/5e36cfa5f256
Verified for 1.9.1 and 1.9.2 based on the updated checked-in tests.