On 7/3/13 11:44 AM, Stefan Arentz wrote:
> The "Multipart MIME Responses" bit is really interesting. So if I understand
> correctly:
>
> 1) a server under control of an attacker can send a multipart response with
> multiple HTML parts
>
> 2) we ignore all parts except the *last* one (which is probably the right thing
> to do)

This is not the case. If a multipart response is sent, we will render
all the parts one after another.

For example, you can send a multipart in which the first part is an HTML
page that says "wait for the next part", the second a .doc that will get
handed off to a helper app, and the third is an HTML page that says "all
done".

You can see this by going to
https://bugzilla.mozilla.org/buglist.cgi?quicksearch=foo and noting that
the "please wait while your bugs are retrieved" part with the animated
dino is shown until the second part with the actual buglist comes in.

> 3) malware detection proxies/filters might ignore all parts except the *first*
> one

Those would be some pretty broken filters. :( Doesn't mean they don't
exist, of course.

> I don’t know if this is a common technique that is used in the wild. If it is
> then we might want to consider changing our logic for multipart and render the
> *first* part received.

Websites depend on all the parts being rendered. Or at least websites
certainly depend on the "hand off some parts to helper apps, then show
the last HTML part" behavior.
-Boris
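
The three-part response described in the message above, run through a filter-side check (an added example, not part of the original thread and not Mozilla code). It uses Python's `email` parser as a stand-in for an HTTP multipart parser; the sample body, the `INLINE_TYPES` allowlist and the function names are assumptions made for illustration.

```python
from email import message_from_bytes

# Types assumed to render inline; anything else is treated as a helper-app
# hand-off that the filter must scan. This allowlist is an assumption.
INLINE_TYPES = {"text/html", "text/plain"}

# Constructed sample body: HTML, then a .doc, then HTML, as in the thread.
SAMPLE_CTYPE = 'multipart/x-mixed-replace; boundary="constructed-boundary"'
SAMPLE_BODY = (
    b"--constructed-boundary\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<p>wait for the next part</p>\r\n"
    b"--constructed-boundary\r\n"
    b"Content-Type: application/msword\r\n\r\n"
    b"CONSTRUCTED-DOC-BYTES\r\n"
    b"--constructed-boundary\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<p>all done</p>\r\n"
    b"--constructed-boundary--\r\n"
)


def split_parts(content_type: str, body: bytes):
    """Return (content_type, payload) for every leaf part of the response."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = message_from_bytes(raw)
    # walk() also descends into nested multiparts, so no leaf part is skipped.
    return [(p.get_content_type(), p.get_payload(decode=True) or b"")
            for p in msg.walk() if not p.is_multipart()]


def parts_to_scan(parts, first_only=False):
    """Indexes of parts that are not inline-rendered and so need scanning."""
    considered = parts[:1] if first_only else parts
    return [i for i, (ctype, _) in enumerate(considered)
            if ctype not in INLINE_TYPES]


if __name__ == "__main__":
    parts = split_parts(SAMPLE_CTYPE, SAMPLE_BODY)
    for i, (ctype, payload) in enumerate(parts):
        print(i, ctype, len(payload), "bytes")
    # A filter that stops after the first part never sees the .doc.
    print("first-part-only filter scans:", parts_to_scan(parts, first_only=True))
    print("every-part filter scans:", parts_to_scan(parts))
```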