On Tue, 23 Jul 2002 15:24:44 -0700, John Gardiner Myers <[EMAIL PROTECTED]> wrote:

> To respond to recent comments in bug 71916 asking for that fix to be
> backed out:

I got that fix checked in a few hours after the initial gopher support was committed, after some people on IRC pointed out the issues.

> As for HTTP GET, there is no way I know of for an attacker to get an
> HTTP client to insert a newline before attacker-supplied text. Newlines
> in URLs are encoded as %0a over the HTTP protocol. If there is such a
> way, that should be reported through the relevant client's security bug
> reporting procedure.

See the CERT advisory http://www.kb.cert.org/vuls/id/476267 and the paper at http://www.remote.org/jochen/sec/hfpa/hfpa.pdf as well as bug 83401.

> The URL gopher://www:80/0GET%20/%20HTTP/1.0%0D%0A is an attack, not a
> feature. That URL is requesting to bypass any HTTP policies implemented
> either in the client or its HTTP proxy.

Right, which was why that is blocked.

Note that removing the explicit fixing to port 70 would still block all the ports listed at http://lxr.mozilla.org/seamonkey/source/netwerk/base/src/nsIOService.cpp#87 since bug 83401 was fixed (which was done after bug 71916).

Bradley
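As an added example, not part of this thread and not Mozilla's code, the following Python models the two mitigations the thread discusses: rejecting gopher selectors that percent-decode to CR/LF (or any other control character), and either pinning gopher to port 70 or refusing a restricted-port list. It also shows why the same URL is harmless over HTTP, where the path goes on the wire still percent-encoded. The BLOCKED_PORTS set is a constructed sample, not the list from nsIOService.cpp, and all function names are my own.

```python
"""
Added example (not from the mailing-list thread, not Mozilla code).

A gopher client takes the selector part of the URL, percent-decodes it and
writes it to the server followed by CRLF. If %0D%0A is allowed to survive
in the decoded selector, the client can be made to emit a multi-line
payload to an arbitrary host:port, which is the gopher -> HTTP request
injection the thread refers to. An HTTP client, by contrast, sends the
request path still percent-encoded, so %0D%0A never becomes a line break.
"""
from urllib.parse import urlsplit, unquote

# Constructed sample of a restricted-port policy (an assumption for this
# example; the real list lives in nsIOService.cpp, linked in the thread).
BLOCKED_PORTS = {21, 23, 25, 80, 110, 119, 143, 443}
GOPHER_DEFAULT_PORT = 70


class UnsafeGopherURL(ValueError):
    """Raised when a gopher URL would violate the policy below."""


def parse_gopher_url(url):
    """Return (host, port, item_type, decoded_selector) for a gopher:// URL.

    Per RFC 4266 the path is "/" + one-character item type + selector.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "gopher":
        raise UnsafeGopherURL("not a gopher URL")
    if not parts.hostname:
        raise UnsafeGopherURL("missing host")
    try:
        port = parts.port
    except ValueError as exc:
        raise UnsafeGopherURL("invalid port") from exc
    if port is None:
        port = GOPHER_DEFAULT_PORT
    path = parts.path
    if len(path) < 2:
        item_type, raw_selector = "1", ""  # bare host: root menu
    else:
        item_type, raw_selector = path[1], path[2:]
    # This decode step is what lets %0D%0A turn into a real CRLF.
    return parts.hostname, port, item_type, unquote(raw_selector)


def check_gopher_url(url, allow_non_default_port=False):
    """Enforce the two fixes the thread describes and return the bytes the
    client would write (selector + CRLF), or raise UnsafeGopherURL.

    1. The decoded selector must contain no control characters, so it can
       never carry an extra line onto the wire.
    2. Gopher is pinned to port 70; if non-default ports are allowed at
       all, restricted ports are still refused.
    """
    host, port, item_type, selector = parse_gopher_url(url)
    if any(ord(c) < 0x20 or c == "\x7f" for c in selector):
        raise UnsafeGopherURL("control character in decoded selector")
    if allow_non_default_port:
        if port in BLOCKED_PORTS:
            raise UnsafeGopherURL("port %d is restricted" % port)
    elif port != GOPHER_DEFAULT_PORT:
        raise UnsafeGopherURL("gopher is pinned to port %d" % GOPHER_DEFAULT_PORT)
    return selector + "\r\n"


def is_safe_gopher_url(url, allow_non_default_port=False):
    """Boolean wrapper around check_gopher_url for policy decisions."""
    try:
        check_gopher_url(url, allow_non_default_port)
        return True
    except UnsafeGopherURL:
        return False


def http_request_line(url):
    """Simplified model of what an HTTP client puts on the wire: the path
    is sent percent-encoded as given, so %0D%0A in the URL cannot become a
    line break in the request. This is the point John makes above."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return "GET " + path + " HTTP/1.0\r\n"


if __name__ == "__main__":
    # Constructed sample URLs; "www" and "gopher.example" are placeholders.
    samples = [
        "gopher://www:80/0GET%20/%20HTTP/1.0%0D%0A",   # the URL from the thread
        "gopher://gopher.example/0/docs/readme.txt",   # ordinary gopher fetch
        "gopher://gopher.example:8070/0/x",            # non-default, unrestricted port
    ]
    for u in samples:
        print(u, "->", "allowed" if is_safe_gopher_url(u, True) else "rejected")
    print(repr(http_request_line("http://www/%0D%0Ax")))
```

With the default policy (port pinned to 70) the thread's URL is rejected on two counts: its decoded selector contains CRLF, and it targets port 80. With `allow_non_default_port=True` it is still rejected by both the control-character check and the restricted-port list, which matches the observation that removing the port-70 pin alone would still block the listed ports.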
