From 4ed26484eef998d6e67d73cf8e0a3737007169ee Mon Sep 17 00:00:00 2001 From: Moonchild Date: Sun, 25 Dec 2022 11:42:42 +0000 Subject: Issue #2070 - When multiple HSTS headers are received, only consider the first. This implements a plain interpretations of RFC 6797, which says to only consider the first HSTS header. This slightly conflicts with RFC 7230, which says that sending multiple headers which can't be merged is illegal (except for a specific whitelist which HSTS isn't in), so this situation should never occur in the first place (and would therefore not need the explicit entry in RFC 6797). It improves HSTS robustness dealing with non-compliant servers. Resolves #2070 --- netwerk/protocol/http/nsHttpHeaderArray.h | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) (limited to 'netwerk/protocol/http/nsHttpHeaderArray.h') diff --git a/netwerk/protocol/http/nsHttpHeaderArray.h b/netwerk/protocol/http/nsHttpHeaderArray.h index cfa7fc6a81..b65b36fcdd 100644 --- a/netwerk/protocol/http/nsHttpHeaderArray.h +++ b/netwerk/protocol/http/nsHttpHeaderArray.h @@ -160,6 +160,8 @@ private: // Header cannot be merged: only one value possible bool IsSingletonHeader(nsHttpAtom header); + // Header cannot be merged, and subsequent values should be ignored + bool IsIgnoreMultipleHeader(nsHttpAtom header); // For some headers we want to track empty values to prevent them being // combined with non-empty ones as a CRLF attack vector bool TrackEmptyHeader(nsHttpAtom header); @@ -231,7 +233,22 @@ nsHttpHeaderArray::IsSingletonHeader(nsHttpAtom header) header == nsHttp::If_Unmodified_Since || header == nsHttp::From || header == nsHttp::Location || - header == nsHttp::Max_Forwards; + header == nsHttp::Max_Forwards || + // Ignore-multiple-headers are singletons in the sense that they + // shouldn't be merged. + IsIgnoreMultipleHeader(header); +} + +// These are headers for which, in the presence of multiple values, we only +// consider the first. +inline bool nsHttpHeaderArray::IsIgnoreMultipleHeader(nsHttpAtom header) +{ + // https://tools.ietf.org/html/rfc6797#section-8: + // + // If a UA receives more than one STS header field in an HTTP + // response message over secure transport, then the UA MUST process + // only the first such header field. + return header == nsHttp::Strict_Transport_Security; } inline bool -- cgit v1.2.3