On Wednesday, September 21, 2011 10:20:45 PM ext Jarred Nicholls wrote:
> Hey qtwebkittens,
>
> So we found an interesting HTTP header injection vulnerability with the
> QWebPage::userAgentForUrl API - see
> https://bugs.webkit.org/show_bug.cgi?id=68560. As suggested by jeez, I'm
> posting this finding on the mailing list so it's not lost in the ether and
> any others can chime in.
>
> Not too sure where the permanent guard belongs, but I'm planning on adding a
> test case and a temp patch to FrameLoaderClientQt.cpp to protect this one
> scenario. I'll follow up by scouring the API to see if any other relevant
> vulnerabilities exist.
My feeling is that the best place to protect against this is at the PhantomJS level. If you have access to the memory of the process and the QtWebKit API, you can do a lot worse things than that :). I mean, we can't add a protection against QWebPage::setNetworkAccessManager, right?

In other words: the user of an API is trusted, also because he has access to the process memory anyway. The content downloaded from the network cannot be trusted. Do you trust the scripts executed in PhantomJS?

Simon

_______________________________________________
webkit-qt mailing list
webkit-qt@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-qt
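As an added illustration of the kind of guard Jarred describes (example code written for this page, not code from QtWebKit, PhantomJS, or either poster): a header-value check in plain standard C++ that rejects a user-agent string containing CR, LF or other control bytes before it is placed on the User-Agent request line, so an application-supplied value can never terminate that line and start another header. The function names, the fallback string and the sample values are constructed for this example and do not correspond to the actual FrameLoaderClientQt.cpp patch.

```cpp
#include <cstdio>
#include <string>

// Returns true if `value` is a safe single-line HTTP header field value:
// no CR/LF (either would end the header line) and no other control bytes.
// Horizontal tab is accepted because RFC 7230 permits it inside field values.
bool isSafeHeaderValue(const std::string& value) {
    for (unsigned char c : value) {
        if (c == '\r' || c == '\n') return false;
        if (c < 0x20 && c != '\t') return false;
        if (c == 0x7f) return false;
    }
    return true;
}

// Model of the guard at the point where an API-supplied user agent becomes
// the User-Agent request header (hypothetical helper, not a Qt/WebKit API):
// fall back to a known-good default instead of emitting an unsafe value.
std::string guardedUserAgent(const std::string& fromApi, const std::string& fallback) {
    return isSafeHeaderValue(fromApi) ? fromApi : fallback;
}

int main() {
    // Constructed sample values for the demonstration.
    const std::string fallback = "Mozilla/5.0 (ExampleBrowser)";
    const std::string ok = "MyApp/1.0";
    const std::string bad = "MyApp/1.0\r\nX-Example: injected"; // contains CRLF, must be rejected
    std::printf("safe value  -> %s\n", guardedUserAgent(ok, fallback).c_str());
    std::printf("unsafe value -> %s\n", guardedUserAgent(bad, fallback).c_str());
    return 0;
}
```

Rejecting control bytes at the boundary where the application value enters the request (rather than trying to escape them) is the simplest check that holds regardless of how the caller obtained the string; it addresses the header-splitting case without changing what a well-formed user agent looks like.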