- From: <bugzilla@wiggum.w3.org>
- Date: Thu, 11 Mar 2010 09:28:48 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=9225

Summary: lax interpretation of legacy encoding decl allows attackers to change encoding of a page
Product: HTML WG
Version: unspecified
Platform: PC
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: HTML5 spec bugs
AssignedTo: dave.null@w3.org
ReportedBy: simonp@opera.com
QAContact: public-html-bugzilla@w3.org
CC: ian@hixie.ch, mike@w3.org, public-html@w3.org

The spec says to look at content='' on each meta and try to interpret it as an encoding decl, even if it doesn't have http-equiv=content-type.

This allows attackers to change the encoding if a page allows text to be inserted in a <meta name=description content='...'> (or keywords, author, etc). This can cause scripts to execute twice or change the meaning of URLs and form submission.

Maybe we should require http-equiv=content-type (possibly also other combinations if compat requires e.g. name=content-type or http-equiv=contenttype).

Discussion at http://krijnhoetmer.nl/irc-logs/whatwg/20100311#l-184

--
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Thursday, 11 March 2010 09:28:50 UTC
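The difference between the lax rule the report describes and the stricter rule it proposes can be checked on a page with a short scan. This is an added example, not part of the bug report or of the spec: the `charset=` regex is a simplified stand-in for the spec's extraction step, the names `charset_from_content`, `MetaPrescan` and `prescan` are hypothetical, and the sample page and its encoding labels are constructed.

```python
import re
from html.parser import HTMLParser

# Simplified "charset=" extraction: quoted label, or up to whitespace/semicolon.
CHARSET_RE = re.compile(
    r"""charset\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s;"']+))""", re.I)

def charset_from_content(content):
    """Return the lowercased label after 'charset=' in a content value, or None."""
    m = CHARSET_RE.search(content or "")
    if not m:
        return None
    label = next(g for g in m.groups() if g is not None)
    return label.strip().lower() or None

class MetaPrescan(HTMLParser):
    """Record (line, label, is_declaration) for each meta that yields a label."""
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        # Reversed so that the first of any duplicated attribute wins.
        a = {k: v or "" for k, v in reversed(attrs)}
        if a.get("charset"):
            self.seen.append((self.getpos()[0], a["charset"].strip().lower(), True))
            return
        label = charset_from_content(a.get("content"))
        if label:
            pragma = a.get("http-equiv", "").strip().lower() == "content-type"
            self.seen.append((self.getpos()[0], label, pragma))

def prescan(html, require_pragma):
    """First encoding label found; lax mode accepts content='' on any meta."""
    p = MetaPrescan()
    p.feed(html)
    p.close()
    for _line, label, is_decl in p.seen:
        if is_decl or not require_pragma:
            return label
    return None

# Constructed sample: the description value stands for text supplied by a user.
SAMPLE = """<!doctype html>
<html><head>
<meta name="description" content="user supplied text; charset=windows-1251">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head><body></body></html>"""

if __name__ == "__main__":
    print(prescan(SAMPLE, require_pragma=False), prescan(SAMPLE, require_pragma=True))
```

A page where the two modes disagree is one whose encoding is decided by the description text under the lax rule; escaping or rejecting `charset=` in user-supplied meta values, or emitting the real declaration first, removes the disagreement.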