- From: John Wilander <notifications@github.com>
- Date: Tue, 06 Sep 2016 16:25:44 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/382@github.com>
Fetch only restricts Content-Type request values beyond field-content token production: https://fetch.spec.whatwg.org/#cors-safelisted-request-header

This means simple CORS requests can send unexpected characters in Accept, Accept-Language, and Content-Language header values. As an example, header value "() { :;};" could exploit the infamous Shellshock server vulnerability from 2014 (http://www.cvedetails.com/cve/cve-2014-6271).

RFC 7231 does not allow "() { :;};" as a value for these headers from what I can tell:

- Accept https://tools.ietf.org/html/rfc7231#section-5.3.2
- Accept-Language https://tools.ietf.org/html/rfc7231#section-5.3.5
- Content-Language https://tools.ietf.org/html/rfc7231#section-3.1.3.2

So far browsers have not restricted these headers and so server backends have to do the validation. I suggest we close this payload delivery mechanism in the Fetch spec.

This was briefly discussed at the W3C WebAppSec meeting May 17, 2016: https://www.w3.org/2011/webappsec/minutes/2016-05-17-webappsec-minutes.html#item08
Received on Tuesday, 6 September 2016 23:26:13 UTC
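The server-side validation the issue says backends currently have to do, as an added example that is not code from the issue, the Fetch spec or any browser: it checks Accept, Accept-Language and Content-Language values against the RFC 7231 list grammars (the quoted-string parameter and language-tag productions are simplified, as noted in the comments) and flags values such as the one quoted above. The sample requests are constructed.

```python
import re

# Grammar fragments from RFC 7230/7231. QUOTED_STRING follows the qdtext/quoted-pair
# rules; the language patterns are a simplification of RFC 4647/5646 (assumption).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
OWS = r"[ \t]*"
QVALUE = r"(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)"
# media-range plus any ';' parameters; '*' is a token char, so '*/*' and 'text/*'
# are covered by TOKEN/TOKEN, and the q= weight is just another parameter here.
MEDIA_RANGE = rf"{TOKEN}/{TOKEN}(?:{OWS};{OWS}{TOKEN}=(?:{TOKEN}|{QUOTED_STRING}))*"
LANGUAGE_RANGE = rf"(?:\*|[A-Za-z]{{1,8}}(?:-[A-Za-z0-9]{{1,8}})*)(?:{OWS};{OWS}[qQ]={QVALUE})?"
LANGUAGE_TAG = r"[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*"

# Element grammar for each of the three safelisted headers discussed in the issue.
ELEMENT_GRAMMAR = {
    "accept": re.compile(MEDIA_RANGE),
    "accept-language": re.compile(LANGUAGE_RANGE),
    "content-language": re.compile(LANGUAGE_TAG),
}


def header_value_is_valid(name: str, value: str) -> bool:
    """Check one header value against the RFC 7231 comma-separated list grammar.

    Splitting on ',' means a quoted parameter that itself contains a comma is
    rejected; that is a conservative simplification of the #rule (assumption).
    An empty list carries nothing to validate and is accepted.
    """
    grammar = ELEMENT_GRAMMAR.get(name.lower())
    if grammar is None:
        return True  # some other header; outside the scope of this check
    elements = [e.strip(" \t") for e in value.split(",")]
    elements = [e for e in elements if e]  # the #rule tolerates empty elements
    return all(grammar.fullmatch(e) for e in elements)


def reject_malformed_safelisted_headers(headers: dict) -> list:
    """Return the names of headers whose values fall outside the grammar, so the
    request can be refused before a value reaches a shell or other interpreter."""
    return [n for n, v in headers.items() if not header_value_is_valid(n, v)]


if __name__ == "__main__":
    # Constructed requests: an ordinary browser request, and one carrying the
    # non-token value quoted in the issue in each of the three headers.
    benign = {"Accept": "text/html, application/xhtml+xml, */*;q=0.8",
              "Accept-Language": "en-US,en;q=0.5", "Content-Language": "mi, en"}
    suspicious = {"Accept": "() { :;};", "Accept-Language": "() { :;};",
                  "Content-Language": "() { :;};"}
    print(reject_malformed_safelisted_headers(benign))      # []
    print(reject_malformed_safelisted_headers(suspicious))  # all three names
```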