W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2011

Re: [cors] Legacy Servers: POST Body Format

From: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
Date: Wed, 03 Aug 2011 11:03:50 +0200
To: Anne van Kesteren <annevk@opera.com>
Cc: public-webapps@w3.org, Giles Hogben <Giles.Hogben@enisa.europa.eu>, Lieven Desmet <Lieven.Desmet@cs.kuleuven.be>
Message-ID: <1312362230.25950.12.camel@papyrus>
On Tue, 2011-08-02 at 16:46 +0200, Anne van Kesteren wrote:
> On Mon, 01 Aug 2011 16:09:17 +0200, Philippe De Ryck  
> <philippe.deryck@cs.kuleuven.be> wrote:
> > The CORS specification fails to protect legacy servers from POST
> > messages with arbitrary body formatting.
> 
> You can create pretty much any arbitrary message body you want using  
> application/x-www-form-urlencoded already by crafting smart names and  
> values so the real importance is in not being able to set Content-Type.  
> This is not a security problem as far as I can tell.

Using a form still results in the use of = and & in the body, even with crafted names/values. Taking the ICS format as an example, this is very difficult to encode in a normal form, but very easy with cross-origin XHR. This can leave legacy servers open to a new attack vector.

	BEGIN:VCALENDAR
	VERSION:2.0
	PRODID:-//hacksw/handcal//NONSGML v1.0//EN
	BEGIN:VEVENT
	UID:uid1@example.com
	DTSTAMP:19970714T170000Z
	ORGANIZER;CN=John Doe:MAILTO:john.doe@example.com
	DTSTART:19970714T170000Z
	DTEND:19970715T035959Z
	SUMMARY:Bastille Day Party
	END:VEVENT
	END:VCALENDAR


-- 
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science


Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
Received on Wednesday, 3 August 2011 09:20:43 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:46 GMT