Re: [webappsec-testsuite] CORS tests and null bytes in origin

On Sun, Apr 14, 2013, at 2:12, Hill, Brad wrote:
> No worries.  I'm hacking at a Test The Web Forward event in Seattle
> today, and thought I'd try to work on some of the outstanding bugs in the
> CORS suite.
> 
> Also, I found out now that these tests appear to pass on the public
> server, but fail on the test VM.  Digging into it, I see it is because
> the public server completely strips the Access-Control-Allow-Origin
> header when it has a null byte (either the PHP or Apache version is
> different in this regard) but the VM, with a slightly different version
> of PHP and Apache, sends the header and strips the null byte.  
> 
> (see attached traces)
> 
> I think these tests are therefore even more questionable since they
> seem to depend on server behavior in this regard.

No, that is the wrong way to look at it :-)

It's not the tests that are wrong, it's the server setup then.

The W3C apache server is known to be useless for some parts of the CORS
tests.  That's why I have them on my own server.  I've had a power
outage since last time, and also I still haven't set up HTTPS, so some
tests are expected to fail because of that server setup.  But mostly the
OPTIONS tests that fail at the w3c-test.org server because of bad
configuration work from my server:

http://test.s0.no/w3c-tests/webappsec/tests/cors/submitted/opera/staging/testrunner.html


Also found out that these tests are not really all that tolerant to high
latency, and since that is running from my server behind the TV in my
childhood home - people far away from Europe might not always get the
best results :P

The fix is obviously to fix w3c-test.org, but last time it was a bit
hard.  Maybe there's fresh energy to start again on it now.



You should also check the report:
http://odinho.html5.org/CORS/testsuite-report.html

Where you find deviations, there might be bugs lurking.  We should take
a good look at the \0 issue.  But we should have some tests for it.

If you're still at the TestTWF event you are very free to either expand
with a few new tests or fix the issues that currently exist in this one.
Since we're not on GitHub yet, the process is not that smooth, but it
can become that.


I have reviewed three pull requests from the event already, so I'll wait
for some hot stuff from you too then? :D

[ I'm the worst just-go-to-bed'er ever ]
-- 
  Odin Hørthe Omdal
  odinho@opera.com

Received on Sunday, 14 April 2013 02:09:07 UTC
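The server-dependency Brad describes comes down to how a browser matches Access-Control-Allow-Origin against the Origin it sent: the comparison is byte-for-byte, so a value carrying an embedded null byte must not match, and a dropped header must not match either. The following is an added example written for this archive page, not code from the CORS test suite or from either poster. It models the three server behaviours mentioned in the thread (header dropped entirely, header sent with the null byte removed, header passed through verbatim) under constructed labels and a constructed sample origin, and shows which of them makes a null-byte test pass or fail for reasons unrelated to the browser under test.

```python
"""Model of the CORS origin-matching rule that the null-byte tests exercise.

Constructed example: the server behaviours below are modelled on what the
thread describes (header dropped, null byte stripped, header sent verbatim).
The behaviour labels, the sample origin and the raw responses are all
assumptions made for this illustration; none of this is test-suite code.
"""

# The origin the browser sends. A browser never puts a null byte in Origin.
REQUEST_ORIGIN = b"http://example.org"

# The Access-Control-Allow-Origin value the test page asks the server to emit:
# a valid origin followed by an embedded null byte (constructed sample).
REQUESTED_ACAO = b"http://example.org\x00"


def parse_headers(raw_response: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.1 response into a dict keyed by
    lower-cased header name. Values stay as bytes so an embedded null byte
    survives (bytes.strip() removes only ASCII whitespace, not NUL)."""
    head, _, _body = raw_response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # index 0 is the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def cors_origin_allowed(request_origin: bytes, headers: dict) -> bool:
    """The check a browser applies for a simple cross-origin read: the header
    must be present and must be exactly "*" or equal the Origin byte-for-byte.
    No normalisation takes place, so "http://example.org\\x00" does not match
    "http://example.org"."""
    acao = headers.get(b"access-control-allow-origin")
    if acao is None:
        return False
    if acao == b"*":
        return True
    return acao == request_origin


def build_response(server_behaviour: str, requested_acao: bytes) -> bytes:
    """Raw response each modelled server variant sends when the test script
    asks it to set Access-Control-Allow-Origin to requested_acao."""
    status = b"HTTP/1.1 200 OK\r\n"
    if server_behaviour == "drop_header":
        # Public server as described: the whole header disappears.
        header = b""
    elif server_behaviour == "strip_null":
        # Test VM as described: header is sent, null byte removed.
        cleaned = requested_acao.replace(b"\x00", b"")
        header = b"Access-Control-Allow-Origin: " + cleaned + b"\r\n"
    elif server_behaviour == "verbatim":
        # A server that passes the bytes through untouched.
        header = b"Access-Control-Allow-Origin: " + requested_acao + b"\r\n"
    else:
        raise ValueError(f"unknown server behaviour: {server_behaviour}")
    return status + header + b"Content-Type: text/plain\r\n\r\nok"


def run_null_byte_scenarios() -> dict:
    """Evaluate the null-byte test against each server variant. The test
    expects the browser to deny the read; a variant under which the check
    says 'allowed' makes the test fail purely because of server setup."""
    results = {}
    for behaviour in ("drop_header", "strip_null", "verbatim"):
        headers = parse_headers(build_response(behaviour, REQUESTED_ACAO))
        allowed = cors_origin_allowed(REQUEST_ORIGIN, headers)
        results[behaviour] = {"allowed": allowed, "test_passes": not allowed}
    return results


if __name__ == "__main__":
    for behaviour, outcome in run_null_byte_scenarios().items():
        print(f"{behaviour:12s} allowed={outcome['allowed']!s:5s} "
              f"test_passes={outcome['test_passes']}")
```

Only the "strip_null" variant turns the header into an exact match and so flips the expected denial into an allow, which is the pass-on-one-host, fail-on-the-other split reported in the thread. Running the same comparison against a captured response from a candidate test host is a quick way to tell whether a failure belongs to the browser or to the PHP/Apache layer in front of it.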