Security bug in XmlHttpRequest, setRequestHeader()

Kusuke Ebihara (Ikousuke at ) has discovered an interesting security bug with XHR. 

Basically, for CGI programs, characters that are valid in HTTP headers but not in Unix shell environment variables are commonly all coerced to "_".  This allows bypass of the security restrictions in, section 5.  If an application sets, e.g. a header of "User_Agent" (or in some cases "User.Agent", "User*Agent", etc...), that is indistinguishable when delivered to a CGI application from the forbidden "User-Agent". 

As this behavior is at least partially formally documented in , and very widely implemented, the algorithm for XHR should be updated to at least consider "_", and possibly all non-alphanumeric characters, as equivalent to "-" for purposes of comparison to the blacklisted header set.

Brad Hill
Sr. MTS, Internet Standards and Governance
PayPal Information Risk Management
cell: 206.245.7844 / skype: hillbrad

Received on Thursday, 5 January 2012 23:26:56 UTC
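The collision described above, and the normalised comparison the post proposes, as an added JavaScript example (not code from the post, from any browser engine, or from the XHR specification). It assumes the CGI meta-variable mapping of RFC 3875 section 4.1.18 (header name upper-cased, "-" replaced by "_", "HTTP_" prepended); the broader coercion of every non-alphanumeric character that the post says some servers apply is modelled here as a flag, and the forbidden-header list is an illustrative subset, not the full blacklist.

```javascript
// Illustrative subset of XHR's forbidden request headers (assumption: not the full list).
const FORBIDDEN_REQUEST_HEADERS = ["User-Agent", "Host", "Content-Length", "Cookie"];

// Model of the CGI meta-variable name a server derives from an HTTP header name
// (RFC 3875 section 4.1.18): upper-case, "-" -> "_", prefix "HTTP_".
// coerceAllNonAlnum models servers that also map ".", "*", etc. to "_" (post's "some cases").
function cgiMetaVariable(headerName, coerceAllNonAlnum = false) {
  const pattern = coerceAllNonAlnum ? /[^A-Za-z0-9]/g : /-/g;
  return "HTTP_" + headerName.toUpperCase().replace(pattern, "_");
}

// Weak check: plain case-insensitive comparison against the blacklist.
// "User_Agent" is not on the list, so it passes, yet a CGI program sees it as HTTP_USER_AGENT.
function naiveIsForbidden(name) {
  const lower = name.toLowerCase();
  return FORBIDDEN_REQUEST_HEADERS.some((h) => h.toLowerCase() === lower);
}

// Hardened check (the post's proposal): compare in the coerced CGI form, treating every
// non-alphanumeric character as equivalent to "-". Over-matching (e.g. rejecting "X_Custom"
// when "X-Custom" would be forbidden) is the safe direction.
function normalizedIsForbidden(name) {
  const key = cgiMetaVariable(name, true);
  return FORBIDDEN_REQUEST_HEADERS.some((h) => cgiMetaVariable(h, true) === key);
}

// Defensive audit helper: given candidate header names, report those the weak check allows
// but which collide server-side with a forbidden header under the given coercion rule.
function findCollisions(candidates, coerceAllNonAlnum = false) {
  const forbiddenKeys = new Map(
    FORBIDDEN_REQUEST_HEADERS.map((h) => [cgiMetaVariable(h, coerceAllNonAlnum), h])
  );
  const collisions = [];
  for (const name of candidates) {
    if (naiveIsForbidden(name)) continue; // the weak check already rejects it
    const key = cgiMetaVariable(name, coerceAllNonAlnum);
    if (forbiddenKeys.has(key)) {
      collisions.push({ sent: name, collidesWith: forbiddenKeys.get(key), cgiName: key });
    }
  }
  return collisions;
}

// Constructed sample input for the stand-alone run.
const SAMPLE_HEADER_NAMES = ["User_Agent", "User.Agent", "X-Requested-With", "HOST", "Content_Length"];
console.log("strict '-' coercion:", findCollisions(SAMPLE_HEADER_NAMES));
console.log("non-alphanumeric coercion:", findCollisions(SAMPLE_HEADER_NAMES, true));
console.log("normalised check rejects User_Agent:", normalizedIsForbidden("User_Agent"));
```

Under the strict RFC 3875 rule only "User_Agent" and "Content_Length" collide; with the wider non-alphanumeric coercion "User.Agent" joins them, which is why the post suggests normalising all non-alphanumeric characters before the blacklist comparison rather than "_" alone.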