Bug 716801: Location parsing. r=bz

netwerk/protocol/http/nsHttpHeaderArray.cpp

@@ -88,8 +88,12 @@ nsHttpHeaderArray::SetHeaderFromNet(nsHttpAtom header, const nsACString &value)
     index = LookupEntry(header, &entry);
 
     if (!entry) {
-        if (value.IsEmpty())
-            return NS_OK; // ignore empty headers
+        if (value.IsEmpty()) {
+            if (HeaderMustHaveValue(header)) {
+                return NS_ERROR_CORRUPTED_CONTENT;
+            }
+            return NS_OK; // ignore empty headers by default
+        }
         entry = mHeaders.AppendElement(); //new nsEntry(header, value);
         if (!entry)
             return NS_ERROR_OUT_OF_MEMORY;

netwerk/protocol/http/nsHttpHeaderArray.h

@@ -113,6 +113,8 @@ private:
 
     // Header cannot be merged: only one value possible
     bool    IsSingletonHeader(nsHttpAtom header);
+    // For some headers, we treat no value as possible CRLF attack
+    bool    HeaderMustHaveValue(nsHttpAtom header);
 
     // Subset of singleton headers: should never see multiple, different
     // instances of these, else something fishy may be going on (like CLRF
@@ -156,6 +158,12 @@ nsHttpHeaderArray::IsSingletonHeader(nsHttpAtom header)
            header == nsHttp::Max_Forwards;
 }
 
+inline bool
+nsHttpHeaderArray::HeaderMustHaveValue(nsHttpAtom header)
+{
+    return header == nsHttp::Location;
+}
+
 inline void
 nsHttpHeaderArray::MergeHeader(nsHttpAtom header,
                                nsEntry *entry,

netwerk/test/unit/test_duplicate_headers.js

@@ -357,7 +357,31 @@ function completeTest11(request, data, ctx)
     do_throw("error parsing Content-Disposition: " + ex);
   }
 
+  run_test_number(12);
+}
+
+////////////////////////////////////////////////////////////////////////////////
+// Bug 716801 FAIL if any/only Location: header is blank
+test_flags[12] = CL_EXPECT_FAILURE;
+
+function handler12(metadata, response)
+{
+  var body = "012345678901234567890123456789";
+  response.seizePower();
+  response.write("HTTP/1.0 301 Moved\r\n");
+  response.write("Content-Type: text/plain\r\n");
+  response.write("Content-Length: 30\r\n");
+  response.write("Location:\r\n");
+  response.write("Connection: close/\r\n");
+  response.write("\r\n");
+  response.write(body);
+  response.finish();
+}
+
+function completeTest12(request, data, ctx)
+{
+  do_check_eq(request.status, Components.results.NS_ERROR_CORRUPTED_CONTENT);
+
   endTests();
 }
 
-