On Jan 16, 2005, at 9:31 PM, N. M. Buzdor wrote:
> May I ask two more questions of Brion Vibber and the gang regarding
> security from the IE exploit? How does ensuring the URL is canonical
> assure (even in part) that what's returned can't be used to exploit IE;
> that is, how could a malformed URL break the security if it's JavaScript
> on the page that's responsible for kidnapping the browser session?
The URL isn't actually malformed; rather, IE has a bug (a "feature") in
which under certain conditions it will ignore what the server tells it
and interpret the code in an unintended (and potentially undesirable) way.
To make an analogy: I write down some words on a piece of paper and hand
it to you, telling you "this is a poem I wrote, don't pay any attention
to the words but pass it on to the person behind you for their
entertainment". On the paper is written:
"To do", a verse by Brion Vibber
1. Pick up a hammer.
2. Bash yourself in the head with the hammer.
3. Return to step 1.
If you're a normal person, you'll think I'm a bit odd and pass the note on.

If you're Internet Explorer, then you will recognize the "To do" at the
top as meaning a list of instructions and begin repeatedly bashing
yourself in the head with a hammer.
The raw text is accompanied by an explicit direction on how to interpret
it safely, but Internet Explorer under certain circumstances decides to
interpret the data in a different, unsafe way because of a cosmetic
detail. If I make sure the note is titled "Entertaining Things" instead
of "To do", even Internet Explorer will remember to correctly pass the
note on.
> Secondly, are the three links (index.php?title=-&action=raw&gen=js&smaxage=0,
> index.php?title=User:xxx/monobook.css&action=raw&ctype=text/css, and
> index.php?title=User:xxx/monobook.js&action=raw&ctype=text/javascript&dontcountme=s)
> all merely for user preferences? If so then could I conceivably comment
> out not the security, but the references that send the browser off on
> the wild goose chase in the first place?
They are largely for options and global customizations, yes.

Try also changing the Location: header into 'HTTP/1.0 403 Forbidden' and
see what that does.
-- brion vibber (brion @ pobox.com)
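The situation Brion describes (the server labels the body correctly, but an old IE may ignore the label because of a cosmetic detail of the request) suggests a simple server-side defence: only serve raw content when the request URL is the canonical script path and the requested type is on a short allowlist, and answer 403 Forbidden otherwise, as Brion suggests above. The following is an added illustration, not MediaWiki's own code and not from this thread; the script path `/w/index.php`, the `serve_raw` helper, the allowlist, and the `X-Content-Type-Options: nosniff` header (a later-era browser directive, not something mentioned in the thread) are all assumptions.

```python
"""Defensive handling of an action=raw request (hypothetical example).

The server cannot fix the browser, so it removes the cosmetic cue the
browser sniffs on: any path that is not exactly the canonical script
path (e.g. trailing path info that looks like a file name) is refused,
as is any requested Content-Type outside a small allowlist.
"""
from urllib.parse import urlsplit, parse_qs

CANONICAL_SCRIPT = "/w/index.php"  # assumed canonical path of the wiki script
ALLOWED_CTYPES = {"text/x-wiki", "text/css", "text/javascript"}  # assumed allowlist


def serve_raw(url, page_text):
    """Return (status, headers, body) for a raw-content request.

    url       -- request target as received, e.g. "/w/index.php?title=Foo&action=raw"
    page_text -- the wiki text that would be returned on success
    """
    parts = urlsplit(url)

    # 1. Canonical URL only: no extra path segments that a browser could
    #    mistake for a file name and use to second-guess the Content-Type.
    if parts.path != CANONICAL_SCRIPT:
        return 403, {"Content-Type": "text/plain"}, "Forbidden: non-canonical URL"

    query = parse_qs(parts.query)
    if query.get("action", [""])[0] != "raw":
        return 400, {"Content-Type": "text/plain"}, "Bad request: expected action=raw"

    # 2. Only hand out types we intend to serve; never an HTML type.
    ctype = query.get("ctype", ["text/x-wiki"])[0]
    if ctype not in ALLOWED_CTYPES:
        return 403, {"Content-Type": "text/plain"}, "Forbidden: unsupported ctype"

    # 3. Label the body explicitly; nosniff is a later browser directive that
    #    tells compliant browsers not to reinterpret the type (assumption,
    #    not part of the 2005 discussion).
    headers = {
        "Content-Type": f"{ctype}; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, page_text


if __name__ == "__main__":
    # Constructed sample requests, modelled on the links quoted in the thread.
    for u in (
        "/w/index.php?title=User:xxx/monobook.css&action=raw&ctype=text/css",
        "/w/index.php/notes.html?title=Foo&action=raw",
        "/w/index.php?title=Foo&action=raw&ctype=text/html",
    ):
        status, hdrs, body = serve_raw(u, "/* constructed page text */")
        print(status, hdrs.get("Content-Type"), u)
```

The point of the check is not that the URL is dangerous in itself but that removing the trigger leaves the browser nothing to misinterpret; the 403 simply refuses to play along, which is the behaviour Brion proposes trying.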