
Date:	Thu, 8 Oct 1998 23:06:19 -0500
From:	HD Moore <hdmoore@USA.NET>
Subject:      Re: Remote CGI can crash Netscape 4.x (and current source for 5.x)
To:	BUGTRAQ@NETSPACE.ORG

Maybe this will give an idea of *why* it's crashing...

Digging around in the mozilla source code (http://www.mozilla.org), I found
these references to the content type of "internal/parser":

--[ from net.h in /mozilla/include ]--

/* This is like text/html, but also implies that the charset is that of
   the window.  This type should not escape to the outside world!
 */
#define INTERNAL_PARSER      "internal/parser"

--[ from mimemoz.c in /mozilla/lib/libmime/ ]--

  /* If we've converted to HTML, then we've already done charset conversion,
     so label this data as "internal/parser" to prevent it from being passed
     through the charset converters again. */

  if (msd->options->write_html_p &&
      !strcasecomp(type, TEXT_HTML))
    type = INTERNAL_PARSER;

______________________________________________________________

If you are curious as to how this makes it crash, grep the source code for
"INTERNAL_PARSER" and you can see the many places where data with this
content type, but not in that format, will crash the browser.  Here are some
other interesting cuts from mozilla source:

--[ from mozilla.cpp in /mozilla/cmd/winfe ]--

 //      added by ftang & jliu, just remap it from memory_stream->net_ColorHTMLStream
    NET_RegisterContentTypeConverter(INTERNAL_PARSER, FO_VIEW_SOURCE,
                                     TEXT_HTML, net_ColorHTMLStream);

--[ from pagescan.c in /mozilla/network/main/ ]--

if ((URL_s->server_status >= 400) ||
  /* don't attempt to parse non-html */
  ((PL_strstr(URL_s->content_type, TEXT_HTML) == NULL) &&
   (PL_strstr(URL_s->content_type, INTERNAL_PARSER) == NULL))) {
  /* URL_s->dont_cache = PR_FALSE; */
  obj->page->dontFollow = PR_TRUE;
 }



Here is the NPL disclaimer so I don't get bitched at for quoting source
code:

/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 *
 * The contents of this file are subject to the Netscape Public License
 * Version 1.0 (the "NPL"); you may not use this file except in
 * compliance with the NPL.  You may obtain a copy of the NPL at
 * http://www.mozilla.org/NPL/
 *
 * Software distributed under the NPL is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the NPL
 * for the specific language governing rights and limitations under the
 * NPL.
 *
 * The Initial Developer of this code under the NPL is Netscape
 * Communications Corporation.  Portions created by Netscape are
 * Copyright (C) 1998 Netscape Communications Corporation.  All Rights
 * Reserved.
 */
/* Please leave outside of ifdef for windows precompiled headers */


Jim Paris wrote:

> Netscape 4.x will crash when given a content-type of "internal/parser".
> Earlier versions seem unaffected.  Tested versions are 4.05 and 4.5b1.
> Under Win95 it simply hangs and needs a three finger salute to kill it.
> It dies with a bus fault under Linux.  To test it, try
> http://www.jtan.com/~jim/netscape-crash.cgi , which contains
>
> #!/bin/sh
> echo Content-type: internal/parser
> echo
> echo If you can see this, your browser is OK!
>
> It may be possible to do worse than crash a browser.  If this data is
> going to the same place that parsed pages go, I would imagine that
> buffer overflows are present.
>
> I submitted a bug report to Netscape.
>
> -jim
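The checks quoted above trust whatever label is attached to the data, so a response that arrives from the network already carrying the private "internal/parser" type is handed to code paths meant only for data the browser has itself converted. Below is an added example, written in C for this page and not taken from the Mozilla source or from either poster: a small filter, with assumed function names, that screens a network-supplied Content-Type before it can reach the parser and replaces any type in the reserved internal/ namespace with a safe fallback. The sample strings in main() are constructed for illustration.

```c
/* Added example (not from the Mozilla source or from the original post).
 * The post shows that "internal/parser" is a private label the browser
 * attaches to data it has already converted, and that the parser trusts it.
 * These helpers (assumed names) reject any "internal/..." type that comes
 * off the wire, so the label can only ever be applied by the browser itself. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Namespace that must never be honoured when it arrives from the network. */
#define INTERNAL_PREFIX "internal/"
/* What the parser sees instead of a rejected or missing type. */
#define FALLBACK_TYPE   "application/octet-stream"

/* Case-insensitive prefix match; the quoted Mozilla code uses strcasecomp
 * for the same reason, since header values are not case-sensitive.
 * Stops safely if s is shorter than prefix (the NUL never matches). */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    }
    return 1;
}

/* Returns 1 if content_type is an internal label that must not be trusted
 * from the network, 0 otherwise. Parameters after the type
 * (e.g. "; charset=...") do not affect the decision. */
int is_internal_type(const char *content_type)
{
    if (content_type == NULL)
        return 0;
    /* tolerate leading whitespace that a sloppy server might emit */
    while (isspace((unsigned char)*content_type))
        content_type++;
    return has_prefix_ci(content_type, INTERNAL_PREFIX);
}

/* Return the type the parser should actually be given: the network value
 * when it is acceptable, otherwise the fallback. No allocation; the result
 * is either from_network itself or the FALLBACK_TYPE literal. */
const char *effective_content_type(const char *from_network)
{
    if (from_network == NULL || *from_network == '\0' ||
        is_internal_type(from_network))
        return FALLBACK_TYPE;
    return from_network;
}

int main(void)
{
    /* constructed sample header values, not captured traffic */
    const char *samples[] = {
        "text/html",
        "internal/parser",
        "Internal/Parser; charset=iso-8859-1",
        "  internal/x",
        "",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *chosen = effective_content_type(samples[i]);
        printf("%-40s -> %s%s\n", samples[i], chosen,
               chosen == samples[i] ? "" : " (replaced)");
    }
    return 0;
}
```

The filter sits at the boundary where a header value becomes a type label, which is the only place the check needs to live: once the browser's own converter applies INTERNAL_PARSER to data it has already processed, that label is legitimate and the parser may keep trusting it.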