LibWeb: Fix UAF in convert_header_names_to_a_sorted_lowercase_set()

We can't keep a span (ReadonlyBytes) to a move()'d ByteBuffer in the header_names_seen HashTable - copy the original name span instead which works the same thanks to CaseInsensitiveBytesTraits. This would sporadically fail the contains() check due to garbage data, later leading to a VERIFY() crash in the OrderedHashTable append loop.
Author: https://github.com/linusg Commit: 6bce48e99b Pull-request: https://github.com/SerenityOS/serenity/pull/17420 Reviewed-by: https://github.com/kennethmyhra ✅
2025-08-01 13:49:16 +00:00 · 2023-02-10 21:58:10 +00:00 · 2023-02-10 21:58:10 +00:00 · 6bce48e99b · 2024-07-17 00:49:59 +09:00
commit 6bce48e99b
parent 92cb32b905
1 changed files with 1 additions and 1 deletions
--- a/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Headers.cpp
+++ b/Userland/Libraries/LibWeb/Fetch/Infrastructure/HTTP/Headers.cpp
@ -352,7 +352,7 @@ ErrorOr<OrderedHashTable<ByteBuffer>> convert_header_names_to_a_sorted_lowercase
            continue;
        auto bytes = TRY(ByteBuffer::copy(name));
        Infra::byte_lowercase(bytes);
-        header_names_seen.set(bytes);
+        header_names_seen.set(name);
        header_names_set.append(move(bytes));
    }