Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`. https://github.com/mozilla/hawk/pull/286 https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq
Created couchdb tracking bugs for this issue: Affects: fedora-all [bug 2082457] Created dotnet3.1 tracking bugs for this issue: Affects: fedora-all [bug 2082458] Created firefox tracking bugs for this issue: Affects: fedora-all [bug 2082459] Created icecat tracking bugs for this issue: Affects: fedora-all [bug 2082460] Created mozjs68 tracking bugs for this issue: Affects: fedora-all [bug 2082461] Created mozjs78 tracking bugs for this issue: Affects: fedora-all [bug 2082462] Created mozjs91 tracking bugs for this issue: Affects: fedora-all [bug 2082466] Created seamonkey tracking bugs for this issue: Affects: epel-8 [bug 2082456] Affects: fedora-all [bug 2082463] Created thunderbird tracking bugs for this issue: Affects: fedora-all [bug 2082464] Created yarnpkg tracking bugs for this issue: Affects: fedora-all [bug 2082465]
Looking at the header of https://hg.mozilla.org/releases/mozilla-release/file/tip/services/common/hawkclient.js, it seems some another hawk implementation, just mentioning an ancient "https://github.com/hueniverse/hawk" link, and does not have any regexp code for the host parsing. IOW, it seems that even the current upstream Firefox still uses its own hawk implementation, which yet not affected by the issue, since does not use any regexp for host parsing yet.