Re: CVE Request: WebKitGTK+ performs DNS prefetch when a proxy is configured

[Michael Catanzaro <mcatanzaro () igalia com>]

On Mon, 2015-06-08 at 17:34 -0400, cve-assign () mitre org wrote:
> We're not sure that this can be considered a vulnerability fix; it
> seems more like a feature addition. The
> platformProxyIsEnabledInSystemPreferences "return false" code seems 
> to
> mean that the the product's development status was that ascertaining 
> a
> proxy setting was an unimplemented capability, and therefore any
> proxy-specific DNS behavior was an unimplemented feature.

Yes, but it should have been a "return true" to fail-safe instead.

> Admittedly, never making direct DNS queries during proxy use may be
> the new preferred behavior in this product. However, sometimes people
> want to make direct DNS queries during proxy use.

I don't think we intend to support this level of configurability.

> There could be a CVE ID if a product were specifically trying to
> detect a proxy setting (in order to avoid direct DNS in that case) 
> but
> failing because of a coding error. There typically can't be a CVE ID
> for addition of new code to satisfy a requested behavior change.

OK, no need for a CVE then.

Thanks for the good response and the links,

Michael