Mac OS X Parental Controls Stomp the Web

September 17, 2009 on 1:34 pm | In Programming | 1 Comment

“Won’t anyone think of the children?”

Oh, snap. Apple may be our techno-culture poster child for great design and great execution, but they appear to have flubbed it badly while trying to keep the children sitting in front of their computers safe from whatever’s out there.

We were recently dealing with a support call concerning a number of Noteflight scores created in a particular school classroom. These are XML documents, and it turned out that they had been corrupted by the injection of web proxy HTTP headers in the middle of the document, rendering them unparseable. The corruption now appears to be the handiwork of Mac OS X 10.5’s Parental Controls option, which has been reported to have a buggy interaction with Firefox that can insert this garbage into the content of any HTTP POST. And indeed, all the cases we found occurred with Firefox (various versions) and Mac OS X 10.5 with Parental Controls in effect. Safari reportedly has no problem.

The garbage typically takes the form Proxy-Connection: keep-alive\rCache-Content age=0 and appears a little under 1500 characters into the POST — probably not coincidentally, this is approximately the length of a network packet. The web side of Parental Controls is implemented as an HTTP proxy server, no doubt one with a bug in it.
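A server-side check for the corruption described above, as an added example that is not Noteflight's code: it scans an XML POST body for the quoted Proxy-Connection marker and also tests well-formedness, because garbage that lands inside a text node still parses and would otherwise be stored silently. The sample documents, function names and verdict strings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET  # for hostile input, a hardened parser such as defusedxml is preferable

# Marker taken from the garbage quoted in the post. Matching only the first
# header keeps the check independent of whatever follows it.
MARKER = re.compile(rb"Proxy-Connection:\s*keep-alive", re.IGNORECASE)

def check_post_body(body: bytes) -> dict:
    """Return well-formedness plus byte offsets of any injected proxy header."""
    offsets = [m.start() for m in MARKER.finditer(body)]
    try:
        ET.fromstring(body)
        well_formed = True
    except ET.ParseError:
        well_formed = False
    if offsets:
        verdict = "reject: proxy header injected into body"
    elif not well_formed:
        verdict = "reject: malformed XML"
    else:
        verdict = "accept"
    return {"well_formed": well_formed, "offsets": offsets, "verdict": verdict}

# Constructed sample data: a small score-like document and the quoted garbage.
GARBAGE = b"Proxy-Connection: keep-alive\rCache-Content age=0"
CLEAN = b"<score><title>" + b"x" * 1480 + b"</title><note pitch='C4'/></score>"

def inject(body: bytes, at: int) -> bytes:
    """Simulate the corruption by splicing GARBAGE into body at offset `at`."""
    return body[:at] + GARBAGE + body[at:]

IN_TEXT = inject(CLEAN, 1450)                       # lands inside the <title> text
IN_TAG = inject(CLEAN, CLEAN.index(b"<note") + 3)   # lands inside a tag name

if __name__ == "__main__":
    for name, body in [("clean", CLEAN), ("in text", IN_TEXT), ("in tag", IN_TAG)]:
        print(name, check_post_body(body))
```

The "in text" case is the one a parse-only check misses: the document is still well-formed XML, so only the marker scan flags it.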

What’s really amazing is that this bug has been around since the beginning of 2009 or so, and little has been said or done about it. But if you Google for the garbage, you’ll see that it has made its way into every corner of the web.

Now, that’s what I call viral!

1 Comment


  1. Re-stumbled upon your blog Joe! Wonderfully fun to read – hope you’re doing well.

    Comment by Deepa Subramaniam — November 11, 2009

All content copyright (c) 2006-2007 Joseph Berkovitz. All Rights Reserved.