Closed Bug 162393 Opened 22 years ago Closed 22 years ago

[FIX]a variable called "content" confuses urlSecurityCheck in contentAreaUtils.js

Categories

(Core :: Security, defect, P1)

Product:
Core
Component:
Security
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.2beta

People

(Reporter: jruderman, Assigned: caillon)

References

(
URL
)

Details

(Whiteboard: [sg:blocker])

Attachments

(4 files, 5 obsolete files)

testcase A: links to chrome
624 bytes, text/html
Details
testcase B: spoofs the referrer as a different http site
612 bytes, text/html
Details
Patch v2.2
6.47 KB, patch
bzbarsky
: review+
caillon
: superreview+
asa
: approval+
Details | Diff | Splinter Review
Patch for 1.0 branch
11.66 KB, patch
caillon
: approval+
Details | Diff | Splinter Review 
http://www.uni-duesseldorf.de/ulb/db.html defines a variable called |content|,
which causes "Open Link in New Window" to break with this error message:

Error: focusedWindow._content.location has no properties
Source File: chrome://communicator/content/contentAreaUtils.js
Line: 59

Thanks to biesi for pointing out this bug on #mozillazine.

This is a security hole.  If a page defines |content| such that
content.location.href is the string "chrome://foo", middle-clicking (or
selecting Open Link in New Window) on a link to a chrome url succeeds.

I think functions in contentAreaUtils.js such as openNewWindowWith and
urlSecurityCheck should pass around the content document that contains the link
rather than relying on xuldocument.commandDispatcher.focusedWindow and
isDocumentFrame.  It seems to me that passing around the content document would
be simpler.
-> caillon
Assignee: mstoltz → caillon
Yikes.  Looking.
Status: NEW → ASSIGNED
Attached file testcase (obsolete) — 

    
    

    
  


  

        Attachment #95030 -
        Attachment is obsolete: true

        Attachment #95031 -
        Attachment mime type: text/plain → text/html

    
    

    
  
Um, testcase B doesn't seem to be exploitable using a trunk build, is it
exploitable using a branch build only?

    
    

    
  
Haven't we seen this before? Bug 143369 was this type of problem, too, wasn't it?

    
    

    
  
jst, testcase B is exploitable for me if I open the link in a new window.

    
    

    
  
oops, forgot to mention, that was with trunk build 2002081209 on windows98.

    
    

    
  
There's actually several different bugs that this is about.  I can fix these,
but I'd like to know whether or not I need to conjure up a "real fix" or a
"lowest risk" fix (i.e. is this wanted for MachV?).  Nominating in either case.
Keywords: nsbeta1

    
    

    
  
The good news is that javascript: URLs don't seem to run with chrome privileges
even after this trick.

    
    

    
  
Oh, duh. I didn't read testcase B through before testing, it is exploitable
using trunk builds.

    
    

    
  
Can't do anything serious with this, so not a MachV stopper.  This is something
we should fix in Buffy though.
Priority: -- → P1
Target Milestone: --- → mozilla1.2alpha

    
    

    
  
*** Bug 167941 has been marked as a duplicate of this bug. ***

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Proposed fix v.1.0 (obsolete)
        — Splinter Review
      

    


  
Works against both testcases.  I actually want to remove urlSecurityCheck
completely from contentAreaUtils.js.  There is still one place,
http://lxr.mozilla.org/mozilla/source/editor/ui/composer/content/editorApplicationOverlay.js#63
that calls it, but I can't find any callers of that method (editLink).	I'll
double check with the editor folks first, though.

    
    

    
  


  
With the code completely moved into browser.xml

    
    

    
  
glazou/cmanske: is this change ok with you guys?

    
    

    
  
Comment on attachment 99792 [details] [diff] [review]
Same as before; but completely removing urlSecurityCheck

r=cmanske for change in
editorApplicationOverlay.js

        Attachment #99792 -
        Flags: review+

    
  

        Attachment #99792 -
        Flags: review+

    
    

    
  
This change doesn't seem right. For a frameset we would use the frame's URL as
the referrer, now we'll always be using the outermost frameset's URL.

Also, do we always want to fall back to the document.currentURI or about:blank
for the referrer in the security check? Should clicking a bookmark in the
personal toolbar really be checked against document.currentURI?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v2.0 (obsolete)
        — Splinter Review
      

    


  

        Attachment #99791 -
        Attachment is obsolete: true

        Attachment #99792 -
        Attachment is obsolete: true

    
    

    
  
We need this for 1.2 final.
Whiteboard: [sg:blocker]

    
    

    
  
All righty then.
Summary: a variable called "content" confuses urlSecurityCheck in contentAreaUtils.js → [FIX]a variable called "content" confuses urlSecurityCheck in contentAreaUtils.js
Target Milestone: mozilla1.2alpha → mozilla1.2beta

    
    

    
  
So comments on irc to caillon:

isDocumentFrame should probably be renamed to isContentFrame or isContentWindow

focusedWindow.location.href is unsafe and should be replaced with the
lookupMethod version.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v2.1 (obsolete)
        — Splinter Review
      

    


  

        Attachment #102669 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 103009 [details] [diff] [review]
Patch v2.1

>Index: xpfe/browser/resources/content/navigator.js

>-  if (!_content || !_content.frames.length || !isDocumentFrame(document.commandDispatcher.focusedWindow))
>+  if (!content || !content.length || !isContentFrame(document.commandDispatcher.focusedWindow))

Even though you and I know that content.frames == content (ewww), I think the
code is clearer if you keep this as content.frames.length.

>Index: xpfe/communicator/resources/content/contentAreaUtils.js

> function urlSecurityCheck(url, doc) 
> {
>   // URL Loading Security Check
>   var focusedWindow = doc.commandDispatcher.focusedWindow;
>+  var sourceWin = getContentFrameHref(focusedWindow);

Perhaps this should be named sourceURL instead of sourceWin.

sr=jag

        Attachment #103009 -
        Flags: superreview+

    
    

    
  
Actually, name the function getContentFrameURI, href is the property name but
the URI is really what you're getting there.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v2.2Splinter Review
      

    


  
jag's comments addressed.

        Attachment #103009 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 103106 [details] [diff] [review]
Patch v2.2

r=bzbarsky

        Attachment #103106 -
        Flags: review+

    
    

    
  
Comment on attachment 103106 [details] [diff] [review]
Patch v2.2

transferring sr=jag

        Attachment #103106 -
        Flags: superreview+

    
    

    
  
Comment on attachment 103106 [details] [diff] [review]
Patch v2.2

a=asa for checkin to 1.2 (on behalf of drivers)

        Attachment #103106 -
        Flags: approval+

    
    

    
  
Fixed, though this didn't make the beta.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED

    
    

    
  
caillon:

I suspect this bug applies to the 1.0 branch as well.  If so, once it gets a
little baking on trunk, I'd like you to make a 1.0 branch patch as well.

    
    

    
  
Sure will do.  For reference, this fix depends on the fix for bug 159667 which
was not checked into the 1.0 branch.

    
    

    
  
this has caused regressions in composer
OS: Windows 2000 → All
Hardware: PC → All

    
    

    
  


  
I haven't actually tested this against the 1.0 branch since it appears the
branch doesn't support the compiler I'm using (gcc3.2), which seems a bit
strange to me as gcc3.2 is likely going to be sticking around for quite a
while...

    
    

    
  
I'm kind of confused.  This made it into the mozilla trunk, right?  I see a note
about regressions in composer.

    
    

    
  
The regression is/was bug 175304 and has already been fixed on trunk.  The branc
patch I uploaded includes that fix (sans the comment as requested by brade).
Keywords: adt1.0.2

    
    

    
  
Discussed in bBird team meeting.  Minusing for bBird.
Keywords: adt1.0.2adt1.0.2-

    
    

    
  
Comment on attachment 104130 [details] [diff] [review]
Patch for 1.0 branch

Adding a=asa,shaver,roc+moz via email and confirming with roc on irc that 3 oks
is an implied a=.

        Attachment #104130 -
        Flags: approval+

    
    

    
  
Checked in on the branch.
Whiteboard: [sg:blocker] → [sg:blocker][fixed1.0.2]
Keywords: fixed1.0.2
Whiteboard: [sg:blocker][fixed1.0.2] → [sg:blocker]

    
    

    
  
Verified on 2002-11-06-branch build on Win 2000.

Both above test cases work as expected.
Status: RESOLVED → VERIFIED

    
    

    
  
Updating the verified1.0.2 keyword.
Keywords: fixed1.0.2verified1.0.2
Group: security
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: