Closed
Bug 204902
Opened 21 years ago
Closed 21 years ago
checkloaduri doesn't work for link from Mailnews
Categories
(Core :: Security, defect)
Tracking
()
VERIFIED
FIXED
mozilla1.4final
People
(Reporter: Matti, Assigned: security-bugs)
References
Details
(Keywords: regression, Whiteboard: [adt3])
Attachments
(1 file)
660 bytes,
patch
|
sspitzer
:
review+
hjtoi-bugzilla
:
superreview+
mkaply
:
approval1.4+
|
Details | Diff | Splinter Review |
win2k build 20030508.. a) send yourself a mail with a a file:// link b) click in the mail on this link (le3ft click) c) File will open in the browser window Expected : Doesn't load the link and get a a security error in the JS Console : Security Error: Content at mailbox:///C|/Dokumente%20und%20Einstellungen/Matti/Anwendungsdaten/Mozilla/Profiles/Matti2/gnj7ycwv.slt/Mail/server600-1/Inbox?number=575105 may not load or link to file:///c:/12.bat. FYI: The URL is correctly blocked if you use "opne in new Tab/window" from the context menu
Assignee | ||
Comment 1•21 years ago
|
||
That's not good...
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.4final
Reporter | ||
Comment 2•21 years ago
|
||
FYI: I don't know if this is wanted or not but there should not be a difference between "open in new Tab/window" and a left click. I don't know if there is a true security violation...
Assignee | ||
Comment 3•21 years ago
|
||
Confirmed, and this is definitely a regression since we used to do the right thing.
Flags: blocking1.4?
Keywords: nsbeta1
Assignee | ||
Comment 4•21 years ago
|
||
When we click a link in the browser, CheckLoadURI is called from here: nsGenericElement::TriggerLink line 2992 nsGenericHTMLElement::HandleDOMEventForAnchors line 1541 + 45 bytes nsHTMLAnchorElement::HandleDOMEvent line 355 PresShell::HandleEventInternal line 6380 + 47 bytes Strangely, in the mail window, when I mouseover the file:// link, we call TriggerLink to set the status bar, but when click on it, we don't appear to be going through the above code path at all. How are link clicks handled in mail messages? CCing some people who may know.
Comment 5•21 years ago
|
||
I've changed this behaviour accidentally, for a performance / correctness issue. See http://bugzilla.mozilla.org/show_bug.cgi?id=199360 We are still going through some traditional code paths to open these links: +function openTopBrowserWith(url) +{ + var windowMediator = Components.classes["@mozilla.org/appshell/window-mediator;1"].getService(Components.interfaces.nsIWindowMediator); + var browserWin = windowMediator.getMostRecentWindow("navigator:browser"); + + // if there's an existing browser window, open this url in one + if (browserWin) + browserWin.getBrowser().loadURI(url); // Just do a normal load. + else + window.openDialog(getBrowserURL(), "_blank", "chrome,all,dialog=no", url, null, null); +} Those should be checking the load uri? If not, we might have other code paths (in nav or mail) that don't check the uri
Assignee | ||
Comment 6•21 years ago
|
||
Yes, I think we should be calling CheckLoadURI in the function you mentioned above. If this sounds right to you, I'll write up a patch.
Comment 7•21 years ago
|
||
see http://lxr.mozilla.org/mozilla/source/browser/base/content/contentAreaUtils.js#114 we have: 89 function openNewWindowWith(url, sendReferrer) 90 { 91 urlSecurityCheck(url, document); so I think just a well placed call to urlSecurityCheck() in openTopBrowserWith() will do the trick. but that will throw, and we need to double check that the callers to openTopBrowserWith() handle it right (as the callers to openNewWindowWith do)
Assignee | ||
Comment 8•21 years ago
|
||
I didn't do anything special to handle the exception, but it seems to be caught and displayed just fine, just like openNewWindowWith().
Assignee | ||
Comment 9•21 years ago
|
||
Comment on attachment 124598 [details] [diff] [review] Patch - call URISecurityCheck in openTopBrowserWindow Requesting reviews.
Attachment #124598 -
Flags: superreview?(heikki)
Attachment #124598 -
Flags: review?(sspitzer)
Comment 10•21 years ago
|
||
adt: nsbeta1+/adt3
Updated•21 years ago
|
Attachment #124598 -
Flags: superreview?(heikki) → superreview+
Comment 11•21 years ago
|
||
Comment on attachment 124598 [details] [diff] [review] Patch - call URISecurityCheck in openTopBrowserWindow r=sspitzer, assuming you veriied that the "ok" cases worked fine, and the "failed" cases (where we threw the exception) did what we want. please confirm that you tested that. for the "failed" case, the caller of openTopBrowserWindow() is messagePaneOnClick(event); if it throws an exception, this line of messagePaneOnClick() won't get called: 236 openTopBrowserWith(href); 237 // we want to preventDefault, so that in 238 // nsGenericHTMLElement::HandleDOMEventForAnchors(), we don't try to handle the click again 239 event.preventDefault(); is that a problem? or is that desired? do you want to handle it twice?
Attachment #124598 -
Flags: review?(sspitzer)
Attachment #124598 -
Flags: review+
Attachment #124598 -
Flags: approval1.4?
Assignee | ||
Comment 12•21 years ago
|
||
I tested as many "ok" and "failed" cases as I could find, all are working OK. My test page (internal) is http://warp/u/mstoltz/bugs/clu.html. Mail that page to yourself to run the test. As for the preventDefault, I tried moving it before the openTopBrowserWith call, but it didn't seem to behave any differently, so for simplicity's sake I'm going to leave it as is.
Comment 13•21 years ago
|
||
Comment on attachment 124598 [details] [diff] [review] Patch - call URISecurityCheck in openTopBrowserWindow a=mkaply for 1.4
Attachment #124598 -
Flags: approval1.4? → approval1.4+
Comment 14•21 years ago
|
||
a=adt
Assignee | ||
Comment 15•21 years ago
|
||
Checked in, trunk and 1.4 branch.
Comment 16•21 years ago
|
||
thanks for testing thoroughly.
Reporter | ||
Comment 17•21 years ago
|
||
This works now but I get 3 Errors in the JS Console if I left-click a file link in a mail (text) : 1) Error: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIWebNavigation.loadURI]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://global/content/bindings/browser.xml#browser.loadURIWithFlags() :: loadURIWithFlags :: line 5" data: no] Source File: chrome://global/content/bindings/browser.xml#browser.loadURIWithFlags() Line: 5 2) Security Error: Content at mailbox:///C|/Dokumente%20und%20Einstellungen/Matti/Anwendungsdaten/Mozilla/Profiles/Matti2/gnj7ycwv.slt/Mail/server600-1/Inbox?number=1212634 may not load or link to file://c/. 3) Error: uncaught exception: Load of file://c/ denied. I get 4 security errors with open in new tab/window : Error 2, Error 3, Error 2, Error 3 I dunno if this is wanted/known but marking verified
Status: RESOLVED → VERIFIED
Assignee | ||
Comment 18•21 years ago
|
||
*** Bug 197252 has been marked as a duplicate of this bug. ***
Comment 19•21 years ago
|
||
matti@mversen.de, those errors sound like a result of us not catching the exception we throw. let's lot a spin off bug for that, but as long as things "work" for the user, I'm ok with this as is, for 1.4 final.
Assignee | ||
Comment 20•21 years ago
|
||
That's what I thought too, but I tried catching the exception and I still saw the 3 errors in the console.
Comment 21•21 years ago
|
||
Does the patch respect the setting of security.checkloaduri ?
Comment 22•21 years ago
|
||
Matti, was this fix verified on the trunk only? Did you check the branch as well?
Reporter | ||
Comment 23•21 years ago
|
||
Verified with the trunk and the 1.4 branch
Comment 24•21 years ago
|
||
Adding verified1.4 per Matti comments. Thx Matti.
Keywords: fixed1.4 → verified1.4
You need to log in
before you can comment on or make changes to this bug.
Description
•