Closed Bug 296704 Opened 20 years ago Closed 20 years ago

trusted event reinitialization allows data-theft

Categories

(Core :: DOM: Events, defect)

Product:
Core
Component:
DOM: Events
Platform:
x86
Windows 98
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: sync2d, Assigned: jst)

References

Details

(Keywords: fixed-aviary1.0.5, fixed1.7.9, Whiteboard: [sg:fix])

Attachments

(5 files, 2 obsolete files)

testcase
2.58 KB, text/html
Details
Same as above but unmark the dispatch bit when we're done dispatching an event, and permit re-dispatching of DOM events (but reset trusted flags if the caller isn't trusted).
37.32 KB, patch
Details | Diff | Splinter Review
diff -w of the above for review.
27.29 KB, patch
dveditz
: review+
bryner
: superreview+
dveditz
: approval-aviary1.0.5+
dveditz
: approval1.7.9+
dveditz
: approval1.8b3+
Details | Diff | Splinter Review
Aviary and mozilla1.7 branch version of the above
37.35 KB, patch
Details | Diff | Splinter Review
Missed one part of the missing code.
9.17 KB, patch
dveditz
: review+
dveditz
: superreview+
Details | Diff | Splinter Review
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Build Identifier: Mozilla has the special "trusted" flag on event objects, and uses it to deny untrusted events to do some special operations. So untrusted events raised by web pages cannot do clipboard copy, paste, etc... However, malicious page can hijack trusted events by reinitializing such events using DOM initEvent() family in the event handlers, and can perform limited subset of the privileged operations. Reproducible: Always Steps to Reproduce: 1. open the testcase. 2. press "alt-a" key. Actual Results: trusted events can be reinitialized by initEvent() family. Expected Results: initEvent() family during dispatching-phase must be ignored. So, trusted events cannot be hijacked by web pages. http://www.w3.org/TR/DOM-Level-2-Events/events.html#Events-Event-initEvent According to DOM Level2 Events Spec, initEvent() family called during event dispatching-phase must be ignored.
Attached file testcase
testcase: clipboard text and local file can be stealed. works on firefox 1.0.4 and firefox trunk 2005060423. Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050604 Firefox/1.0+
Assignee: events → jst
Blocks: sbb?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking1.7.9+
Flags: blocking-aviary1.0.5+
Whiteboard: [sg:fix]
Fix coming up.
There may be a more efficient way to do this, with less code even. But I'm not sure where that would be to catch all cases, so for now this is probably the safest approach. Alternatively I guess we could move the code that marks events as being dispatched already into nsEventListenerManager::HandleEvent() as I *think* that all event handler invocations *always* go through there. And if no handler is ever called, there's no *real* reason to mark the event since no untrusted code could ever get a reference to the event (unless it was created by script, in which case it'll be properly marked trustes/untrusted anyways). Thoughts?
Attachment #185875 - Flags: superreview?(dveditz)
Attachment #185875 - Flags: review?(bzbarsky)
I don't see why you shouldn't be able to dispatch an event twice. If the event is already being dispatched, then dispatching it again should raise DISPATCH_REQUEST_ERR. Once an event has been passed to the dispatchEvent method, then calling initEventXXX() on it should do nothing. Once a trusted event has finished being dispatched, its trusted flag should be reset, so that if it is redispatched, it doesn't do any damage. Beyond that I see no reason to stop redispatching or reinitialising.
Comment on attachment 185875 [details] [diff] [review] Prevent events from ever being initialized or dispatched more than once. It's going to take me a day or two to get to this.... If I don't by the 19th, though, then I won't be able to until July.
If bz can't get to this soon, can anyone else jump in here and get this fixed for 1.0.5/1.7.9?
Comment on attachment 185875 [details] [diff] [review] Prevent events from ever being initialized or dispatched more than once. >-#define NS_PRIV_EVENT_UNTRUSTED_PERMITTED 0x0800 >+#define NS_EVENT_FLAG_DISPATCH_STARTED 0x0800 >+#define NS_PRIV_EVENT_UNTRUSTED_PERMITTED 0x1000 bump the untrusted define to 0x8000 so we don't move it around each time we add a new flag. (Potentially breaks existing add-ons otherwise binary compatible with unchanged interfaces.) sr=dveditz
Attachment #185875 - Flags: superreview?(dveditz) → superreview+
Whiteboard: [sg:fix] → [sg:fix] need r=, a=, landing
Attachment #185875 - Flags: review?(bzbarsky) → review?(bugmail)
To be on the safe side, this makes is so that re-dispatching an event still works as long as the event isn't in the process of being dispatched already. This also makes sure that if an event is re-dispatched and the event is trusted, it makes sure the caller is also trusted. If not, it unsets the trusted bit when re-initializing the event. This code piggy-backs on the NS_EVENT_FLAG_STOP_DISPATCH_IMMEDIATELY bit to know that an event has already been dispatched, the bit gets set when we leave the DOM event loop, and it's checked when dispatching an event. diff -w coming up.
This should fix this bug while letting people reuse events in a safe way.
Attachment #186960 - Flags: superreview?(bryner)
Attachment #186960 - Flags: review?(dveditz)
*** Bug 292943 has been marked as a duplicate of this bug. ***
Attachment #186960 - Flags: superreview?(bryner) → superreview+
Attachment #185875 - Attachment is obsolete: true
Attachment #185875 - Flags: superreview+
Attachment #185875 - Flags: review?(bugmail)
Comment on attachment 186960 [details] [diff] [review] diff -w of the above for review. r=dveditz a=dveditz for branches and trunk
Attachment #186960 - Flags: review?(dveditz)
Attachment #186960 - Flags: review+
Attachment #186960 - Flags: approval1.8b3+
Attachment #186960 - Flags: approval1.7.9+
Attachment #186960 - Flags: approval-aviary1.0.5+
Whiteboard: [sg:fix] need r=, a=, landing → [sg:fix] need landing
Fixed on trunk and aviary branches. There are some differences between 1.7 and aviary branches that make this hard to apply there, need to figure that out before landing on the 1.7 branch.
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: fixed-aviary1.0.5
Resolution: --- → FIXED
dveditz and jst need to discuss any discreprencies with their checkins on the 1.7 branch to get this patch checked in there.
Comment on attachment 186981 [details] [diff] [review] Aviary and mozilla1.7 branch version of the above Per 1.0.5 meeting, needs check-in by dveditz.
Attachment #186981 - Attachment description: Aviary version of the above. → Aviary version of the above. [needs check-in]
Whiteboard: [sg:fix] need landing → [sg:fix] needs landing by dveditz
Checked into mozilla 1.7 branch for jst
Keywords: fixed1.7.9
Whiteboard: [sg:fix] needs landing by dveditz → [sg:fix]
Attachment #186981 - Attachment description: Aviary version of the above. [needs check-in] → Aviary and mozilla1.7 branch version of the above
Don't early returns on various errors in HandleDOMEvent methods mean we won't remove the "dispatching" flag from some events?
Depends on: 289940
Attachment #188994 - Flags: superreview?(dveditz)
Attachment #188994 - Flags: review?(dveditz)
This unsets the NS_EVENT_FLAG_STOP_DISPATCH_IMMEDIATELY bit when re-initializing events to make them dispatchable again. Dveditz found this part was missing.
Attachment #188994 - Attachment is obsolete: true
Attachment #188995 - Flags: superreview?(dveditz)
Attachment #188995 - Flags: review?(dveditz)
Attachment #188994 - Flags: superreview?(dveditz)
Attachment #188994 - Flags: review?(dveditz)
Comment on attachment 188995 [details] [diff] [review] Missed one part of the missing code. r/sr=dveditz
Attachment #188995 - Flags: superreview?(dveditz)
Attachment #188995 - Flags: superreview+
Attachment #188995 - Flags: review?(dveditz)
Attachment #188995 - Flags: review+
Missing changes landed on the aviary *and* 1.7 branches now.
v.fixed on Aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5 using attached testcase. Alt-A no longer compromises your clipboard.
Adding distributors
FF1.0.5 advisories published
Group: security
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: