Closed Bug 1517025 Opened 5 years ago Closed 5 years ago

Disallow % symbol in hostname for nsStandardURL

Categories

(Core :: Networking, defect, P2)

Product:
Core
Component:
Networking
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox-esr60 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- fixed

People

(Reporter: jkratzer, Assigned: valentin)

References

(Blocks 3 open bugs)

Details

(Keywords: assertion, testcase, Whiteboard: [necko-triaged])

Attachments

(4 files, 1 obsolete file)

testcase.html
59 bytes, text/html
Details
Bug 1517025 - Do not allow percent symbol in URL hostnames r=kershaw!
47 bytes, text/x-phabricator-request
Details | Review
Bug 1517025 - Use mock API server so fetchSignedObjects doesn't fail because of BAD URL r=Gijs!
47 bytes, text/x-phabricator-request
Details | Review
Bug 1517025 - Remove EXPECTED-FAIL for URL percent encoding tests r=kershaw!
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html 
Testcase found while fuzzing mozilla-central rev 83d06ab87e74.

Assertion failure: false (NS_SUCCEEDED(GetPrincipalFromOrigin(aOrigin, getter_AddRefs(dbgPrincipal)))), at /builds/worker/workspace/build/src/extensions/cookie/nsPermissionManager.cpp:3221

Unfortunately we still do not have working symbols on debug builds so no minidump is available.
Flags: in-testsuite?
Component: Networking: Cookies → Permission Manager

Nika, can you take a quick look at this? I'm not sure if this is really actionable from the testcase alone.

Flags: needinfo?(nika)

Hmm - that may be caused by bug 1517014. It looks like the string which that test case is generating produces a string which doesn't round-trip back into a nsIPrincipal, which could be caused by some validation failing somewhere?

I don't think this should be causing any serious problems, but it would be nice to figure out what is happening with it.

Flags: needinfo?(nika) → needinfo?(ehsan)

Bug 1517014 is completely innocent here.

The real problem here is that we parse the URL of the iframe as https://b%9a/ at https://searchfox.org/mozilla-central/rev/b29663c6c9c61b0bf29e8add490cbd6bad293a67/dom/base/nsFrameLoader.cpp#275.

There, src is u"/\b%9ª", encoding is encoding_rs::WINDOWS_1252_INIT, and base_uri is "https://bug1517025.bmoattachments.org/attachment.cgi?id=9033787". This causes us to load an iframe from origin https://b%9a/ but since the URI isn't valid UTF-8 we later on fail to parse the URI and the permission manager asserts because of that. Chrome seems to parse the original URI correctly here.

I'm pretty sure this is a URI parsing bug. Anne, what do you think?

Flags: needinfo?(ehsan) → needinfo?(annevk)

This URL should fail to parse as % cannot be present in a host name (except when it's followed by two hex digits and can be decoded): https://url.spec.whatwg.org/#host-parsing. (The non-UTF-8 encoding only matters for the query component of a URL, by the way.)

(The reason it's treated as a host is because /\ becomes // which makes it a scheme-relative URL.)

Blocks: url
Flags: needinfo?(annevk) → needinfo?(valentin.gosu)

(In reply to Anne (:annevk) from comment #4)

(The reason it's treated as a host is because /\ becomes // which makes it a scheme-relative URL.)

Oh, fun. TIL!

Component: Permission Manager → Networking
Assignee: nobody → valentin.gosu
Flags: needinfo?(valentin.gosu)
Priority: -- → P2
Whiteboard: [necko-triaged]

Valentin, do you mind adding a crashtest based on the original test case attached to the bug as well? I think that would be useful to have too.

Depends on D16696
Attachment #9036907 - Attachment description: Bug 1517025 - Use mock API server so fetchSignedObjects doesn't fail because of BAD URL r=Gijs! → Bug 1517025 - Change default pref URLs to localhost instead of %(server) r=Gijs!
Pushed by valentin.gosu@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/419cb778d531
Do not allow percent symbol in URL hostnames r=kershaw
https://hg.mozilla.org/integration/autoland/rev/48c7d643d2fa
Change default pref URLs to localhost instead of %(server) r=Gijs
https://hg.mozilla.org/integration/autoland/rev/c29889dea969
Remove EXPECTED-FAIL for URL percent encoding tests r=kershaw
https://hg.mozilla.org/integration/autoland/rev/1e173178e49f
Add crashtest with invalid URL r=kershaw
14:20:15     INFO -  PID 10716 | JavaScript strict warning: jar:file:///Z:/task_1548078859/build/application/firefox/omni.ja!/components/nsSearchService.js, line 3807: ReferenceError: reference to undefined property "result"
14:20:15     INFO -  "CONSOLE_MESSAGE: (warn) [JavaScript Warning: "ReferenceError: reference to undefined property "result"" {file: "jar:file:///Z:/task_1548078859/build/application/firefox/omni.ja!/components/nsSearchService.js" line: 3807}]"
14:20:15  WARNING -  TEST-UNEXPECTED-FAIL | toolkit/components/telemetry/tests/unit/test_TelemetryReportingPolicy.js | test_canSend - [test_canSend : 257] A promise chain failed to handle a rejection: Phase "OS.File: Waiting for clients before profileBeforeChange" is finished, it is too late to register completion condition "Search service: shutting down" - stack: addBlocker@resource://gre/modules/AsyncShutdown.jsm:675:15
14:20:15     INFO -  SRCH_SVC_addObservers@jar:file:///Z:/task_1548078859/build/application/firefox/omni.ja!/components/nsSearchService.js:4689:5
14:20:15     INFO -  _asyncInit@jar:file:///Z:/task_1548078859/build/application/firefox/omni.ja!/components/nsSearchService.js:2774:5
14:20:15     INFO -  async*task@jar:file:///Z:/task_1548078859/build/application/firefox/omni.ja!/components/nsSearchService.js:3804:17
14:20:15     INFO -  async*SRCH_SVC_init@jar:file:///Z:/task_1548078859/build/application/firefox/omni.ja!/components/nsSearchService.js:3801:23
14:20:15     INFO -  observe@resource://gre/modules/TelemetryEnvironment.jsm:1213:9
14:20:15     INFO -  test_firstRun@Z:/task_1548078859/build/tests/xpcshell/tests/toolkit/components/telemetry/tests/unit/test_TelemetryReportingPolicy.js:76:3
14:20:15     INFO -  async*run_next_test/_run_next_test/<@Z:\\task_1548078859\\build\\tests\\xpcshell\\head.js:1436:22

According to the stack trace, this exception seems to be coming from here and the code is only expecting XPCOM error results here

Not sure this new behaviour is caused by my patch, but I'll look into it.

Flags: needinfo?(valentin.gosu)
Attachment #9036907 - Attachment description: Bug 1517025 - Change default pref URLs to localhost instead of %(server) r=Gijs! → Bug 1517025 - Use mock API server so fetchSignedObjects doesn't fail because of BAD URL r=Gijs!
Pushed by valentin.gosu@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/2b799d86aeff
Do not allow percent symbol in URL hostnames r=kershaw
https://hg.mozilla.org/integration/autoland/rev/c4c141df786b
Use mock API server so fetchSignedObjects doesn't fail because of BAD URL r=Gijs
https://hg.mozilla.org/integration/autoland/rev/41e7f49db5a6
Remove EXPECTED-FAIL for URL percent encoding tests r=kershaw
Blocks: 1527124
Blocks: 1527126
Depends on: 1527236
Summary: Assertion failure: false (NS_SUCCEEDED(GetPrincipalFromOrigin(aOrigin, getter_AddRefs(dbgPrincipal)))), at /builds/worker/workspace/build/src/extensions/cookie/nsPermissionManager.cpp:3221 → Disallow % symbol in hostname for nsStandardURL

Did you mean to re-land the crashtest?

status-firefox65: --- → wontfix
status-firefox66: affectedwontfix
status-firefox-esr60: --- → wontfix
Flags: needinfo?(valentin.gosu)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #21)

Did you mean to re-land the crashtest?

I filed bug 1527126 for that. It was triggering some other assertions on OSX.

Flags: needinfo?(valentin.gosu)
Regressions: 1554202

Comment on attachment 9037193 [details]
Bug 1517025 - Add crashtest with invalid URL r=kershaw!

Revision D16817 was moved to bug 1527126. Setting attachment 9037193 [details] to obsolete.

Attachment #9037193 - Attachment is obsolete: true
Regressions: 1677828
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: