Closed Bug 233108 Opened 21 years ago Closed 20 years ago

[FIX]Make checkLoadURI configurable by-site

Categories

(Core :: Security: CAPS, defect, P1)

Product:
Core
Component:
Security: CAPS
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8alpha5

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

(Blocks 1 open bug)

Details

(Whiteboard: [Usage examples: see bug 84128 comment 194 and 199])

Attachments

(1 file, 3 obsolete files)

Merged to trunk
1.92 KB, patch
dveditz
: approval-aviary1.0.1-
dveditz
: approval1.7.6-
Details | Diff | Splinter Review 
I want to make checkLoadURI configurable per-site.  The patch I posted in bug
84128 comment 194 (dear God) does that, more or less.  The one issue is that it
relies on converting the URI to a principal.

Now I expect that a number of callers already have a principal.  So I propose
the following setup:

1)  Add a noscript checkLoadURI that takes a principal
2)  Make this be the main impl
3)  Have the URI version create a principal from the uri and call the other
    version.

This will leave JS code calling CheckLoadURI a little less efficient, but not
much and will improve efficiency (and correctness, since there is more to a
principal than just a URI) of other code that calls this function.

Seem reasonable, caillon?
Blocks: clu
Attached patch Like so (obsolete) — Splinter Review 

    
  

        Attachment #140852 -
        Flags: review?(caillon)

    
    

    
  
*** Bug 135830 has been marked as a duplicate of this bug. ***

    
  
Blocks: 135830

    
    

    
  
Mental note.  The change to nsDocument::SetBaseURI needs to call GetPrincipal(),
not just use mPrincipal, since the principal is generated lazily.  Please let me
know if you want an updated patch with that fixed.

    
    

    
  
Caillon?  Any chance of an ETA on the review?
Summary: Make checkLoadURI configurable by-site → [FIX]Make checkLoadURI configurable by-site

    
    

    
  
(In reply to comment #3)
> Mental note.  The change to nsDocument::SetBaseURI needs to call GetPrincipal(),
> not just use mPrincipal, since the principal is generated lazily.  Please let me
> know if you want an updated patch with that fixed.

Please do.  Additionally, if you could split this up into "API changes vs
capability changes", that would really be nice.  I agree with all three proposed
API changes outlined in comment 0, but need some time to think about the
checkLoadURI being configurable by capability policies portion.  In particular
(for my personal notes) I want to re-hash how our capability things work, and
how well they mesh with an eventual security zone policy.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Just the API change (obsolete)
        — Splinter Review
      

    


  

        Attachment #140852 -
        Attachment is obsolete: true

    
  

        Attachment #146727 -
        Flags: review?(caillon)

    
    

    
  


  
Well, that was painful.  I need to land some of this crap that's all over my
tree.... :(

    
    

    
  
Comment on attachment 146727 [details] [diff] [review]
Just the API change

> NS_IMETHODIMP
> nsScriptSecurityManager::CheckLoadURI(nsIURI *aSourceURI, nsIURI *aTargetURI,
>                                       PRUint32 aFlags)
> {
>+    NS_PRECONDITION(aSourceURI, "CheckLoadURI called with null source URI");
>+    if (!aSourceURI) {
>+        return NS_ERROR_UNEXPECTED;
>+    }

NS_ENSURE_ARG_POINTER

>+    
>+    nsCOMPtr<nsIPrincipal> sourcePrincipal;
>+    nsresult rv = CreateCodebasePrincipal(aSourceURI,
>+                                          getter_AddRefs(sourcePrincipal));
>+    NS_ENSURE_SUCCESS(rv, rv);
>+    return CheckLoadURIWithPrincipal(sourcePrincipal, aTargetURI, aFlags);
>+}
>+
>+NS_IMETHODIMP
>+nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
>+                                                   nsIURI *aTargetURI,
>+                                                   PRUint32 aFlags)
>+{
>+    NS_PRECONDITION(aPrincipal, "CheckLoadURIWithPrincipal must have a principal");
>+    if (!aPrincipal) {
>+        return NS_ERROR_UNEXPECTED;
>+    }

NS_ENSURE_ARG_POINTER

>+
>+    if (aPrincipal == mSystemPrincipal) {
>+        // Allow access
>+        return NS_OK;
>+    }
>+    
>+    nsCOMPtr<nsIURI> sourceURI;
>+    aPrincipal->GetURI(getter_AddRefs(sourceURI));
>+
>+    NS_ASSERTION(sourceURI, "Principals passed to CheckLoadURIWithPrincipal must have a URI!");

The assertion text is wrong, or your code is.  System principals don't have a
URI....

>+    
>     nsresult rv;
>     //-- get the source scheme
>     nsXPIDLCString sourceScheme;
>-    rv = GetBaseURIScheme(aSourceURI, getter_Copies(sourceScheme));
>+    rv = GetBaseURIScheme(sourceURI, getter_Copies(sourceScheme));

|nsresult rv = GetBase....|



>Index: content/xsl/public/nsIDocumentTransformer.h


>   NS_IMETHOD LoadStyleSheet(nsIURI* aUri, nsILoadGroup* aLoadGroup,
>-                            nsIURI* aReferrerUri) = 0;
>+                            nsIPrincipal* aCallerPrincipal) = 0;

Would "aDocumentPrincipal" be a better name here (and in subsequent places)? 
Otherwise, just aPrincipal will work.  Obviously if its passed in, its from a
caller....


>Index: content/xbl/src/nsXBLService.cpp
>+  // XXXbz wouldn't anything with a chrome URI get the system principal?

No.  Bug 160042.


r=caillon

        Attachment #146727 -
        Flags: review?(caillon) → review+

    
    

    
  
> NS_ENSURE_ARG_POINTER

Will do.

> The assertion text is wrong, or your code is.  System principals don't have a
> URI....

Are there system principals other than mSystemPrincipal?  This assert comes
after the early bail if aPrincipal == mSystemPrincipal, no?  I can change the
text of the assert to say "non-system principals" if you prefer.

> |nsresult rv = GetBase....|

Will do.

> Would "aDocumentPrincipal" be a better name here (and in subsequent places)? 

I see nothing in the API restricting this to documents, and it would be unclear
which document.

> Obviously if its passed in, its from a caller....

The point is that the principal identifies the caller.  As in, it tells us who
is calling us.  aPrincipal could be a principal the caller wants us to use
somewhere or a whole slew of other things.  I can change this if you want, but I
did spend a good amount of time picking this name, and I think it's the best
compromise between aPrincipal and
aPrincipalThatWeShouldUseForAllSecurityChecks... ;)

> No.  Bug 160042.

Should I remove the comment, or just change it to reference that bug?


    
    

    
  
Comment on attachment 146727 [details] [diff] [review]
Just the API change

Dan, could you sr?

        Attachment #146727 -
        Flags: superreview?(dveditz)

    
    

    
  
(In reply to comment #9)
>> The assertion text is wrong, or your code is.  System principals don't have a
>> URI....
> 
> Are there system principals other than mSystemPrincipal?  This assert comes
> after the early bail if aPrincipal == mSystemPrincipal, no?  I can change the
> text of the assert to say "non-system principals" if you prefer.

Right.  I meant that the assertion that "Principals passed to
CheckLoadURIWithPrincipal must have a URI!" is misleading because it is valid
for system principals (and you are correct, there is only one system principal;
otherwise pointer comparisons would not work) to be passed in, as the code
handles it, and those do not have a URI.  So, yes, please change the wording. 
Sorry for being enigmatical.


> Should I remove the comment, or just change it to reference that bug?

Your call.  XXXbz implies you want to fix it though, so you may elect to just
discard it...  :-)


    
    

    
  
> I think it's the best compromise between aPrincipal and
aPrincipalThatWeShouldUseForAllSecurityChecks... ;)

Well. being a principal sort of implies that we should use it for security
checks n stuff...  ;-)  I don't really care that much.  I just thought it an odd
name.  Feel free to leave it.

    
    

    
  
> So, yes, please change the wording. 

Will do.

    
    

    
  
Comment on attachment 146727 [details] [diff] [review]
Just the API change

Keep an eye on Tp
sr=dveditz

        Attachment #146727 -
        Flags: superreview?(dveditz) → superreview+

    
    

    
  
Comment on attachment 146727 [details] [diff] [review]
Just the API change

Checked in; Tp looks fine.

        Attachment #146727 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 146728 [details] [diff] [review]
Behavior change (to be applied on top of previous patch)

Moving on to what this bug is actually about...

        Attachment #146728 -
        Flags: review?(caillon)

    
    

    
  
Comment on attachment 146728 [details] [diff] [review]
Behavior change (to be applied on top of previous patch)

? (char*)loadURIPrefGroup,

There should be no need to do that cast.

    
    

    
  
Ah, indeed.  That code was mostly copy/pasted from other places that access
content policy...

    
    

    
  
Chris, are we likely to end up with large-scale CAPS rearch in 1.8?  If not, I
think I'd like to check in the existing patch to make this usable on intranets
without having to completely disable the security check....  The number of bug
reports I've seen where people had that check disabled altogether so they could
use Mozilla at work (4 or 5 at this point) scares me.
Priority: -- → P1
Target Milestone: --- → mozilla1.8alpha2

    
    

    
  
*** Bug 259285 has been marked as a duplicate of this bug. ***

    
    

    
  
Comment on attachment 146728 [details] [diff] [review]
Behavior change (to be applied on top of previous patch)

I hoped to get this done via a zone policy, but in light of that not happening,
this is reasonable.

The main thing I don't like is using something designed for checking javascript
object access for this purpose.  If someone has a classinfo which reports a
name of "checkloaduri" it will conflict.  Will that be a huge issue?  Probably
not.

r=caillon

        Attachment #146728 -
        Flags: review?(caillon) → review+

    
    

    
  
Comment on attachment 146728 [details] [diff] [review]
Behavior change (to be applied on top of previous patch)

jst@moz

        Attachment #146728 -
        Flags: superreview?

    
  

        Attachment #146728 -
        Flags: superreview?(jst)

    
  

        Attachment #146728 -
        Flags: superreview?

    
    

    
  
Comment on attachment 146728 [details] [diff] [review]
Behavior change (to be applied on top of previous patch)

sr=jst

        Attachment #146728 -
        Flags: superreview?(jst) → superreview+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Merged to trunkSplinter Review
      

    


  

    
  

        Attachment #146728 -
        Attachment is obsolete: true

    
    

    
  
Fix checked in on trunk.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Target Milestone: mozilla1.8alpha2 → mozilla1.8alpha5

    
  
QA Contact: benc
Whiteboard: [Usage examples: see bug 84128 comment 194 and 199]

    
    

    
  
Comment on attachment 164403 [details] [diff] [review]
Merged to trunk

Shouldn't this security related enhancement be included in Mv1.7.x and FFv1.0.x
too ?

        Attachment #164403 -
        Flags: approval1.7.6?

        Attachment #164403 -
        Flags: approval-aviary1.0.1?

    
    

    
  
The patch that approval have been requested for depends on the api changes that are 
also attached to this bug.  I am strongly against making such api changes on the api-
stable branches for an enhancement. request 

    
    

    
  
Comment on attachment 164403 [details] [diff] [review]
Merged to trunk

This is not a security hole, the only reason we'd ship a ff1.0.1 or a Moz1.7.6.
Then there's the interface changes bz mentions which drivers also don't want
any more of on the branch. Denied on driver's behalf.

        Attachment #164403 -
        Flags: approval1.7.6?

        Attachment #164403 -
        Flags: approval1.7.6-

        Attachment #164403 -
        Flags: approval-aviary1.0.1?

        Attachment #164403 -
        Flags: approval-aviary1.0.1-

    
    

    
  
Thanks for answering my question !

    
    

    
  
*** Bug 312229 has been marked as a duplicate of this bug. ***

    
    

    
  
It would be nice if the text at:

http://www.mozilla.org/releases/mozilla1.7.12/known-issues.html#psm

was updated to describe this new process, instead of the old (ineffectual) one.

That link comes up first on google when searching for "Security Error content at may not load or link to".

    
    

    
  
How would that help?  The new setup doesn't work in Mozilla 1.7.12, so that would be a lie.

If you're saying the new setup should be documented, then I agree.  Is there not a devmo page about it?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: