Closed Bug 292589 Opened 19 years ago Closed 19 years ago

[FIX]XBL load missing content policy check (Thunderbird not blocking remote content)

Categories

(Core :: XBL, defect, P1)

Product:
Core
Component:
XBL
Version:
1.7 Branch
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta2

People

(Reporter: moz_bug_r_a4, Assigned: bzbarsky)

References

Details

(Keywords: fixed-aviary1.0.5, fixed1.7.9, privacy, Whiteboard: [sg:fix] have patch)

Attachments

(3 files)

Add content policy check to XBL
2.11 KB, patch
jst
: superreview+
shaver
: approval-aviary1.0.5+
dbaron
: approval-aviary1.1a1+
shaver
: approval1.7.8+
Details | Diff | Splinter Review
1.7 branch fix
1.60 KB, patch
Details | Diff | Splinter Review
Aviary branch fix... Gotta love forkage
2.13 KB, patch
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Thunderbird/1.0.2

Thunderbird doesn't block remote XBL, even though "Block loading of remote
images" setting is true.


Reproducible: Always

Steps to Reproduce:
create the following HTML mail, and receive it, and open it.

<body>
<p>If the remote XBL is loaded, a red box appears below.</p>
<p
style="-moz-binding:url(http://members.tripod.com/cv6y-mlr8-9hh/ixdc-5tn2/test.xml#x);"></p>
</body>


-----
http://members.tripod.com/cv6y-mlr8-9hh/ixdc-5tn2/test.xml is:

<?xml version="1.0"?>

<bindings xmlns="http://www.mozilla.org/xbl"
          xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">

  <binding id="x">
    <content>
      <xul:label value="This is the remote XBL content."
style="background-color: #f00;"/>
    </content>
  </binding>

</bindings>

Actual Results:  
The remote XBL is loaded.


Expected Results:  
The remote XBL is blocked.
This means XBL loads aren't being checked with any content policies, more of a
core issue (e.g. Adblock wouldn't work against these either). In addition to the
scripting exploit covered in your other bug this lets XBL function as a web-bug
or return-receipt.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Keywords: privacy
Whiteboard: [sg:fix]
So I can add a content-policy check in XBL.  Probably should.  But thunderbird
allows RSS to load anything it feels like, so that wouldn't help that much here;
just have to use the RSS feed as an attack vector instead of using an email.
This is compiled; not really tested, because I'm not sure how to test it...
(In reply to comment #2)
> So I can add a content-policy check in XBL.  Probably should.  But thunderbird
> allows RSS to load anything it feels like, so that wouldn't help that much here;
> just have to use the RSS feed as an attack vector instead of using an email.

Not if the attack is determination of valid email addresses by sending email and
waiting for "confirmation".
True.  ;)  The posted patch should help with that, I think.
I've been able to verify that Boris's patch does work for Thunderbird.
Thunderbird's cotent policy manager is now getting invoked and we are blocking
the remote xbl. I now get a warning at the top of the message saying that
thunderbird has blocked the remote content. 
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL

Note that I used the element we're trying to bound to as the context for the
content policy check.  I think that makes more sense than anything else I could
use here...
Attachment #183171 - Flags: superreview?(jst)
Attachment #183171 - Flags: review?(jst)
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL

r+sr=jst
Attachment #183171 - Flags: superreview?(jst)
Attachment #183171 - Flags: superreview+
Attachment #183171 - Flags: review?(jst)
Attachment #183171 - Flags: review+
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL

Requesting 1.0.4 approval, 1.8b2 approval, 1.7.x approval... which I can't,
since this isn't in Core.  :(
Attachment #183171 - Flags: approval-aviary1.0.4?
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL

Approving for trunk; please try to keep the checkin comment somewhat cryptic
(e.g., don't mention thunderbird).
Attachment #183171 - Flags: approval-aviary1.1a1+
-->Core
Assignee: dveditz → bzbarsky
Component: Security → XBL
Flags: review+
Product: Thunderbird → Core
Summary: Thunderbird doesn't block remote XBL, even though "Block loading of remote images" setting is true. → XBL load missing content policy check (Thunderbird not blocking remote content)
Version: unspecified → 1.7 Branch
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL

Requesting 1.7 approval too.  I've landed this on trunk.
Attachment #183171 - Flags: approval1.7.8?
Priority: -- → P1
Summary: XBL load missing content policy check (Thunderbird not blocking remote content) → [FIX]XBL load missing content policy check (Thunderbird not blocking remote content)
Target Milestone: --- → mozilla1.8beta2
That change may break builds with adblock installed... see bug 293778.  Need to
sort out whether it does, and if so why.  Does anyone have an adblock-mangled
debug build?
Depends on: 293778
So for branch we'll also want to take the one-liner for bug 293778 (it's a
one-line modification to this patch, basically).

Marking this fixed, since it's fixed on trunk....
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Attachment #183171 - Flags: approval-aviary1.0.4? → approval-aviary1.0.5?
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL

Approving for stable branches. a=shaver.
Attachment #183171 - Flags: approval1.7.8?
Attachment #183171 - Flags: approval1.7.8+
Attachment #183171 - Flags: approval-aviary1.0.5?
Attachment #183171 - Flags: approval-aviary1.0.5+
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL

This should probably get the aContent -> document fix from that other bug too,
before landing on the branches, right?
Yes.  That still needs reviews and stuff, though, so I'll hold off on landing on
branches till it gets that.
Attached patch 1.7 branch fixSplinter Review 

    
    

    
  
Yeah, I'm glad you caught that the content policy API is completely different
between the two branches (PRBool vs nsresult).  I've hit that a number of times...

    
    

    
  
Fixed on both branches.

Code inspection makes me think that this should work fine for Seamonkey 1.7.9
mailnews, but we should test to make sure once we spin the builds of course.
Keywords: fixed-aviary1.0.5, 
          
            fixed1.7.9

    
    

    
  
I filed bug 294307 on the issues in the 1.7 mailnews content policy that make
this fix not helpful in 1.7 mailnews.

    
  
Whiteboard: [sg:fix] → [sg:fix] have patch

    
    

    
  
v.fixed on aviary with version 1.0.5 (20050706) using the testcase in comment #0.

    
    

    
  
Adding distributors

    
    

    
  
Security advisories published
Group: security
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: