Closed Bug 380994 (CVE-2007-3073) Opened 17 years ago Closed 16 years ago

Fix for bug 367428 lets through escaped slashes on Linux (windows too on trunk)

Categories

(Core :: Networking, defect, P1)

Product:
Core
Component:
Networking
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9

People

(Reporter: bzbarsky, Assigned: dveditz)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [sg:dos])

Attachments

(3 files, 3 obsolete files)

Address biesi's comments
4.73 KB, patch
Biesinger
: review+
samuel.sidler+old
: approval1.8.1.17+
samuel.sidler+old
: approval1.9.0.2+
asac
: approval1.8.0.next+
Details | Diff | Splinter Review
incremental patch on top of what's checked in
1.10 KB, patch
Biesinger
: review+
dveditz
: approval1.8.1.17+
dveditz
: approval1.9.0.2+
asac
: approval1.8.0.next+
Details | Diff | Splinter Review
iterator hack (on top) for 1.8.0
1.25 KB, patch
Biesinger
: review+
asac
: approval1.8.0.next+
Details | Diff | Splinter Review 
STEPS TO REPRODUCE:

1)  Open browser on Linux
2)  Load resource:///..%2F..%2F..%2F in it

EXPECTED RESULTS:  Don't see file list for an ancestor of the install directory

ACTUAL RESULTS: I'm looking at a listing of ~bzbarsky (since the browser is installed under ~bzbarsky/mozilla/nightly/install-dir).
Flags: blocking1.9?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Keywords: privacy
Whiteboard: [sg:low]
Blocks: CVE-2007-3072
This was reported publicly, so opening.
Group: security
It was?  Where?
Flags: blocking1.9? → blocking1.9+
Taking for now, but biesi if you have time for this I'd much appreciate it.
Assignee: nobody → benjamin
taking to get a fix in.
Assignee: benjamin → dveditz
On trunk it looks like windows can get fooled by ..%2f.. too.
Flags: blocking1.8.1.5+ → blocking1.8.1.6+
Summary: Fix for bug 367428 lets through escaped slashes on Linux → Fix for bug 367428 lets through escaped slashes on Linux (windows too on trunk)
Whiteboard: [sg:low] → [sg:low dos]
Target Milestone: --- → mozilla1.9beta1
resource:///..%2F..%2F..%2F..%2F/etc/host.conf
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Flags: in-testsuite?
Blocks: 395343
Flags: blocking1.8.1.8+ → blocking1.8.1.9+
Target Milestone: mozilla1.9 M8 → mozilla1.9 M10
Priority: -- → P4
Flags: blocking1.8.0.14+
Flags: blocking1.8.1.12+ → blocking1.8.1.13+
macosx on ppc seems partially affected - can traverse up to /Volumes (when started from .dmg)
Whiteboard: [sg:low dos] → [sg:low dos][needs patch]
Target Milestone: mozilla1.9beta2 → mozilla1.9beta4
Moving bugs that aren't beta 4 blockers to target final release.
Target Milestone: mozilla1.9beta4 → mozilla1.9
Dan says this should block. It's blocking on branch as well.
Flags: blocking1.9?
Priority: P4 → P2
Flags: tracking1.9+
Flags: blocking1.9?
Flags: blocking1.9+
Blocks: 416318
Flags: blocking1.8.1.13+ → blocking1.8.1.14+
Dveditz you on this?
Given this is sg:low/dos taking off the blocker list - we'd certainly take a patch..
Flags: blocking1.9+ → blocking1.9-
Flags: wanted1.9.0.x?
This isn't quite limited to a dos.  It has potential for data leakage, since any website can link to resource: scripts and stylesheets and then try to glean data from the result.  For example, if you happen to have any interesting data stored in JSON on your hard drive, you lose.

I agree that it's not stop-ship, but I think it should be a very high priority for fixing as soon as we possibly can....
Flags: blocking1.9- → blocking1.9?
Not blocking, but wanted1.9.0.x+, based on comment #13.
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9?
Flags: blocking1.9-
Flags: blocking1.8.1.15+ → blocking1.8.1.16+
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Attached patch coalesce escaped slashes too (obsolete) — Splinter Review 
The line numbers in the patch are for the 1.8 branch, but it applies cleanly to cvs trunk and mozilla-central
Attachment #335516 - Flags: superreview?(benjamin)
Attachment #335516 - Flags: review?(benjamin)
Comment on attachment 335516 [details] [diff] [review]
coalesce escaped slashes too

Well, this will work but will almost certainly cause multiple allocations for URIs over 40 chars... can you at least SetCapacity on spec before entering the loop?

Also, this needs a unit-test... you should be able to add a trivial one to http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/test_bug337744.js or write a new test copying that code.
Attachment #335516 - Flags: superreview?(benjamin)
Attachment #335516 - Flags: review?(benjamin)
Attachment #335516 - Flags: review-
Attached patch updated, with testcase (obsolete) — Splinter Review 

        Attachment #335516 -
        Attachment is obsolete: true

        Attachment #335650 -
        Flags: superreview?(benjamin)

        Attachment #335650 -
        Flags: review?(benjamin)

    
    

    
  
Worked a fix for related bug 394075 into this patch.
Blocks: 394075

    
    

    
  
Comment on attachment 335650 [details] [diff] [review]
updated, with testcase

+        if (*src == '%' && *(src+1) == '2') {

*(src+1) mighht not be valid. You need to check that src+1 != end.

Similar on the next line

(an nsACString isn't necessarily nullterminated)

I also don't think that appending character-by-character is particularly efficient code... but that probably doesn't matter much. (other code keeps track of how many characters were left unchanged and append them in once call. cf. http://mxr.mozilla.org/mozilla-central/source/xpcom/io/nsEscape.cpp#516)

I'd suggest spaces around your + operators but this file doesn't really seem to do that

r+sr=biesi if you fix the src+1 thing

    
    

    
  
> *(src+1) mighht not be valid.

so may be:
char ch = *(src+2);

    
    

    
  


  

        Attachment #335650 -
        Attachment is obsolete: true

        Attachment #335650 -
        Flags: superreview?(benjamin)

        Attachment #335650 -
        Flags: review?(benjamin)
Whiteboard: [sg:low dos][needs patch] → [sg:low dos]

    
    

    
  
Comment on attachment 335671 [details] [diff] [review]
Address biesi's comments

Approved for 1.8.1.17. a=ss

        Attachment #335671 -
        Flags: approval1.8.1.17+

    
    

    
  
Comment on attachment 335671 [details] [diff] [review]
Address biesi's comments

And approved for 1.9.0.2 as well. a=ss

        Attachment #335671 -
        Flags: approval1.9.0.2+

    
    

    
  
Fix checked in to 1.8.1 and 1.9.0 branches. Will seek retroactive r= from biesi to make sure this is what he wanted
Keywords: fixed1.8.1.17, 
          
            fixed1.9.0.2

    
  

        Attachment #335671 -
        Flags: review?(cbiesinger)

    
    

    
  
+           if (*(src+2) == 'f' || *(src+***1***) == 'F')
+             ch = '/';
+           else if (*(src+2) == 'e' || *(src+2) == 'E')

is the only |+1| on purpose ?


    
    

    
  
Comment on attachment 335671 [details] [diff] [review]
Address biesi's comments

+           if (*(src+2) == 'f' || *(src+1) == 'F')

I agree with georgi, that should be +2

maybe the test should verify the final URL's spec, instead of just verifying that it doesn't contain ..?

        Attachment #335671 -
        Flags: review?(cbiesinger) → review+

    
    

    
  


  

        Attachment #335741 -
        Flags: review?(cbiesinger)

        Attachment #335741 -
        Flags: approval1.9.0.2+

        Attachment #335741 -
        Flags: approval1.8.1.17+

        Attachment #335741 -
        Flags: review?(cbiesinger) → review+

    
    

    
  
This needs to land both on the branch and on the GECKO190_20080827_RELBRANCH

    
    

    
  
Er, make that both branches (1.8.1 and 1.9) and GECKO190_20080827_RELBRANCH

    
    

    
  
incremental fix checked into 1.8, 1.9 and _RELBRANCH. Filed bug 452470 for improving the testcase.

    
  
Keywords: fixed1.9.0.3

    
    

    
  
Verified on latest build candidates for 20017 and 3.0.2. When I load resource:///..%2F..%2F..%2F I see the contents of these directories: 

On 20016
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/../../../
Index of file:///home/mozilla/Desktop/firefox/../../../
WinXP/Vista (nothing happens)

On 20017
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/
Index of file:///home/mozilla/Desktop/firefox/
Index of file:///C:/Program Files/Mozilla Firefox/

On 3.0.1
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/../../../
Index of file:///home/mozilla/Desktop/firefox/../../../
WinXP/Vista (nothing happens)

On 3.0.2
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/
Index of file:///home/mozilla/Desktop/firefox/
Index of file:///C:/Program Files/Mozilla Firefox/
Keywords: fixed1.8.1.17, 
          
            fixed1.9.0.2verified1.8.1.17, 
          
            verified1.9.0.2

    
    

    
  
Comment on attachment 335671 [details] [diff] [review]
Address biesi's comments

a=asac for 1.8.0.15 (with attachment 335741 [details] [diff] [review])

        Attachment #335671 -
        Flags: approval1.8.0.15+

    
  

        Attachment #335741 -
        Flags: approval1.8.0.15+

    
    

    
  
Comment on attachment 335741 [details] [diff] [review]
incremental patch on top of what's checked in

a=asac for 1.8.0.15 (with attachment 335741 [details] [diff] [review] and iterator backport patch)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        iterator hack (on top) for 1.8.0 (obsolete)
        — Splinter Review
      

    


  
biesi, you think this 1.8.0 fix is too ugly for the sake of keeping the other patches the unmodified?

        Attachment #336249 -
        Flags: review?(cbiesinger)

    
  
Flags: blocking1.8.0.15+

    
    

    
  


  
err, here the one that was meant to be attached :)

        Attachment #336249 -
        Attachment is obsolete: true

        Attachment #336251 -
        Flags: review?(cbiesinger)

        Attachment #336249 -
        Flags: review?(cbiesinger)

        Attachment #336251 -
        Flags: review?(cbiesinger) → review+

    
    

    
  
Comment on attachment 336251 [details] [diff] [review]
iterator hack (on top) for 1.8.0 

this is for 180 only? fine with me :)

    
  

        Attachment #336251 -
        Flags: approval1.8.0.15+

    
    

    
  
Comment on attachment 336251 [details] [diff] [review]
iterator hack (on top) for 1.8.0 

a=asac for 1.8.0.15

thanks biesi!

    
    

    
  
can't we resolve this as fixed, now?

    
    

    
  
I need someone to check this into mozilla-central to call it "fixed"
Keywords: checkin-needed

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/6dad95d60106
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: checkin-needed
Resolution: --- → FIXED

    
  
Flags: in-testsuite? → in-testsuite+

    
    

    
  
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102304 GranParadiso/3.0.4pre.
Keywords: fixed1.9.0.4verified1.9.0.4

    
    

    
  
This landed before 1.9.1 branched
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Flags: blocking1.9.1+
Priority: P2 → P1

    
    

    
  
(In reply to comment #43)
> This landed before 1.9.1 branched

Adding fixed1.9.1
Keywords: fixed1.9.1

    
  
Alias: CVE-2007-3073

    
  
Whiteboard: [sg:low dos] → [sg:dos]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: