Closed
Bug 779007
Opened 12 years ago
Closed 12 years ago
Audit our privileged about: pages
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(firefox15 fixed, firefox16 fixed, firefox-esr10 unaffected)
RESOLVED
FIXED
Firefox 17
| Tracking | Status | |
|---|---|---|
| firefox15 | --- | fixed |
| firefox16 | --- | fixed |
| firefox-esr10 | --- | unaffected |
People
(Reporter: Margaret, Assigned: Margaret)
References
Details
(Keywords: sec-audit, Whiteboard: [advisory-tracking-])
Attachments
(1 file, 1 obsolete file)
|
1.24 KB,
patch
|
mfinkle
:
review+
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
A lot of our about: pages are privileged, and it seems like some of them don't need to be (e.g. about:certerror, about:blocked). I'm also unsure why we're not using the URI_SAFE_FOR_UNTRUSTED_CONTENT flag for unprivileged pages. I think it would be worthwhile to just make sure we're being as safe as can be here.
|
||
Comment 1•12 years ago
|
||
Not using URI_SAFE_FOR_UNTRUSTED_CONTENT for unprivileged pages is weird, but isn't a security issue (it just means none of the pages are linkable from untrusted content). Having pages that can be loaded (indirectly) by content be privileged *is* a security issue, though. about:home (via window.home()), about:certerror/blocked (via embedding a phishing/malware page, or page with a bad cert) are in this category.
|
||
Updated•12 years ago
|
tracking-fennec: --- → ?
|
Assignee | |
Comment 2•12 years ago
|
||
I looked in blockedSite.xhtml, aboutCertError.xhtml, and aboutHome.xhtml, and none of these pages try to make any privileged calls. Unlike desktop, our about:/about:firefox pages have the update install stuff, but that's okay because external pages can't link to it.
Assignee: nobody → margaret.leibovic
Attachment #647578 -
Flags: review?(mark.finkle)
|
|
Assignee | |
Comment 3•12 years ago
|
||
Whoops wrong patch.
Attachment #647578 -
Attachment is obsolete: true
Attachment #647578 -
Flags: review?(mark.finkle)
Attachment #647579 -
Flags: review?(mark.finkle)
|
||
Comment 4•12 years ago
|
||
Comment on attachment 647579 [details] [diff] [review] don't make about: pages privileged if they don't need to be blockedSite and aboutCertError use "click" events handled in browser.js, which should still work fine with this change.
Attachment #647579 -
Flags: review?(mark.finkle) → review+
|
|
Assignee | |
Comment 5•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/89fb39735ee3
Target Milestone: --- → Firefox 17
|
|
Assignee | |
Comment 6•12 years ago
|
||
Comment on attachment 647579 [details] [diff] [review] don't make about: pages privileged if they don't need to be [Approval Request Comment] Bug caused by (feature/regressing bug #): n/a User impact if declined: possible security risk from content indirectly loading privileged about pages Testing completed (on m-c, etc.): just landed on inbound Risk to taking this patch (and alternatives if risky): low-risk, changing the privilege level of some pages to match desktop String or UUID changes made by this patch: n/a
Attachment #647579 -
Flags: approval-mozilla-beta?
Attachment #647579 -
Flags: approval-mozilla-aurora?
|
||
Comment 7•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/89fb39735ee3 Is it possible to test this?
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
|
|
Assignee | |
Comment 8•12 years ago
|
||
(In reply to Ryan VanderMeulen from comment #7) > https://hg.mozilla.org/mozilla-central/rev/89fb39735ee3 > > Is it possible to test this? We don't have any automated test for this AFAIK. On desktop you can use the web console to try to execute privileged code while on an about: page (e.g. try running |Components.stack|), but this patch only affects mobile, so I'm not sure of the best way to test it. I think we can trust that setting this privileged flag does the right thing for these pages. Or otherwise we'd have a more serious problem! Gavin, do you have an idea of how to test this manually?
|
|
||
Comment 9•12 years ago
|
||
I don't think there's an easy way to test this manually in Fennec, short of exploiting one of our open security vulnerabilities :)
|
||
Comment 10•12 years ago
|
||
We might be able to create iframes containing the about pages, and use their windows as a sandbox context. On some chrome:// page, try this:
// no error
let iframe = document.createElement("iframe");
iframe.setAttribute("src", "about:config");
document.body.appendChild(iframe);
let sandbox = Components.utils.Sandbox(iframe.contentWindow);
Components.utils.evalInSandbox("Components.classes", sandbox);
// Error: Permission denied for <moz-safe-about:blank> to get property XPCComponents.classes
iframe = document.createElement("iframe");
iframe.setAttribute("src", "about:blank");
document.body.appendChild(iframe);
let sandbox = Components.utils.Sandbox(iframe.contentWindow);
Components.utils.evalInSandbox("Components.classes", sandbox);|
|
||
Comment 11•12 years ago
|
||
Oh, yes - I was assuming a "without changing code" constraint. It's certainly possible to test that the page isn't privileged by changing its code (or injecting code into it programmatically, etc.), but I assumed Margaret had done that locally already.
|
||
Updated•12 years ago
|
Attachment #647579 -
Flags: approval-mozilla-beta?
Attachment #647579 -
Flags: approval-mozilla-beta+
Attachment #647579 -
Flags: approval-mozilla-aurora?
Attachment #647579 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 12•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/998b5d096f2c https://hg.mozilla.org/releases/mozilla-beta/rev/60f195931a12
|
||
Updated•12 years ago
|
Whiteboard: [advisory-tracking-]
|
|
||
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
|
||
Updated•12 years ago
|
Group: core-security
|
||
Updated•3 years ago
|
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•