Closed
Bug 1049583
Opened 10 years ago
Closed 10 years ago
Screensharing allowed_domains needs limited wildcard matching.
Categories
(Core :: WebRTC: Audio/Video, defect, P1)
Core
WebRTC: Audio/Video
Tracking
()
RESOLVED
FIXED
mozilla34
People
(Reporter: ehugg, Assigned: pkerr)
References
Details
(Whiteboard: [p=1])
Attachments
(1 file, 2 obsolete files)
2.86 KB,
patch
|
mt
:
review+
ehugg
:
review+
Sylvestre
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
Based on comments in other bugs and some email exchanges this is what I think we need for wildcard matching of domain names in media.getusermedia.screensharing.allowed_domains
We will only allow the wildcard at the beginning of the string and only when followed by a '.'. Also there must be at least one other '.' in the string to avoid allowing an entire TLD. The wildcard can then match any number of subdomains on the front.
In other words these uses would not be allowed:
- "*"
- "*.foo"
- "*foo.bar"
- "foo.*.bar"
And these would work:
- "*.foo.bar"
- "*.foo.bar.baz"
Reporter | ||
Updated•10 years ago
|
Comment 1•10 years ago
|
||
Paul - can you take this one?
Also (though it's likely ill-formed anyways) *..foo should also fail, and *.foo. (which due to vagaries of DNS *might* resolve to *.foo)
Flags: needinfo?(pkerr)
Reporter | ||
Comment 2•10 years ago
|
||
Instead of just refusing *.TLD, it looks like we should be checking this file:
netwerk/dns/effective_tld_names.dat
It was created in bug 342314 for preventing abuse of cookies.
Assignee | ||
Comment 3•10 years ago
|
||
(In reply to Randell Jesup [:jesup] from comment #1)
> Paul - can you take this one?
>
> Also (though it's likely ill-formed anyways) *..foo should also fail, and
> *.foo. (which due to vagaries of DNS *might* resolve to *.foo)
Yes I can. I already have a partial implementation of wildcard domain expansion about which Martin and I exchanged comments.
Flags: needinfo?(pkerr)
Assignee | ||
Updated•10 years ago
|
Assignee: nobody → pkerr
Assignee | ||
Updated•10 years ago
|
Status: NEW → ASSIGNED
Comment 4•10 years ago
|
||
Can we use public suffix + 1?
Assignee | ||
Comment 5•10 years ago
|
||
(In reply to Martin Thomson [:mt] from comment #4)
> Can we use public suffix + 1?
Ethan, what is your reason for matching more that one level of sub-domains? What Martin is proposing is similar to certificate validation. (see comment https://bugzilla.mozilla.org/show_bug.cgi?id=1037424#c16)
Flags: needinfo?(ethanhugg)
Assignee | ||
Comment 6•10 years ago
|
||
Version with single level wildcard implemented.
Assignee | ||
Updated•10 years ago
|
Attachment #8468934 -
Flags: feedback?(ethanhugg)
Reporter | ||
Comment 7•10 years ago
|
||
Comment on attachment 8468934 [details] [diff] [review]
Allow sub-domain wildcard on ScreenSharing domain whitelist patterns
Review of attachment 8468934 [details] [diff] [review]:
-----------------------------------------------------------------
::: dom/media/MediaManager.cpp
@@ +155,5 @@
> + NS_WARNING("Ill-formed domain pattern");
> + return false;
> + }
> + /*
> + FIXME(PRK) determine how many sub-domains are allowed to pass for a wildcard.
I have not received the official word yet but I would like to say that this will work for us as I have not seen any of our sites with multiple sub-domains. I'm inclined to go with this for now.
Attachment #8468934 -
Flags: feedback?(ethanhugg) → feedback+
Reporter | ||
Comment 8•10 years ago
|
||
One level will probably work for us but I haven't got all info from our side yet.
Does this patch satisfy the Mozilla's security needs or will you need to add checking of the public suffix list?
Flags: needinfo?(ethanhugg)
Comment 9•10 years ago
|
||
Comment on attachment 8468934 [details] [diff] [review]
Allow sub-domain wildcard on ScreenSharing domain whitelist patterns
Review of attachment 8468934 [details] [diff] [review]:
-----------------------------------------------------------------
::: dom/media/MediaManager.cpp
@@ +110,5 @@
> using dom::SupportedAudioConstraints;
> using dom::SupportedVideoConstraints;
>
> +static bool
> +HostInDomain(const nsACString &aHost, const nsACString &aDomain)
aDomain is the pattern? Call it aPattern then.
This function could be a lot shorter and easier to read. We don't need to validate the inputs here. One has already been validated as a URL and if the other one doesn't match that, then it's merely ineffectual as a method for enabling something.
if (aPattern.Length() > 2 && aPattern[0] == '*' && aPattern[1] == '.') {
int32_t dot = aHost.FindChar('.');
if (dot <= 0) { // < 0 would be enough, but the <= is harmless
return false;
}
host = Substring(aHost, dot);
pattern = Substring(aPattern, 2);
} else {
host = aHost;
pattern = aPattern;
}
// have you verified that the pref is converted in ACE form before this point
// and that it's safe to do so on a name that is essentially invalid
// (i.e., one starting with '*' ? Because people do enter prefs by hand, and
// people don't understand the finer points on different unicode normalization
// forms so that they get their input exactly correct.
return host == pattern;
Assignee | ||
Comment 10•10 years ago
|
||
(In reply to Martin Thomson [:mt] from comment #9)
> This function could be a lot shorter and easier to read. We don't need to
> validate the inputs here. One has already been validated as a URL and if
> the other one doesn't match that, then it's merely ineffectual as a method
> for enabling something.
>
In this case, the URI is taken from the DOM for the document and should be in correct (ASCII) form. Removing the explicit checks of the domain pattern against bad formats mentioned in previous comments, except the "*." leading wildcard and the need to have at least one subdomain, could be handled as you demonstrate. I am comfortable with that approach as we are not able to provide any feedback as to a bad wildcard format in anything beyond a log file; we have no UI other than about:config.
I will double check that the ConvertUTF8toACE service call can handle the '*'.
Assignee | ||
Comment 11•10 years ago
|
||
Simplified version based on feedback. ConvertUTF8ToACE does appear to correctly handle subdomain consisting of only '*'
Assignee | ||
Updated•10 years ago
|
Attachment #8468934 -
Attachment is obsolete: true
Assignee | ||
Comment 12•10 years ago
|
||
Removed now unecessary include of ctype.h
Assignee | ||
Updated•10 years ago
|
Attachment #8469626 -
Attachment is obsolete: true
Assignee | ||
Updated•10 years ago
|
Attachment #8469634 -
Flags: review?(martin.thomson)
Attachment #8469634 -
Flags: review?(ethanhugg)
Updated•10 years ago
|
Attachment #8469634 -
Flags: review?(martin.thomson) → review+
Reporter | ||
Comment 13•10 years ago
|
||
Comment on attachment 8469634 [details] [diff] [review]
Allow sub-domain wildcard on ScreenSharing domain whitelist patterns
Review of attachment 8469634 [details] [diff] [review]:
-----------------------------------------------------------------
lgtm
Attachment #8469634 -
Flags: review?(ethanhugg) → review+
Assignee | ||
Updated•10 years ago
|
Whiteboard: [p=1]
Assignee | ||
Updated•10 years ago
|
Keywords: checkin-needed
Assignee | ||
Updated•10 years ago
|
Priority: -- → P1
Target Milestone: --- → mozilla34
Version: unspecified → Trunk
Assignee | ||
Updated•10 years ago
|
Whiteboard: [p=1] → [p=1][screensharing-uplift]
Comment 14•10 years ago
|
||
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated•10 years ago
|
Flags: qe-verify-
Comment 16•10 years ago
|
||
Comment on attachment 8469634 [details] [diff] [review]
Allow sub-domain wildcard on ScreenSharing domain whitelist patterns
Approval Request Comment
[Feature/regressing bug #]: screensharing whitelist
[User impact if declined]: Have to manually list all relevant subdomains. Important to the planned use of the feature
[Describe test coverage new/current, TBPL]: manual testing
[Risks and why]: very low risk other than a bug could make it overly permissive or not permissive enough.
[String/UUID change made/needed]: none
Attachment #8469634 -
Flags: approval-mozilla-aurora?
Comment 17•10 years ago
|
||
Not that I think this is going to happen (I reviewed the code and it looked fine), but I don't think we should understate the impact of "overly permissive" in this context. Screensharing, particularly as embodied here, risks destroying cross-origin content protection. We'd still have a consent dialog, but we've seen (repeatedly) that users are incapable of understanding the implications of a choice to permit screensharing.
Comment 18•10 years ago
|
||
(In reply to Martin Thomson [:mt] from comment #17)
> Not that I think this is going to happen (I reviewed the code and it looked
> fine), but I don't think we should understate the impact of "overly
> permissive" in this context. Screensharing, particularly as embodied here,
> risks destroying cross-origin content protection. We'd still have a consent
> dialog, but we've seen (repeatedly) that users are incapable of
> understanding the implications of a choice to permit screensharing.
Agreed, though I was referring to "if the code has a bug" it might be overly permissive. Though the code overall is pretty simple.
Updated•10 years ago
|
status-firefox33:
--- → affected
status-firefox34:
--- → fixed
Updated•10 years ago
|
Attachment #8469634 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 19•10 years ago
|
||
Updated•10 years ago
|
Whiteboard: [p=1][screensharing-uplift] → [p=1]
Comment 20•10 years ago
|
||
Comment on attachment 8469634 [details] [diff] [review]
Allow sub-domain wildcard on ScreenSharing domain whitelist patterns
Review of attachment 8469634 [details] [diff] [review]:
-----------------------------------------------------------------
::: dom/media/MediaManager.cpp
@@ +159,3 @@
> Test each domain name in the comma separated list
> after converting from UTF8 to ASCII. Each domain
> must match exactly: no wildcards are used.
You forgot to update this comment, which is now wrong.
Comment 21•10 years ago
|
||
comment-only fix rs=me
https://hg.mozilla.org/integration/mozilla-inbound/rev/d44797d191e5
Comment 22•10 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•