Closed Bug 1126798 Opened 10 years ago Closed 10 years ago

Socorro should restrict files uploaded with crash reports

Categories

(Socorro :: General, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: eusebiu.blindu, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36

Steps to reproduce:

I had a proxy running while Firefox was uploading a crash report.

POST /submit?id={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&version=30.0&buildid=20140608211622 HTTP/1.1
Host: crash-reports.mozilla.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 4047
Content-Type: multipart/form-data; boundary=---------------------------127879285517493204272098720149
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="PluginContentURL"

https://vimeo.com/117832849
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="StartupTime"

1422452588
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="EMCheckCompatibility"

true
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="ProductName"

Firefox
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="Vendor"

Mozilla
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="InstallTime"

1404159229
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="Theme"

classic/1.0
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="Notes"

OpenGL: ATI Technologies Inc. -- AMD Radeon HD 7500M/7600M Series -- 4.3.12798 Compatibility Profile Context 13.35.1005 -- texture_from_pixmap
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="FramePoisonSize"

4096
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="Version"

30.0
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="FramePoisonBase"

7ffffffff0dea000
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="ReleaseChannel"

release
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="useragent_locale"

chrome://global/locale/intl.properties
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="Add-ons"

%7B2e1445b0-2682-11e1-bfc2-0800200c9a66%7D:2013.09.20.beta,online-accounts%40lists.launchpad.net:0.5,ubufox%40ubuntu.com:2.9,%7Bb9db16a4-6edc-47ec-a1f4-b86292ed211d%7D:4.9.24,%7B972ce4c6-7e08-4474-a285-3208198ce6f1%7D:7000.2011.0707.1,%7BF5DDF39C-9293-4d5e-9AA8-E04E6DD5E9B4%7D:1.6.3,%7B9c51bd27-6ed8-4000-a2bf-36cb95c0c947%7D:11.0.1,xssme%40security.compass:0.4.6,sqlime%40security.compass:0.4.7,gspeed%40wobot.org:1.2,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:30.0,wappalyzer%40crunchlabz.com:3.0.14,langpack-en-ZA%40firefox.mozilla.org:30.0,langpack-en-GB%40firefox.mozilla.org:30.0,webapps-team%40lists.launchpad.net:3.0.2
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="BuildID"

20140608211622
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="ProductID"

{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="URL"

https://vimeo.com/117832849
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="CrashTime"

1422453650
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="PluginHang"

1
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="ProcessType"

plugin
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="additional_minidumps"

browser
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="PluginVersion"

11.2.202.394
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="PluginName"

Shockwave Flash
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="PluginFilename"

libflashplayer.so
-----------------------------127879285517493204272098720149
Content-Disposition: form-data; name="upload_file_minidump"; filename=".htaccess"
Content-Type: text/html

test

Actual results:

I noticed I can use any filename and content type there, so I can upload basically any content via that POST request. And maybe I can attack the support team.

Expected results:

The filename and Content-Type should be restricted.

Ted, do you know what checks are done here and/or if there's a serious security risk here?
Component: Untriaged → General
Flags: needinfo?(ted)
Product: Firefox → Socorro
Summary: arbitrary file upload in crash reports → Socorro should restrict files uploaded with crash reports
Version: 30 Branch → unspecified
This is not a problem. We accept a lot of metadata fields, but have a public whitelist for display.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(ted)
Resolution: --- → INVALID
Yeah, we already treat all this data as untrusted.
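
A sketch of the handling the last two comments describe (everything submitted is untrusted, and only allowlisted fields are displayed), as an added example that is not Socorro's code. `PUBLIC_FIELDS`, `parse_submission`, `public_view` and the sample body are assumptions constructed here; only the `upload_file_minidump` field name comes from the captured request.

```python
import uuid
from email.parser import BytesParser
from email.policy import HTTP

# Hypothetical allowlist of annotation names that may be shown publicly.
PUBLIC_FIELDS = {"ProductName", "Version", "BuildID", "ReleaseChannel"}
DUMP_FIELDS = {"upload_file_minidump"}  # field name seen in the captured request

# Constructed sample submission (not the reporter's full request).
SAMPLE_CT = "multipart/form-data; boundary=XBOUND"
SAMPLE_BODY = (
    b'--XBOUND\r\nContent-Disposition: form-data; name="ProductName"\r\n\r\nFirefox\r\n'
    b'--XBOUND\r\nContent-Disposition: form-data; name="Notes"\r\n\r\n<b>hi</b>\r\n'
    b'--XBOUND\r\nContent-Disposition: form-data; name="upload_file_minidump"; '
    b'filename=".htaccess"\r\nContent-Type: text/html\r\n\r\ntest\r\n--XBOUND--\r\n'
)

def parse_submission(content_type: str, body: bytes):
    """Split a multipart submission into text annotations and dump blobs.
    The client's filename and per-part Content-Type are never consulted."""
    msg = BytesParser(policy=HTTP).parsebytes(
        b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    )
    if not msg.is_multipart():
        raise ValueError("expected multipart/form-data")
    crash_id = str(uuid.uuid4())  # server-generated; nothing from the client
    annotations, dumps = {}, {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        if not isinstance(name, str):
            continue  # no usable form-field name: drop the part
        payload = part.get_payload(decode=True) or b""
        if name in DUMP_FIELDS:
            # Storage key is built from the crash ID and the known field name,
            # so a filename such as ".htaccess" never reaches the filesystem.
            dumps[f"{crash_id}.{name}"] = payload
        else:
            annotations[name] = payload.decode("utf-8", "replace")
    return crash_id, annotations, dumps

def public_view(annotations):
    """Keep only allowlisted fields; everything else stays private."""
    return {k: v for k, v in annotations.items() if k in PUBLIC_FIELDS}
```
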