Closed Bug 1159136 Opened 6 years ago Closed 6 years ago

[Stingray][Smart-System] XSS/HTML injection in app modal dialog

Categories

(Firefox OS Graveyard :: Gaia::TV::System, defect)

defect
Not set
normal

Tracking

(b2g-v1.4 unaffected, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.1S unaffected, b2g-v2.2 fixed, b2g-master fixed)

RESOLVED FIXED
2.2 S11 (1may)
Tracking Status
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- fixed
b2g-master --- fixed

People

(Reporter: suchiu, Assigned: suchiu)

References

Details

(Keywords: sec-high, wsec-xss, Whiteboard: stingray-picked(2015/5/19) [b2g-adv-main2.2-])

Attachments

(1 file)

46 bytes, text/x-github-pull-request
johnhu: review+
Same issue as in Bug 1158715. According to the following link https://github.com/mozilla-b2g/gaia/blob/master/tv_apps/smart-system/js/app_modal_dialog.js#L310, where 'title' comes from the app name in the manifest, XSS injection may happen when someone tries to create an app name with escape characters.
Thank you for sharing the progress with me.

As far as I looked at the same code, there are several innerHTML uses in it that would be exploitable.
https://github.com/mozilla-b2g/gaia/blob/master/tv_apps/smart-system/js/app_modal_dialog.js#L330

Similar code also exists in the System app for handheld variants; it seems it may not be used by any apps at the moment.
https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/app_modal_dialog.js
Please check them as well.
Attached file Pull Request
1. Change innerHTML to textContent in app_modal_dialog in order to prevent potential XSS injection.
Attachment #8599645 - Flags: review?(im)
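The fix described in the pull request above (replacing innerHTML with textContent where the manifest-supplied app name is inserted into the dialog title), as an added example that is not Gaia code or the attached patch. Node has no DOM, so `FakeElement` is a constructed stand-in that models what a real element does with each property; the manifest name and the `containsMarkup` helper are constructed for illustration.

```javascript
// Added example (not Gaia's app_modal_dialog.js): models the fix from this bug,
// where the app name taken from the manifest is assigned with textContent
// instead of innerHTML.
//
// FakeElement is a constructed stand-in for a DOM element so the example runs
// in Node: innerHTML parses markup into child elements, textContent stores the
// string verbatim as a single text node.
class FakeElement {
  constructor() {
    this.children = []; // tag names of elements created by HTML parsing
    this.text = '';     // visible text
  }

  // Models HTML parsing: every opening <tag> becomes a child element.
  set innerHTML(html) {
    const tags = html.match(/<([a-zA-Z][\w-]*)/g) || [];
    this.children = tags.map((t) => t.slice(1).toLowerCase());
    this.text = html.replace(/<[^>]*>/g, '');
  }

  // Models a text node: angle brackets stay literal characters, no elements.
  set textContent(str) {
    this.children = [];
    this.text = str;
  }

  get textContent() {
    return this.text;
  }
}

// The "before" state fixed in this bug: the manifest name is parsed as HTML,
// so any markup an app author puts in the name becomes live elements.
function setTitleUnsafe(titleEl, appName) {
  titleEl.innerHTML = appName;
  return titleEl;
}

// The pattern the pull request switches to: the name is inserted as text.
function setTitleSafe(titleEl, appName) {
  titleEl.textContent = appName;
  return titleEl;
}

// Review/unit-test helper (constructed): flags app names that would be
// interpreted as markup if they ever reached an innerHTML sink.
function containsMarkup(appName) {
  return /<[a-zA-Z!/]/.test(appName);
}

// Constructed manifest whose name carries markup (sample input, not a real app).
const manifest = { name: '<b>Untrusted</b> App <img src=x>' };

const unsafe = setTitleUnsafe(new FakeElement(), manifest.name);
const safe = setTitleSafe(new FakeElement(), manifest.name);

console.log('innerHTML created elements:', unsafe.children);
console.log('textContent kept the name literal:', safe.textContent);
console.log('manifest name contains markup:', containsMarkup(manifest.name));
```

The same reasoning applies to the other innerHTML sites Muneaki points at: wherever the inserted value is plain text (a name, a message string), textContent removes the parser from the path entirely, which is why the reviewer also asks for the escapeHTML code to be dropped rather than kept alongside it.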
Comment on attachment 8599645 [details] [review]
Pull Request

Looks good to me. But please remove the escapeHTML code.
Attachment #8599645 - Flags: review?(im) → review+
Hi Muneaki,

Could you file another bug for the apps/system app? Although smart-system is a special fork of the system app, we have made some modifications. The patches for those two may be different. According to our understanding, bug 1159136 and bug 1159137 affect both system apps.

(In reply to Muneaki Nishimura from comment #1)
> Thank you for sharing the progress to me.
> 
> As far as I looked at the same code there are several innerHTML in it that
> would be exploitable.
> https://github.com/mozilla-b2g/gaia/blob/master/tv_apps/smart-system/js/
> app_modal_dialog.js#L330
> 
> And the similar code also exists in System app for handheld variants, it
> seems it may not be used from any apps at the moment.
> https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/
> app_modal_dialog.js
> Please check them as well.
Flags: needinfo?(sdna.muneaki.nishimura)
No longer depends on: 1158715
See Also: → 1158715
(In reply to John Hu [:johnhu][:johu][:醬糊小弟] from comment #4)
> Hi Muneaki,
> 
> May you file another bugs for apps/system app? Although smart-system is a
> special fork of system app, we had done some modifications. The patch of
> those two may be different. According to our understanding, bug 1159136 and
> bug 1159137 affected both system apps.
> 
> (In reply to Muneaki Nishimura from comment #1)
> > Thank you for sharing the progress to me.
> > 
> > As far as I looked at the same code there are several innerHTML in it that
> > would be exploitable.
> > https://github.com/mozilla-b2g/gaia/blob/master/tv_apps/smart-system/js/
> > app_modal_dialog.js#L330
> > 
> > And the similar code also exists in System app for handheld variants, it
> > seems it may not be used from any apps at the moment.
> > https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/
> > app_modal_dialog.js
> > Please check them as well.

OK, I filed a new bug 1160069 requesting that the following two changes be reflected in the System app.
https://github.com/mozilla-b2g/gaia/pull/29786
https://github.com/mozilla-b2g/gaia/pull/29811
Flags: needinfo?(sdna.muneaki.nishimura)
Keywords: checkin-needed
See Also: → 1160069
Master: https://github.com/mozilla-b2g/gaia/commit/9143008f97f47fe76fd44cd1189314dcc7955a17
Status: NEW → RESOLVED
Closed: 6 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → 2.2 S11 (1may)
Depends on: 1163553
Whiteboard: stingray-picked(2015/5/19)
Whiteboard: stingray-picked(2015/5/19) → stingray-picked(2015/5/19) [b2g-adv-main2.2-]
Group: core-security → core-security-release
Group: core-security-release