Closed Bug 1188538 Opened 9 years ago Closed 4 years ago

Don't load URIs if they don't have a security flag set

Categories

(Core :: Security: CAPS, defect, P2)

Product:
Core
Component:
Security: CAPS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla76
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox74 --- wontfix
firefox75 --- wontfix
firefox76 --- fixed

People

(Reporter: bholley, Assigned: ckerschb)

References

(Blocks 1 open bug)

Details

(Keywords: sec-other, Whiteboard: [post-critsmash-triage][adv-main76-][adv-ESR68.8-])

Attachments

(1 file)

Bug 1188538: Ensure every protocol handler sets a valid security flag. r=bholley,mixedpuppy
47 bytes, text/x-phabricator-request
Details | Review
Group: core-security → dom-core-security

This one has rendered INVALID given that we do not support GetProtocolFlags anymore, see:
https://searchfox.org/mozilla-central/rev/d69ec052bed8700af7a283e37b60b4af22734930/netwerk/base/nsIOService.cpp#904

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID

Ah, I guess I was too fast in closing this one - there is getFlagsForURI within nsIProtocolHandlerWithDynamicFlags - maybe that is the one to use.

Status: RESOLVED → REOPENED
Resolution: INVALID → ---

Hey Bobby, based on the description and the linked bug I can't really tell whether this bug is still valid or not. Also because nsIProtocolHandler mentions that each handler must set one of 5 flags, but way more are listed:
https://searchfox.org/mozilla-central/rev/d69ec052bed8700af7a283e37b60b4af22734930/netwerk/base/nsIProtocolHandler.idl#170

If this one is still valid and you think it's worth fixing, we could easily add a check within the ContentSecurityManager to ensure that all URIs to be opened have valid security checks.

I personally like the general idea behind, because it would harden our infrastructure, but I don't know if it's still applicable.

Flags: needinfo?(bholley)

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #3)

Hey Bobby, based on the description and the linked bug I can't really tell whether this bug is still valid or not.

Seems like we still have the suboptimal behavior described: https://searchfox.org/mozilla-central/rev/d69ec052bed8700af7a283e37b60b4af22734930/caps/nsScriptSecurityManager.cpp#964

Also because nsIProtocolHandler mentions that each handler must set one of 5 flags, but way more are listed:
https://searchfox.org/mozilla-central/rev/d69ec052bed8700af7a283e37b60b4af22734930/netwerk/base/nsIProtocolHandler.idl#170

That's just because it's effectively an enum that's slotted into a bitfield with a bunch of other things before and after. Ideally we'd separate it into a separate enum field, but that might be too much work? If so, we can just hard assert that exactly one of those five bits are set.

If this one is still valid and you think it's worth fixing, we could easily add a check within the ContentSecurityManager to ensure that all URIs to be opened have valid security checks.

Not sure exactly where the right place to put the check is, but anything we do here should also fix up the mess in the SSM that I referenced above.

Flags: needinfo?(bholley)

Ok, I think that bug very much aligns with the work we are doing to harden the security landscapce of Firefox (Meta Bug 1596359). I see what I can do.

Assignee: nobody → ckerschb
Blocks: harden-security-landscape-firefox
Status: REOPENED → ASSIGNED
Priority: -- → P2

Bobby, it seems all protocol handlers set one of the 5 security flags. Adding such an assertion in the ContentSecurityManager which is consulted within asyncOpen()/open() of every channel verifies that, see:
https://hg.mozilla.org/try/rev/474f2e10b1751dff6953df28f5381d6baf1ca158

My main question is however, what do we need to do within CheckLoadURIFLags:
https://searchfox.org/mozilla-central/rev/d69ec052bed8700af7a283e37b60b4af22734930/caps/nsScriptSecurityManager.cpp#964

Or put differently, what do you want me to do there?

Flags: needinfo?(bholley)

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #6)

Bobby, it seems all protocol handlers set one of the 5 security flags. Adding such an assertion in the ContentSecurityManager which is consulted within asyncOpen()/open() of every channel verifies that, see:
https://hg.mozilla.org/try/rev/474f2e10b1751dff6953df28f5381d6baf1ca158

Cool. As a cute bonus, you could mask off the five bits at once, and then check if the result is a power-of-two, though I don't object if you prefer the very-explicit-and-obvious approach.

My main question is however, what do we need to do within CheckLoadURIFLags:
https://searchfox.org/mozilla-central/rev/d69ec052bed8700af7a283e37b60b4af22734930/caps/nsScriptSecurityManager.cpp#964

Or put differently, what do you want me to do there?

(1) Delete all the existing handling below that line.
(2) Add a debug-only assertion that the chain either has URI_LOADABLE_BY_SUBSUMERS or URI_LOADABLE_BY_ANYONE.
(3) Add a comment indicating that the former case is handled by the caller, which is delegating to us as a helper.

Flags: needinfo?(bholley)

https://hg.mozilla.org/integration/autoland/rev/f4981f4405d978e04676ce53028c15451558d20e
https://hg.mozilla.org/mozilla-central/rev/f4981f4405d9

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago4 years ago
status-firefox76: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main76-][adv-ESR68.8-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: