Closed Bug 1190760 Opened 9 years ago Closed 8 years ago

Discuss security implications of using Enhanced Metafiles to store prints between the content and parent process.

Categories

(Core :: Security: Process Sandboxing, defect)

All
Windows
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: bobowen, Unassigned)

I'm currently planning on using EMFs [1] in shared memory to transport data for printing from the content to the parent process on Windows.

It looks like we can write directly to EMF instead of the printer device context in the content process.
Processing the EMF back to a printer device context in the parent also seems relatively straightforward.

There are some concerns that this will open up the parent to vulnerabilities in EMF, for example things like [2].

For information, my understanding is that Chrome uses in-memory PDF files (on all platforms) to transport the print data to the parent process.
On Windows this is then converted to EMF before being sent to the printer.
Again, I understand that we have some support for PDF on Windows, but only for an earlier version (1.5),
which I think might cause some print quality issues.

[1] https://msdn.microsoft.com/en-us/library/dd162600%28v=vs.85%29.aspx
[2] http://tools.cisco.com/security/center/viewAlert.x?alertId=38258
Not sure who is the best person to ask about this.

Do you think that PDF is inherently more secure than EMF?

What do you think we could reasonably do to mitigate any potential problems?
Would it be possible to check/scan EMFs for problems in the parent process?
What about sending some sort of token from the parent process when a print is requested, so the return call would only be allowed when a print has been requested?
(Note: I have no idea how easy that last suggestion would be to implement or whether we could cover all bases.)

Is there anyone else that would be a good person to ask about this?
Flags: needinfo?(dveditz)
Flags: needinfo?(abillings)
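
The question above about checking EMFs in the parent process can be made concrete with a structural pre-check run on the shared-memory buffer before it is handed to GDI. This is an added example, not code from this bug or from Mozilla; the function names `emf_check_structure` and `emf_make_sample` are hypothetical, and the field offsets assume the basic 88-byte header layout of the EMF format.

```c
#include <stdint.h>
#include <string.h>

#define EMR_HEADER     1u
#define EMR_EOF        14u
#define EMF_HEADER_MIN 88u          /* size of the basic EMF header record */
#define EMF_SIGNATURE  0x464D4520u  /* " EMF", stored at byte offset 40 */

static uint32_t rd32(const uint8_t *p) {  /* little-endian, alignment-safe */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Structural check only: 0 if header and record chain are consistent, else <0.
   It does not vet record contents, so it narrows but does not close the risk. */
int emf_check_structure(const uint8_t *buf, size_t len) {
    if (len < EMF_HEADER_MIN) return -1;
    if (rd32(buf) != EMR_HEADER) return -2;
    if (rd32(buf + 40) != EMF_SIGNATURE) return -3;
    if (rd32(buf + 48) != len) return -4;        /* nBytes vs bytes received */
    uint32_t declared = rd32(buf + 52), seen = 0, type = 0;
    size_t off = 0;
    while (off < len) {
        if (len - off < 8) return -5;            /* no room for type + size */
        type = rd32(buf + off);
        uint32_t size = rd32(buf + off + 4);
        if (size < 8 || size % 4 != 0 || size > len - off) return -6;
        if (off == 0 && size < EMF_HEADER_MIN) return -7;
        if (off != 0 && type == EMR_HEADER) return -8;  /* only one header */
        seen++;
        off += size;
        if (type == EMR_EOF) break;
    }
    if (type != EMR_EOF || off != len) return -9;  /* must end exactly at EOF */
    return seen == declared ? 0 : -10;             /* nRecords must match */
}

/* Constructed sample: header record plus EMR_EOF, 108 bytes in total. */
size_t emf_make_sample(uint8_t *out) {
    memset(out, 0, 108);
    wr32(out, EMR_HEADER); wr32(out + 4, 88); wr32(out + 40, EMF_SIGNATURE);
    wr32(out + 48, 108); wr32(out + 52, 2);      /* nBytes, nRecords */
    wr32(out + 88, EMR_EOF); wr32(out + 92, 20); wr32(out + 104, 20);
    return 108;
}
```

A check like this must run on a private copy of the buffer in the parent, since the content process could otherwise rewrite shared memory after validation.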
Also found: https://msdn.microsoft.com/en-us/library/cc230514.aspx

Which has a "Security Considerations" section, but it's very brief.
(In reply to Bob Owen (:bobowen) from comment #2)
> Also found: https://msdn.microsoft.com/en-us/library/cc230514.aspx
> 
> Which has a "Security Considerations" section, but it's very brief.

I assume that section is referring to:
https://msdn.microsoft.com/en-us/library/cc230578.aspx
(In reply to Bob Owen (:bobowen) from comment #1)
> Not sure who is the best person to ask about this.

Not me! I'll defer to Dveditz here.
Flags: needinfo?(abillings)
We didn't go down the EMF file route in the end.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(dveditz)
Resolution: --- → INVALID