Closed
Bug 1193926
Opened 9 years ago
Closed 9 years ago
Don't register chrome for dictionary add-ons
Categories
(Toolkit :: Add-ons Manager, defect)
Toolkit
Add-ons Manager
Tracking
()
RESOLVED
FIXED
mozilla43
| Tracking | Status | |
|---|---|---|
| firefox43 | --- | fixed |
People
(Reporter: mossop, Assigned: mossop)
References
Details
(Keywords: sec-audit, Whiteboard: [adv-main43-])
Attachments
(2 files, 2 obsolete files)
|
5.18 KB,
patch
|
benjamin
:
review+
|
Details | Diff | Splinter Review |
|
17.07 KB,
patch
|
Details | Diff | Splinter Review |
Looks like dictionary add-ons (type 64) inadvertently register chrome.manifest files when used. There is no need for this. I think you could override parts of the browser with this and so there is a way to bypass signing and run unverified code.
|
Assignee | |
Comment 1•9 years ago
|
||
This restricts registering chrome to only the types that need it. Technically that is extensions and locale packs. But locale packs aren't signed, so they can inject chrome into the browser :(
Sounds like there aren't many (if any?) locale packs that aren't owned by us so maybe we can just require those to be signed. The alternative is to change the manifest parser so locale packs can only define locale chrome, I don't know if that might break things.
Assignee: nobody → dtownsend
Status: NEW → ASSIGNED
Flags: needinfo?(jorge)
Flags: needinfo?(dveditz)
|
||
Comment 2•9 years ago
|
||
Well, locale packs should only be able to register locale and full themes (which also need to support chrome.manifest) can only register skin-related stuff. I thought we already had code for that.
|
|
Assignee | |
Comment 3•9 years ago
|
||
(In reply to Robert Kaiser (:kairo@mozilla.com) from comment #2)
> Well, locale packs should only be able to register locale and full themes
> (which also need to support chrome.manifest) can only register skin-related
> stuff. I thought we already had code for that.
We do for full themes, I'm not seeing it for locale packs though
|
||
Comment 4•9 years ago
|
||
I favor restricting language packs to only locale entries in chrome.manifest. I believe we already have that restriction on AMO.
Flags: needinfo?(jorge)
|
||
Comment 5•9 years ago
|
||
I also thought locales were restricted to registering locale types, and themes only skin types. We should enforce that in the client, not just as an AMO rule.
What about "experiments"? Do they need to register chrome? nothing else should be able to.
Even restricted to locale chrome resources, though, we have some places where we read raw HTML out of localizations. I'm not a fan but it's a reality that even locale types can inject scripts into the browser. I'd like to see them signed if we could.
Flags: needinfo?(dveditz)
|
|
Assignee | |
Comment 6•9 years ago
|
||
This blocks registering chrome for dictionaries and adds a new chrome location type for locale packs where only locale directives are registered. The boolean flags in the manifest parsing directive list were getting a bit unwieldy so I've instead switched to type flags to split them up and say what is allowed for each chrome location type.
Attachment #8647175 -
Attachment is obsolete: true
Attachment #8649012 -
Flags: review?(benjamin)
|
||
Comment 7•9 years ago
|
||
Comment on attachment 8649012 [details] [diff] [review]
patch
I don't think the NS_LOCALE_TYPE restriction is actually useful. If you register a locale package you can get chrome privileges via the DTD anyway. So can we just not do that part?
Flags: needinfo?(dtownsend)
|
|
Assignee | |
Comment 8•9 years ago
|
||
(In reply to Benjamin Smedberg [:bsmedberg] from comment #7)
> Comment on attachment 8649012 [details] [diff] [review]
> patch
>
> I don't think the NS_LOCALE_TYPE restriction is actually useful. If you
> register a locale package you can get chrome privileges via the DTD anyway.
> So can we just not do that part?
How is that? If we don't do that part then we have to make signing a requirement for locale packs.
Flags: needinfo?(dtownsend)
|
|
Assignee | |
Updated•9 years ago
|
Flags: needinfo?(benjamin)
|
|
||
Comment 9•9 years ago
|
||
DTDs are XML. So it's possible to inject arbitrary script into chrome-privilege pages using any entity that is included directly in the page (not in an attribute). For example:
<!ENTITY changeSearchSettings.button "<script>Cc[...];</script>Change Search Settings">
Flags: needinfo?(benjamin)
|
|
||
Comment 10•9 years ago
|
||
Signing should be a requirement for locale packs, at least until we move away from DTD-based localization completely.
|
|
Assignee | |
Comment 11•9 years ago
|
||
(In reply to Benjamin Smedberg [:bsmedberg] from comment #10)
> Signing should be a requirement for locale packs, at least until we move
> away from DTD-based localization completely.
Ok, spun that out into bug 1197876
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8649012 -
Attachment is obsolete: true
Attachment #8649012 -
Flags: review?(benjamin)
|
|
Assignee | |
Comment 12•9 years ago
|
||
Removed the unnecessary churn here
Attachment #8651840 -
Flags: review?(benjamin)
|
|
Assignee | |
Comment 13•9 years ago
|
||
The rest of the patch for posterity
|
|
||
Updated•9 years ago
|
Attachment #8651840 -
Flags: review?(benjamin) → review+
|
||
Comment 14•9 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
||
Updated•9 years ago
|
Whiteboard: [adv-main43-]
|
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•