Bug 1223743 (CVE-2016-2816)

CSP is not applied to documents sent through multipart/x-mixed-replace

VERIFIED FIXED in Firefox 46

Status: VERIFIED FIXED
Reported: 3 years ago
Modified: a year ago

People

(Reporter: sdna.muneaki.nishimura, Assigned: ckerschb)

Tracking

Blocks: 1 bug
Keywords: sec-moderate
Version: Trunk
Target Milestone: mozilla46
Points: ---
Bug Flags: sec-bounty+

Firefox Tracking Flags

(firefox45 wontfix, firefox46 verified, firefox-esr45 wontfix)

Details

Whiteboard: [adv-main46+]

Attachments (2)

Description (Reporter, 3 years ago)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

Open the following PoC:
http://mallory.csrf.jp/x-mixed-replace/csp/bad.php

Actual results:

The response from the above URL is multipart/x-mixed-replace and contains two text/html documents. Both documents trigger alert(1) and alert(2) from their inline scripts. This URL is protected by CSP with default-src 'self', so the inline scripts should be ignored, but Firefox doesn't ignore them.

Expected results:

CSP should be applied to all documents in a multipart/x-mixed-replace response.
The inline script execution should be ignored, as in an ordinary HTML document (see the following URL):
http://mallory.csrf.jp/x-mixed-replace/csp/good.php
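
The setup the report describes, as an added example that is not the reporter's PoC nor Mozilla's test server: a small Node.js script that builds a multipart/x-mixed-replace response carrying a CSP header and two HTML parts with inline scripts, so a browser's handling of the policy on every part can be checked locally. The boundary token, port and the helper names are assumptions.

```javascript
// Added example (not from the bug or Mozilla's test files): emit a
// multipart/x-mixed-replace stream under "default-src 'self'" with two HTML
// parts, each holding an inline script. A browser that applies CSP to every
// part (the fixed behaviour) executes neither script; the report describes
// Firefox before the fix executing both.
const BOUNDARY = "csp-multipart-boundary"; // assumed bare token; body delimiters add "--"
const CSP = "default-src 'self'";           // same policy as the report: inline scripts blocked

// One HTML document part whose inline script should be blocked by the policy.
function htmlPart(n) {
  return `<!DOCTYPE html><html><body><p>part ${n}</p>` +
         `<script>alert(${n});</script></body></html>`;
}

// Assemble the body per the multipart delimiter syntax (RFC 2046): each part
// starts with "--boundary", then its own headers, a blank line and content;
// the stream ends with the closing "--boundary--" delimiter.
function buildMultipart(boundary, parts) {
  const delim = "--" + boundary;
  let body = "";
  for (const p of parts) {
    body += delim + "\r\nContent-Type: text/html\r\n\r\n" + p + "\r\n";
  }
  return body + delim + "--\r\n";
}

// Outer response headers: the policy is set once on the multipart response;
// the fix in this bug makes Firefox carry it into every part. The boundary
// parameter here must NOT include the "--" prefix used in the body.
function responseHeaders(boundary) {
  return {
    "Content-Type": "multipart/x-mixed-replace; boundary=" + boundary,
    "Content-Security-Policy": CSP,
    "Cache-Control": "no-cache",
  };
}

// Serve the stream when run directly (node csp_multipart.js), then open
// http://127.0.0.1:8080/ in the browser under test.
if (typeof require !== "undefined" && require.main === module) {
  const http = require("http");
  http.createServer((req, res) => {
    res.writeHead(200, responseHeaders(BOUNDARY));
    res.end(buildMultipart(BOUNDARY, [htmlPart(1), htmlPart(2)]));
  }).listen(8080, "127.0.0.1");
}
```

Swapping the policy for one that allows inline scripts, or dropping the header, gives the reference behaviour (both alerts fire) against which the blocked case can be compared.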

Comment 1 (3 years ago)

Patrick should this fall under networking or some other layer?

Updated (3 years ago)

Flags: needinfo?(mcmanus)
Probably networking security... sworkman would know exactly.
Flags: needinfo?(mcmanus)
Flags: needinfo?(sworkman)
Chris, can you take a look please?
Flags: needinfo?(sworkman) → needinfo?(mozilla)
Component: Untriaged → DOM: Security
Flags: needinfo?(mozilla)
Created attachment 8695553 [details] [diff] [review]
bug_1223743_csp_not_applied.patch
Attachment #8695553 - Flags: review?(jonas)
Created attachment 8695554 [details] [diff] [review]
bug_1223743_csp_not_applied_tests.patch
Attachment #8695554 - Flags: review?(jonas)
Assignee: nobody → mozilla
Status: NEW → ASSIGNED
Group: core-security → dom-core-security
Comment on attachment 8695554 [details] [diff] [review]
bug_1223743_csp_not_applied_tests.patch

Review of attachment 8695554 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/security/test/csp/file_multipart_testserver.sjs
@@ +13,5 @@
> +  <img src="file_multipart_testserver.sjs?img" id="testimg"></img>
> +  <script>
> +    var myImg = document.getElementById("testimg");
> +    myImg.onerror = function(e) {
> +      window.parent.postMessage("img-blocked", "*");
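Review bot: the first line of the hunk closes a void element, `<img src="file_multipart_testserver.sjs?img" id="testimg"></img>`; drop the `</img>` so the test markup does not depend on the HTML parser's error recovery. Also, `window.parent.postMessage("img-blocked", "*")` broadcasts the result to whatever origin embeds the frame; in a test harness that is acceptable, but passing the expected parent origin instead of `"*"` keeps the test from reporting to an unexpected parent if it is ever reused.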

This is racy. The image might have already gotten inserted and had its onerror/onload event fire.

Instead do something like

myImg = new Image;
myImg.src = "...";
myImg.onerror = ...
myImg.onload = ...
document.body.appendChild(myImg);

@@ +30,5 @@
> +  response.setHeader("Cache-Control", "no-cache", false);
> +
> +  if (request.queryString == "doc") {
> +    response.setHeader("Content-Security-Policy", CSP, false);
> +    response.setHeader("Content-Type", "multipart/x-mixed-replace; boundary=" + BOUNDARY, false);
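Review bot: the `Content-Security-Policy` header is attached once to the outer `multipart/x-mixed-replace` response on the `doc` branch, while the bug is about the second and later parts of the stream losing the policy; the harness should therefore assert the block for every part it emits, not only the first document. Also check the `BOUNDARY` value used in `boundary=" + BOUNDARY`: the header parameter carries the bare token and only the delimiter lines in the body are prefixed with `--`, so a constant that already includes the dashes will produce delimiters that do not match the declared boundary.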

I think this part shouldn't have the '--'. I.e. it should be boundary=fooboundary, not boundary=--fooboundary.
Attachment #8695554 - Flags: review?(jonas) → review+
Flags: sec-bounty?
Keywords: sec-moderate
https://hg.mozilla.org/mozilla-central/rev/de7773dd42e1
https://hg.mozilla.org/mozilla-central/rev/31ffab3a0629
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox46: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Group: dom-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Reproduced this issue on 45.0.2.

Confirming the fix on Mac OS X 10.9.5, Ubuntu 12.04 x86 and Windows 10 x64 using Fx 46.0 RC build 3 (buildID 20160418114253).
Status: RESOLVED → VERIFIED
status-firefox46: fixed → verified
QA Contact: cornel.ionce
status-firefox45: --- → wontfix
status-firefox-esr45: --- → wontfix
Whiteboard: [adv-main46+]
Alias: CVE-2016-2816
Group: core-security-release