Closed Bug 1223743 (CVE-2016-2816) Opened 9 years ago Closed 9 years ago

CSP is not applied to documents sent through multipart/x-mixed-replace

Categories

(Core :: DOM: Security, defect)

defect
Not set
normal

Tracking


VERIFIED FIXED
mozilla46
Tracking Status
firefox45 --- wontfix
firefox46 --- verified
firefox-esr45 --- wontfix

People

(Reporter: sdna.muneaki.nishimura, Assigned: ckerschb)

References

(Blocks 1 open bug)

Details

(Keywords: reporter-external, sec-moderate, Whiteboard: [adv-main46+])

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36

Steps to reproduce:

Open the following PoC.
http://mallory.csrf.jp/x-mixed-replace/csp/bad.php

Actual results:

The response from the above URL is multipart/x-mixed-replace and it contains two text/html documents in it. Both documents trigger alert(1) and alert(2) from the inline script. This URL is protected by CSP with default-src 'self', so the inline script should be ignored, but Firefox doesn't ignore it.

Expected results:

CSP should be applied to all documents in a multipart/x-mixed-replace response. The inline script execution should be ignored like in an ordinary HTML document (see the following URL).
http://mallory.csrf.jp/x-mixed-replace/csp/good.php
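As an added example that is not part of the bug report or of Firefox's own code: the script below constructs a multipart/x-mixed-replace response shaped like the reporter's PoC (one Content-Security-Policy header on the outer response, two text/html parts each carrying an inline script), splits it back into parts, and evaluates the outer policy against each part. It goes a little beyond the report in also showing the multipart boundary convention (the header carries the bare token, the body delimiters prefix it with "--"). The boundary token, header set and HTML bodies are constructed, and the policy evaluator models only the CSP pieces relevant here (script-src falling back to default-src, 'unsafe-inline'); it is not Firefox's CSP implementation.

```javascript
// Added example, not code from the bug report or from Firefox. It builds a
// multipart/x-mixed-replace response shaped like the reporter's PoC, parses it
// back, and evaluates the outer CSP against each part's inline scripts.
// Boundary token, header set and HTML bodies below are constructed.

const BOUNDARY = "fooboundary"; // bare token in the header; body delimiters are "--" + token
const CSP = "default-src 'self'"; // the policy the reporter's PoC sends

// Two constructed text/html parts, each with an inline script (the PoC's alert(1)/alert(2)).
const PARTS = [
  "<!DOCTYPE html><html><body>part 1<script>alert(1);</script></body></html>",
  "<!DOCTYPE html><html><body>part 2<script>alert(2);</script></body></html>",
];

// Serialize the outer response. CSP is sent once, on the outer response; the
// parts carry only their own Content-Type, so a browser that does not carry the
// outer policy over to each replaced document runs them with no CSP at all.
function buildResponse(parts, boundary, csp) {
  const headers = [
    "HTTP/1.1 200 OK",
    `Content-Type: multipart/x-mixed-replace; boundary=${boundary}`,
  ];
  if (csp) headers.push(`Content-Security-Policy: ${csp}`);
  headers.push("Cache-Control: no-cache");
  const body =
    parts.map((html) => `--${boundary}\r\nContent-Type: text/html\r\n\r\n${html}\r\n`).join("") +
    `--${boundary}--\r\n`; // closing delimiter
  return headers.join("\r\n") + "\r\n\r\n" + body;
}

// Parse a header block into a map keyed by lower-cased header name.
function parseHeaders(block) {
  const map = {};
  for (const line of block.split("\r\n")) {
    const i = line.indexOf(":");
    if (i > 0) map[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return map;
}

// Split a multipart body into { headers, body } parts. The delimiter is
// "--" + boundary (RFC 2046); "--" + boundary + "--" closes the body.
function splitMultipart(body, boundary) {
  const parts = [];
  for (const chunk of body.split(`--${boundary}`)) {
    if (chunk === "" || chunk.startsWith("--")) continue; // preamble or closing delimiter
    const sep = chunk.indexOf("\r\n\r\n");
    const headerBlock = sep < 0 ? "" : chunk.slice(0, sep).replace(/^\r\n/, "");
    const partBody = (sep < 0 ? chunk : chunk.slice(sep + 4)).replace(/\r\n$/, "");
    parts.push({ headers: parseHeaders(headerBlock), body: partBody });
  }
  return parts;
}

// Minimal CSP model for this bug: inline <script> is governed by script-src,
// falling back to default-src, and runs only if that list has 'unsafe-inline'.
// Nonces, hashes and 'strict-dynamic' are out of scope here.
function parseCsp(csp) {
  const directives = {};
  for (const d of csp.split(";")) {
    const tokens = d.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function allowsInlineScript(csp) {
  const d = parseCsp(csp || "");
  const src = d["script-src"] || d["default-src"];
  if (!src) return true; // no governing directive: inline scripts run
  return src.some((t) => t.toLowerCase() === "'unsafe-inline'");
}

// Count inline <script> elements (those without a src attribute) in an HTML part.
function countInlineScripts(html) {
  const re = /<script\b([^>]*)>/gi;
  let n = 0;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) n++;
  }
  return n;
}

// Per-part verdict under the fixed behaviour: every part inherits the outer
// policy. Evaluating the same response with the CSP header absent reproduces
// what the reporter observed before the fix (inline scripts run).
function evaluateResponse(raw) {
  const split = raw.indexOf("\r\n\r\n");
  const headers = parseHeaders(raw.slice(0, split));
  const boundary = /boundary=([^;\s]+)/i.exec(headers["content-type"])[1];
  const csp = headers["content-security-policy"] || "";
  return splitMultipart(raw.slice(split + 4), boundary).map((part, i) => {
    const inline = countInlineScripts(part.body);
    return {
      index: i + 1,
      contentType: part.headers["content-type"],
      inlineScripts: inline,
      blockedWithInheritedCsp: inline > 0 && !allowsInlineScript(csp),
    };
  });
}

console.log(evaluateResponse(buildResponse(PARTS, BOUNDARY, CSP)));
console.log(evaluateResponse(buildResponse(PARTS, BOUNDARY, "")));
```

Run it with node; the first printout is the fixed behaviour (both parts' inline scripts blocked by the inherited default-src 'self'), the second shows the pre-fix picture, where the parts are evaluated with no policy at all. The evaluator deliberately applies the outer response's header to each part, because a multipart/x-mixed-replace part has no CSP header of its own; that is the inheritance step the bug is about.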
Patrick, should this fall under networking or some other layer?
Flags: needinfo?(mcmanus)
Probably networking security. sworkman would know exactly.
Flags: needinfo?(mcmanus)
Flags: needinfo?(sworkman)
Chris, can you take a look please?
Flags: needinfo?(sworkman) → needinfo?(mozilla)
Component: Untriaged → DOM: Security
Flags: needinfo?(mozilla)
Assignee: nobody → mozilla
Status: NEW → ASSIGNED
Group: core-security → dom-core-security
Blocks: csp-w3c-2
Comment on attachment 8695554 [details] [diff] [review]
bug_1223743_csp_not_applied_tests.patch

Review of attachment 8695554 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/security/test/csp/file_multipart_testserver.sjs
@@ +13,5 @@
> + <img src="file_multipart_testserver.sjs?img" id="testimg"></img>
> + <script>
> + var myImg = document.getElementById("testimg");
> + myImg.onerror = function(e) {
> + window.parent.postMessage("img-blocked", "*");

This is racy. The image might have already gotten inserted and had its onerror/onload event fire.

Instead do something like

myImg = new Image;
myImg.src = "...";
myImg.onerror = ...
myImg.onload = ...
document.body.appendChild(myImg);

@@ +30,5 @@
> + response.setHeader("Cache-Control", "no-cache", false);
> +
> + if (request.queryString == "doc") {
> + response.setHeader("Content-Security-Policy", CSP, false);
> + response.setHeader("Content-Type", "multipart/x-mixed-replace; boundary=" + BOUNDARY, false);

I think this part shouldn't have the '--'. I.e. it should be boundary=fooboundary, not boundary=--fooboundary
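Review bot: in the @@ +13,5 @@ hunk only onerror posts a message ("img-blocked"); with no onload handler posting a counterpart such as "img-loaded", a regression in which the image is allowed to load leaves the test waiting for a message that never arrives until the harness times out, instead of failing on an assertion. Wiring both handlers, as the review above suggests, also lets the test check the negative case explicitly. Separately, <img ...></img> puts an end tag on a void element; drop the </img>.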
Attachment #8695554 - Flags: review?(jonas) → review+
Flags: sec-bounty?
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
Group: dom-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Reproduced this issue on 45.0.2. Confirming the fix on Mac OS X 10.9.5, Ubuntu 12.04x86 and Windows 10x64 using Fx 46.0 RC build 3 (buildID 20160418114253).
Status: RESOLVED → VERIFIED
QA Contact: cornel.ionce
Whiteboard: [adv-main46+]
Alias: CVE-2016-2816
Group: core-security-release
