Closed Bug 1242909 Opened 4 years ago Closed 4 years ago

Firefox crash : malformed CSP report-uri directive

Categories

(Core :: DOM: Security, defect)

43 Branch
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla47
Tracking Status
firefox44 --- wontfix
firefox45 --- fixed
firefox46 --- fixed
firefox47 --- fixed

People

(Reporter: g.mochizuki, Assigned: Gijs)

Details

Attachments

(2 files, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160105164030
Firefox for Android

Steps to reproduce:

PC: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Android: User-Agent: Mozilla/5.0 (Android 4.1.1; Tablet; rv:43.0) Gecko/43.0 Firefox/43.0

When browse the page that contains the malformed CSP report-uri directive, Firefox crash.

===========================================
HTTP/1.1 200 OK
Date: Tue, 26 Jan 2016 08:43:03 GMT
Content-Security-Policy: script-src 'self'; report-uri javascript:
Content-Length: 28
Connection: close
Content-Type: text/html; charset=UTF-8

<script>alert(0);</script>
===========================================
Attachment #8712095 - Attachment mime type: text/x-log → text/plain
https://crash-stats.mozilla.com/report/index/e8c3bfab-c74c-48b6-8200-8c5172160126

AFAICT this is a nullptr crash (at least on ff44 beta, where I tested) and so it might not need to be sec-sensitive.
Group: firefox-core-security → core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Product: Firefox → Core
Attached patch Patch v0.1 (obsolete) — Splinter Review
This should do the trick.
Attachment #8712100 - Flags: review?(mozilla)
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Attached patch Patch v0.2Splinter Review
Now without random leftovers from another bit of work - sorry for the bugspam.
Attachment #8712101 - Flags: review?(mozilla)
Attachment #8712100 - Attachment is obsolete: true
Attachment #8712100 - Flags: review?(mozilla)
Comment on attachment 8712101 [details] [diff] [review]
Patch v0.2

Review of attachment 8712101 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks Gijs, that is indeed the right fix. I also don't think this needs to be security sensitive - feel free to open it up.
Attachment #8712101 - Flags: review?(mozilla) → review+
Ryan, can you un-sec-sensitive this, please? Thanks!
Flags: needinfo?(ryanvm)
Comment on attachment 8712101 [details] [diff] [review]
Patch v0.2

Approval Request Comment
[Feature/regressing bug #]: CSP parsing
[User impact if declined]: crashes!
[Describe test coverage new/current, TreeHerder]: https://dxr.mozilla.org/mozilla-central/source/dom/security/test/csp and various other tests, but nothing specifically for this issue, it seems
[Risks and why]: very low, essentially just a nullcheck
[String/UUID change made/needed]: nope
Attachment #8712101 - Flags: approval-mozilla-beta?
Attachment #8712101 - Flags: approval-mozilla-aurora?
Group: core-security
Flags: needinfo?(ryanvm)
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Comment on attachment 8712101 [details] [diff] [review]
Patch v0.2

Fix a crash, taking it.
Attachment #8712101 - Flags: approval-mozilla-beta?
Attachment #8712101 - Flags: approval-mozilla-beta+
Attachment #8712101 - Flags: approval-mozilla-aurora?
Attachment #8712101 - Flags: approval-mozilla-aurora+
Should be in 45 beta 2
You need to log in before you can comment on or make changes to this bug.