Closed Bug 1242909 Opened 9 years ago Closed 9 years ago

Firefox crash : malformed CSP report-uri directive

Categories

(Core :: DOM: Security, defect)

Product:
Core
Component:
DOM: Security
Version:
43 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla47
Tracking Flags:
Tracking Status
firefox44 --- wontfix
firefox45 --- fixed
firefox46 --- fixed
firefox47 --- fixed

People

(Reporter: g.mochizuki, Assigned: Gijs)

Details

Attachments

(2 files, 1 obsolete file)

firefox-debug_1957_2810_2016-01-26_19-57-07-724.log
128.09 KB, text/plain
Details
Patch v0.2
1.76 KB, patch
ckerschb
: review+
Sylvestre
: approval-mozilla-aurora+
Sylvestre
: approval-mozilla-beta+
Details | Diff | Splinter Review
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 Build ID: 20160105164030 Firefox for Android Steps to reproduce: PC: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 Android: User-Agent: Mozilla/5.0 (Android 4.1.1; Tablet; rv:43.0) Gecko/43.0 Firefox/43.0 When browse the page that contains the malformed CSP report-uri directive, Firefox crash. =========================================== HTTP/1.1 200 OK Date: Tue, 26 Jan 2016 08:43:03 GMT Content-Security-Policy: script-src 'self'; report-uri javascript: Content-Length: 28 Connection: close Content-Type: text/html; charset=UTF-8 <script>alert(0);</script> ===========================================
Attachment #8712095 - Attachment mime type: text/x-log → text/plain
https://crash-stats.mozilla.com/report/index/e8c3bfab-c74c-48b6-8200-8c5172160126 AFAICT this is a nullptr crash (at least on ff44 beta, where I tested) and so it might not need to be sec-sensitive.
Group: firefox-core-security → core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Product: Firefox → Core
Attached patch Patch v0.1 (obsolete) — Splinter Review
This should do the trick.
Attachment #8712100 - Flags: review?(mozilla)
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Attached patch Patch v0.2Splinter Review
Now without random leftovers from another bit of work - sorry for the bugspam.
Attachment #8712101 - Flags: review?(mozilla)
Attachment #8712100 - Attachment is obsolete: true
Attachment #8712100 - Flags: review?(mozilla)
Comment on attachment 8712101 [details] [diff] [review] Patch v0.2 Review of attachment 8712101 [details] [diff] [review]: ----------------------------------------------------------------- Thanks Gijs, that is indeed the right fix. I also don't think this needs to be security sensitive - feel free to open it up.
Attachment #8712101 - Flags: review?(mozilla) → review+
Ryan, can you un-sec-sensitive this, please? Thanks!
Flags: needinfo?(ryanvm)
Comment on attachment 8712101 [details] [diff] [review] Patch v0.2 Approval Request Comment [Feature/regressing bug #]: CSP parsing [User impact if declined]: crashes! [Describe test coverage new/current, TreeHerder]: https://dxr.mozilla.org/mozilla-central/source/dom/security/test/csp and various other tests, but nothing specifically for this issue, it seems [Risks and why]: very low, essentially just a nullcheck [String/UUID change made/needed]: nope
Attachment #8712101 - Flags: approval-mozilla-beta?
Attachment #8712101 - Flags: approval-mozilla-aurora?
Group: core-security
Flags: needinfo?(ryanvm)
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox47: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Comment on attachment 8712101 [details] [diff] [review] Patch v0.2 Fix a crash, taking it.
Attachment #8712101 - Flags: approval-mozilla-beta?
Attachment #8712101 - Flags: approval-mozilla-beta+
Attachment #8712101 - Flags: approval-mozilla-aurora?
Attachment #8712101 - Flags: approval-mozilla-aurora+
Should be in 45 beta 2
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: