Closed Bug 1254241 Opened 8 years ago Closed 8 years ago

Unchecked redirect in Bugzilla auth integration

Categories

(MozReview Graveyard :: Review Board: Extension, defect)

Product:
MozReview Graveyard
Component:
Review Board: Extension
Version:
Production
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jwkbugzilla, Unassigned)

Details

Attachments

(1 file, 2 obsolete files)

bug-1254241.diff (v3)
1.49 KB, patch
glob
: review+
Details | Diff | Splinter Review 
Unchecked redirects allow hiding phishing websites behind seemingly legitimate Mozilla links. They also allow circumventing referrer checks on websites that enforce the referrer to be a Mozilla website. Yet MozReview allows redirecting to any URL after Bugzilla authentication. Consider the following URL:

> https://bugzilla.mozilla.org/auth.cgi?callback=https://reviewboard.mozilla.org/mozreview/bmo_auth_callback/%3Fredirect%3Dhttp://google.com/&description=MozReview

While this seems to point to BMO, for any logged in Bugzilla user this will redirect to reviewboard.mozilla.org automatically which will in turn redirect to any website (google.com in this case).
Attached patch bug-1254241.diff (obsolete) — Splinter Review 
This should do it, I believe, by enforcing that all directs are local paths (i.e. start with '/').
Assignee: nobody → mcote
Status: NEW → ASSIGNED
Attachment #8730394 - Flags: review?(glob)
Comment on attachment 8730394 [details] [diff] [review]
bug-1254241.diff

Review of attachment 8730394 [details] [diff] [review]:
-----------------------------------------------------------------

r=glob  lgtm
Attachment #8730394 - Flags: review?(glob) → review+
Comment on attachment 8730394 [details] [diff] [review]
bug-1254241.diff

Review of attachment 8730394 [details] [diff] [review]:
-----------------------------------------------------------------

(In reply to Wladimir Palant from comment #3)
> What about protocol-relative URLs?
> 
> > ..%3Fredirect%3D//google.com/&description=MozReview

excellent point, thanks wladimir.

mcote - how parsing the url and rejecting those that don't match the expected hostname.
Attachment #8730394 - Flags: review+ → review-
Attached patch bug-1254241.diff (obsolete) — Splinter Review 
This does the same thing, verifying that the redirect is only a path, by using urlparse.

I didn't want to complicate things by checking for a correct server name; all generated redirects should be local.
Attachment #8730394 - Attachment is obsolete: true
Attachment #8731395 - Flags: review?(glob)
Comment on attachment 8731395 [details] [diff] [review]
bug-1254241.diff

Review of attachment 8731395 [details] [diff] [review]:
-----------------------------------------------------------------

r=glob
Attachment #8731395 - Flags: review?(glob) → review+
I assume that redirecting to something like a data: URL isn't possible?
Hm I could also check that the scheme is empty as well.
Once more, with feeling.
Attachment #8731395 - Attachment is obsolete: true
Attachment #8731489 - Flags: review?(glob)
Comment on attachment 8731489 [details] [diff] [review]
bug-1254241.diff (v3)

Review of attachment 8731489 [details] [diff] [review]:
-----------------------------------------------------------------

r=glob
Attachment #8731489 - Flags: review?(glob) → review+
https://hg.mozilla.org/hgcustom/version-control-tools/rev/415a3d6628d3
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
This has been deployed.  Btw the link in comment 0 should be https://bugzilla.mozilla.org/auth.cgi?callback=https://reviewboard.mozilla.org/mozreview/bmo_auth_callback/%3Fredirect%3Dhttp://google.com/&description=mozreview to avoid generating a new API key (the description at the end should be all lower case).  I've confirmed that it did redirect to google before and no longer does.
Group: mozreview-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: