Closed Bug 125583 Opened 23 years ago Closed 23 years ago

Disable automatic XLinks in Mail

Categories

(Core :: Security, defect, P2)

Product:
Core
Component:
Security
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0.1

People

(Reporter: security-bugs, Assigned: hjtoi-bugzilla)

References

Details

(Whiteboard: [ADT2 RTM] [fixed on trunk 6/14, branch 6/19])

Attachments

(1 file, 1 obsolete file)

Fixed jst's concerns
2.74 KB, patch
jesup
: review+
jesup
: superreview+
jesup
: approval+
Details | Diff | Splinter Review
xlink in xml allows opening new windows even with javascript disabled. While this is not quite big issue, it may be used for advertising purpose and more importantly it may be used to escape the email sandbox by circumventing javascript and force the user to visit a page which contain javascript. The following xml file: ----xlink1.xml------------ <zvon:logo xmlns:zvon = "http://www.zvon.org" xmlns:xlink="http://www.w3.org/1999/xlink" xlink:type="simple" xlink:href="http://www.guninski.com" xlink:show="new" xlink:actuate="onLoad"> </zvon:logo> -------------------------- Shall open www.guninski.com in new window without any interaciotn and even if javascript is disabled. Email example: Put the following in html message: <iframe src="http://URL_TO_XLINK1/xlink1.xml"></iframe> When the user previews the message, a new window shall be opened in which javascript may be enabled. So if html exploit pops up with this bug it may be exploited by html email without user interaction.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.0
Mozilla1.1
Target Milestone: mozilla1.0 → mozilla1.1
-> heikki
Assignee: mstoltz → heikki
Status: ASSIGNED → NEW
Keywords: mozilla1.0.1, nsbeta1+
Whiteboard: [ADT2 RTM]
This is related to bug 132105. I am thinking I could disable automatic XLinks completely in mailnews (without even giving any prefs). How can I detect if a page is in mailnews window?
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: mozilla1.1alpha → mozilla1.0.1
This is strange, nsXMLElement::MaybeTriggerAutoLink() calls CheckLoadURI() with nsIScriptSecurityManager::DISALLOW_FROM_MAIL, so why does this not stop automatically loading XLinks in mail? Need to run this through the debugger...
Ok, so DISALLOW_FROM_MAIL only checks that the link is not allowed to point to mail protocols. Mitch pointed out that I could look at nsScriptSecurityManager::CanExecuteScripts() in order to find out how to detect if the document is in mailnews window. I looked at it briefly, but one problem is that the method uses JSContext to get the root docshell, which it uses to check for apptype. I don't use JSContext at all in nsXMLElement, and I am not sure how to get the correct one. I do have a webshell though, and I can get a docshell from there. Maybe I'll be able to get the root docshell from there. Need to check tomorrow.
Attached patch Proposed fix 1 (obsolete) — Splinter Review
Seems like I can get the docshell and app type by doing QIs etc. from the webshell. I have disabled automatic XLinks completely in Mail. I don't think we need a pref at this point, but it will be easy to add if/when it becomes an issue. I think we would like a pref and more fine grained control if/when embedding XLinks are implemented (images would work as embedded XLinks, for example). I also tweaked a bit how open-during-load pref works for XLinks. Setting it used to change automatic XLinks that open in new windows into replacing links, but I think it is better to completely disable those links if the pref is set.
Changing summary to reflect what the fix will be, and adding Harish and Johnny to Cc so that they can review.
Summary: Xlink allows opening windows with JS disabled → Disable automatic XLinks in Mail
Comment on attachment 86685 [details] [diff] [review] Proposed fix 1 r=harishd
Attachment #86685 - Flags: review+
Comment on attachment 86685 [details] [diff] [review] Proposed fix 1 + docShellItem->GetRootTreeItem(getter_AddRefs(rootItem)); + if (rootItem) { + nsCOMPtr<nsIDocShell> docshell(do_QueryInterface(rootItem)); + if (docshell) { The "if (rootItem)" check is not needed, do_QueryInterface() does that for you. sr=jst if you remove that redundant check.
Attachment #86685 - Flags: superreview+
Attachment #86685 - Attachment is obsolete: true
Safe fix, can only regress automatically loading XLinks at most. Since JS is disabled in mail by default this makes sure you cannot go a around that by using XLinks.
Keywords: adt1.0.1
Whiteboard: [ADT2 RTM] → [ADT2 RTM][fixinhand]
adt1.0.1+ (on ADT's behalf) approval for checkin to the 1.0 branch, pending Driver's approval. pls check this into the 1.0 branch, then add the "fixed1.0.1" keyword.
Blocks: 143047
Keywords: adt1.0.1adt1.0.1+, approval
Approval request sent to drivers@mozilla.org
Checked in on trunk.
Whiteboard: [ADT2 RTM][fixinhand] → [ADT2 RTM][fixed on trunk 6/14]
resolving as fixed, since this has landed on the trunk. pls add the fixe1.0.1 keyword, once this has been landed on the 1.0 branch. thanks! bsharma - can you pls verify this fix on the trunk? thanks!
Keywords: verifyme
Whiteboard: [ADT2 RTM][fixed on trunk 6/14] → [ADT2 RTM] [fixed on trunk 6/14] [ETA 06/20]
Comment on attachment 86696 [details] [diff] [review] Fixed jst's concerns Approved for 1.0 branch. Please remove mozilla1.0.1+ when it's fixed and add fixed1.0.1
Attachment #86696 - Flags: superreview+
Attachment #86696 - Flags: review+
Attachment #86696 - Flags: approval+
Fixed on branch too, but only the "Disable automatic XLinks in Mail" part because the branch does not have code for making XLinks obey the popup prefs. Marking fixed.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Keywords: mozilla1.0.1+fixed1.0.1
Resolution: --- → FIXED
Whiteboard: [ADT2 RTM] [fixed on trunk 6/14] [ETA 06/20] → [ADT2 RTM] [fixed on trunk 6/14, branch 6/19]
Verified on 2002-06-19-trunk build on WinNT The above test case runs fine on browser and mail client.
Status: RESOLVED → VERIFIED
Keywords: verifyme
Ran the test cases for the browser and the mail on 2002-06-19-branch build on WinNT. The test for the browser is passing but the test for the mail is failing. JS is disabled in both clients. Reopening the bug.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
This works for me on the branch, how did you test? I sent a test email to myself, where the mail was in HTML format and the body of the message was inserted with Insert > HTML... from the menus, and the inserted HTML was: <iframe src="http://green.nscp.aoltw.net/heikki/125583/xlink1.xml"></iframe> When I create the message, the automatic XLink fires (so I guess I would also need to disable it for editor?), but when I receive it, and read it, the XLink does not work. There is no browser patr of the test, except to regression test (see that automatic XLinks still work in browser).
I just noticed that Bindu tested with 6/19 build, but I only fixed this one the branch on that day. So I don't think that build had the fix yet. Please verify with a 6/20 or later branch build. Closing again as fixed.
Status: REOPENED → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → FIXED
Verified on 2002-06-27-trunk and 2002-06-27-branch build on Win2K. The above test case works as expected in Mail. Adding verified1.0.1 keyword.
Status: RESOLVED → VERIFIED
Keywords: fixed1.0.1verified1.0.1
Group: security?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: