Closed Bug 125583 Opened 22 years ago Closed 22 years ago

Disable automatic XLinks in Mail

Categories

(Core :: Security, defect, P2)

defect

Tracking

()

VERIFIED FIXED
mozilla1.0.1

People

(Reporter: security-bugs, Assigned: hjtoi-bugzilla)

References

Details

(Whiteboard: [ADT2 RTM] [fixed on trunk 6/14, branch 6/19])

Attachments

(1 file, 1 obsolete file)

xlink in xml allows opening new windows even with javascript disabled.
While this is not quite big issue, it may be used for advertising purpose and
more importantly it may be used to escape the email sandbox by circumventing
javascript and force the user to visit a page which contain javascript.
The following xml file:
----xlink1.xml------------
<zvon:logo xmlns:zvon = "http://www.zvon.org"
   xmlns:xlink="http://www.w3.org/1999/xlink"
   xlink:type="simple"
   xlink:href="http://www.guninski.com"
   xlink:show="new"
   xlink:actuate="onLoad">
 </zvon:logo>
--------------------------
Shall open www.guninski.com in new window without any interaciotn and even if
javascript is disabled.

Email example:
Put the following in html message:
<iframe src="http://URL_TO_XLINK1/xlink1.xml"></iframe>

When the user previews the message, a new window shall be opened in which
javascript may be enabled.

So if html exploit pops up with this bug it may be exploited by html email
without user interaction.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.0
Mozilla1.1
Target Milestone: mozilla1.0 → mozilla1.1
-> heikki
Assignee: mstoltz → heikki
Status: ASSIGNED → NEW
Whiteboard: [ADT2 RTM]
This is related to bug 132105.

I am thinking I could disable automatic XLinks completely in mailnews (without
even giving any prefs). How can I detect if a page is in mailnews window?
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: mozilla1.1alpha → mozilla1.0.1
This is strange, nsXMLElement::MaybeTriggerAutoLink() calls CheckLoadURI() with
nsIScriptSecurityManager::DISALLOW_FROM_MAIL, so why does this not stop
automatically loading XLinks in mail? Need to run this through the debugger...
Ok, so DISALLOW_FROM_MAIL only checks that the link is not allowed to point to
mail protocols.

Mitch pointed out that I could look at
nsScriptSecurityManager::CanExecuteScripts() in order to find out how to detect
if the document is in mailnews window. I looked at it briefly, but one problem
is that the method uses JSContext to get the root docshell, which it uses to
check for apptype. I don't use JSContext at all in nsXMLElement, and I am not
sure how to get the correct one. I do have a webshell though, and I can get a
docshell from there. Maybe I'll be able to get the root docshell from there.
Need to check tomorrow.
Attached patch Proposed fix 1 (obsolete) — Splinter Review
Seems like I can get the docshell and app type by doing QIs etc. from the
webshell. I have disabled automatic XLinks completely in Mail. I don't think we
need a pref at this point, but it will be easy to add if/when it becomes an
issue. I think we would like a pref and more fine grained control if/when
embedding XLinks are implemented (images would work as embedded XLinks, for
example).

I also tweaked a bit how open-during-load pref works for XLinks. Setting it
used to change automatic XLinks that open in new windows into replacing links,
but I think it is better to completely disable those links if the pref is set.
Changing summary to reflect what the fix will be, and adding Harish and Johnny
to Cc so that they can review.
Summary: Xlink allows opening windows with JS disabled → Disable automatic XLinks in Mail
Comment on attachment 86685 [details] [diff] [review]
Proposed fix 1

r=harishd
Attachment #86685 - Flags: review+
Comment on attachment 86685 [details] [diff] [review]
Proposed fix 1

+	   docShellItem->GetRootTreeItem(getter_AddRefs(rootItem));
+	   if (rootItem) {
+	     nsCOMPtr<nsIDocShell> docshell(do_QueryInterface(rootItem));
+	     if (docshell) {

The "if (rootItem)" check is not needed, do_QueryInterface() does that for you.

sr=jst if you remove that redundant check.
Attachment #86685 - Flags: superreview+
Attachment #86685 - Attachment is obsolete: true
Safe fix, can only regress automatically loading XLinks at most. Since JS is
disabled in mail by default this makes sure you cannot go a around that by using
XLinks.
Keywords: adt1.0.1
Whiteboard: [ADT2 RTM] → [ADT2 RTM][fixinhand]
adt1.0.1+ (on ADT's behalf) approval for checkin to the 1.0 branch, pending
Driver's approval. pls check this into the 1.0 branch, then add the "fixed1.0.1"
keyword.
Blocks: 143047
Keywords: adt1.0.1adt1.0.1+, approval
Approval request sent to drivers@mozilla.org
Checked in on trunk.
Whiteboard: [ADT2 RTM][fixinhand] → [ADT2 RTM][fixed on trunk 6/14]
resolving as fixed, since this has landed on the trunk. pls add the fixe1.0.1
keyword, once this has been landed on the 1.0 branch. thanks!

bsharma - can you pls verify this fix on the trunk? thanks!
Keywords: verifyme
Whiteboard: [ADT2 RTM][fixed on trunk 6/14] → [ADT2 RTM] [fixed on trunk 6/14] [ETA 06/20]
Comment on attachment 86696 [details] [diff] [review]
Fixed jst's concerns

Approved for 1.0 branch.  Please remove mozilla1.0.1+ when it's fixed and add
fixed1.0.1
Attachment #86696 - Flags: superreview+
Attachment #86696 - Flags: review+
Attachment #86696 - Flags: approval+
Fixed on branch too, but only the "Disable automatic XLinks in Mail" part
because the branch does not have code for making XLinks obey the popup prefs.
Marking fixed.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Whiteboard: [ADT2 RTM] [fixed on trunk 6/14] [ETA 06/20] → [ADT2 RTM] [fixed on trunk 6/14, branch 6/19]
Verified on 2002-06-19-trunk build on WinNT

The above test case runs fine on browser and mail client.

Status: RESOLVED → VERIFIED
Keywords: verifyme
Ran the test cases for the browser and the mail on 2002-06-19-branch build on WinNT.

The test for the browser is passing but the test for the mail is failing.

JS is disabled in both clients.

Reopening the bug.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
This works for me on the branch, how did you test? I sent a test email to
myself, where the mail was in HTML format and the body of the message was
inserted with Insert > HTML... from the menus, and the inserted HTML was:

<iframe src="http://green.nscp.aoltw.net/heikki/125583/xlink1.xml"></iframe>

When I create the message, the automatic XLink fires (so I guess I would also
need to disable it for editor?), but when I receive it, and read it, the XLink
does not work.

There is no browser patr of the test, except to regression test (see that
automatic XLinks still work in browser).
I just noticed that Bindu tested with 6/19 build, but I only fixed this one the
branch on that day. So I don't think that build had the fix yet. Please verify
with a 6/20 or later branch build. Closing again as fixed.
Status: REOPENED → RESOLVED
Closed: 22 years ago22 years ago
Resolution: --- → FIXED
Verified on 2002-06-27-trunk and 2002-06-27-branch build on Win2K.

The above test case works as expected in Mail.
Adding verified1.0.1 keyword.
Status: RESOLVED → VERIFIED
Group: security?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: