Closed
Bug 1259849
Opened 8 years ago
Closed 8 years ago
Access to components object using video tag
Categories
(Firefox :: Untriaged, defect)
RESOLVED
INVALID
People
(Reporter: qab, Unassigned)
Attachments
(1 file)
221 bytes, text/html
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Steps to reproduce:
View attached PoC file and follow instructions

Actual results:
Seems like the data uri is opened in unexpected context and within this context a Components object is exposed. Not sure if this is the same object that could lead to RCE, but from my brief googling it's possible these functions have elevated privileges (ref: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIXMLHttpRequest )

Expected results:
Best course of action would be to open the data uri with the context of the website you opened from (similar to when you open a data uri using an anchor tag). Alternatively, disallow video html tag from hosting non-video data uris.

Side note: If you choose 'save video' the debugger shows the following error, though no actual crash exists:
(7c4.4064): Unknown exception - code 8001010e (first chance)
Comment 1•8 years ago
I'm not sure I understand what this POC is supposed to be doing. When I right-click on the video element and choose "View video", I get a blank page and |data:text/html,<script>console.dir(Components.interfaces)</script>| in the location bar. Both on a current nightly build and the Fx45 release build. I tried opening the POC both from bugzilla and after saving it locally.
Flags: needinfo?(qab)
Comment 2•8 years ago
Doesn't document.location = "data:text/html,<script>console.dir(Components.interfaces)</script>" do the same thing? We are deprecating the non-standard Components object, but the version available to a non-privileged context is quite different from the full-powered one in privileged contexts. Seems like a bug that we're offering "video" menu items for an element with a non-video content-type, but it doesn't seem to be a security bug.
Comment 3•8 years ago
Ryan: the test case dumps the Components.interfaces object on the console, so you have to open dev tools to see anything.
Comment 4•8 years ago
> but the version available to a non-privileged context is quite different from the full-powered one in privileged contexts
Indeed. The test is whether Components.utils is present. Components.interfaces in a non-privileged context is just a mapping of some random (well, not totally random, but having nothing to do with any specs) strings to DOM interface objects.
Comment 5•8 years ago
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Seems like a bug that we're offering "video" menu items for an element with
> a non-video content-type, but it doesn't seem to be a security bug.

I don't know that we can detect this from the context menu... Jared, do you?
Flags: needinfo?(jaws)
Comment 6•8 years ago
(In reply to :Gijs Kruitbosch from comment #5)
> (In reply to Daniel Veditz [:dveditz] from comment #2)
> > Seems like a bug that we're offering "video" menu items for an element with
> > a non-video content-type, but it doesn't seem to be a security bug.
>
> I don't know that we can detect this from the context menu... Jared, do you?

We can't really trust content-types, in fact we explicitly ignore them since https://bugzilla.mozilla.org/show_bug.cgi?id=1048579 and https://www.w3.org/Bugs/Public/show_bug.cgi?id=11984.
Flags: needinfo?(jaws)
Updated•8 years ago
Summary: Access to componenets object using video tag → Access to components object using video tag
Comment 7•8 years ago
Component.utils does not appear to be present, so based on comment 4, this does not appear to be an issue. Abdulrahman, do you agree?
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Reporter
Comment 8•8 years ago
(In reply to Matt Wobensmith [:mwobensmith][:matt:] from comment #7)
> Component.utils does not appear to be present, so based on comment 4, this
> does not appear to be an issue.
>
> Abdulrahman, do you agree?

Yes, after more testing it seems like the Components object which was discussed here sort of exists everywhere. For example, open the console here and just type in Components and hit enter. Suddenly the object appears, but no utils. Think it's safe to say this is Invalid, apologies for the mistake.
Flags: needinfo?(qab)
Updated•8 years ago
Group: firefox-core-security
Resolution: WORKSFORME → INVALID
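
The triage check described in comment 4 and repeated by the reporter in comment 8, written out as an added example (not part of the bug thread or of Firefox's code). The helper name `classifyComponents` and the stand-in global objects are constructed for illustration; treating a throwing `utils` getter as unprivileged is an assumption.

```javascript
// Added triage helper: classify a global object by the rule from comment 4,
// i.e. a Components object only indicates a privileged context if `utils`
// is present. `interfaces` alone is the harmless unprivileged version.
function classifyComponents(globalObj) {
  let c;
  try {
    c = globalObj.Components;
  } catch (e) {
    return { verdict: "inaccessible", members: [] };
  }
  if (c === undefined || c === null) {
    return { verdict: "absent", members: [] };
  }
  const members = [];
  for (const name of ["interfaces", "utils"]) {
    let present = false;
    try {
      present = c[name] !== undefined && c[name] !== null;
    } catch (e) {
      present = false; // assumption: a getter that throws is not usable
    }
    if (present) members.push(name);
  }
  const verdict = members.includes("utils") ? "privileged" : "unprivileged-shim";
  return { verdict, members };
}

// Constructed stand-ins for the contexts discussed in the thread.
const contentLike = { Components: { interfaces: { exampleName: function Node() {} } } };
const chromeLike = { Components: { interfaces: {}, utils: {} } };
const noComponents = {};

for (const [label, g] of [
  ["content-like", contentLike],
  ["chrome-like", chromeLike],
  ["no Components", noComponents],
]) {
  console.log(label, JSON.stringify(classifyComponents(g)));
}
```

In a browser console the same function can be called as `classifyComponents(window)` on the page under test.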