Closed Bug 1281204 Opened 5 years ago Closed 5 years ago

Incomplete localhost blacklist allows arbitrary pages to open local URLs

Categories: Firefox for iOS :: Browser
Platform: All / iOS
Type: defect
Priority: Not set
Severity: normal

Status: RESOLVED FIXED
Tracking Status: fxios-v5.0 --- fixed; fxios-v6.0 --- fixed; fxios 5.0+ ---

People: Reporter: bnicholson, Assigned: bnicholson

Attachments: (1 file)

There are many ways to express 127.0.0.1; see https://www.psyon.org/tools/ip_address_converter.php?ip=127.0.0.1. It's also possible to create different combinations of the addresses listed there (e.g., "0x7f.1") or add zero padding to the different components (e.g., "127.0.0.0001"). That means the blacklist-based fix in bug 1263627 is useless unless we're able to cover all possible combinations, which will require breaking the IP down into components and normalizing them.

This attack vector can lead to exploits like bug 1279787 if our local pages aren't protected.
Worse, anyone can just create a DNS entry that points to 127.0.0.1. For example localhost.xs4all.nl resolves to 127.0.0.1.
Rather than trying to enumerate all possible localhost equivalents (which is impossible anyway, as Stefan pointed out), this makes the server return content only when the requested host matches our "isLocal" test. Effectively, this transforms isLocal into a host whitelist, so now we strictly control which hosts we accept.
Attachment #8764346 - Flags: review?(sarentz)
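As an added illustration (not the Firefox for iOS code), the Python below normalizes inet_aton-style spellings of 127.0.0.1 to show why a literal blacklist cannot keep up, and contrasts it with the Host whitelist the patch switches to. ALLOWED_HOSTS, LOOPBACK_BLACKLIST and all function names are assumptions made for the example; the project's real "isLocal" check is not reproduced here.

```python
import re
from typing import Optional

# Assumed for the example: the only host the embedded server answers for.
# This is what "isLocal" effectively becomes once it is used as a whitelist.
ALLOWED_HOSTS = {"localhost"}

# A blacklist of the kind bug 1263627 relied on: a few literal spellings.
LOOPBACK_BLACKLIST = {"localhost", "127.0.0.1"}


def _parse_part(part: str) -> Optional[int]:
    """Parse one dotted component like inet_aton: 0x.. hex, leading 0 octal, else decimal."""
    if not part or not part.isalnum():
        return None
    try:
        if part[:2].lower() == "0x":
            return int(part[2:], 16)
        if len(part) > 1 and part[0] == "0":
            return int(part, 8)
        return int(part, 10)
    except ValueError:
        return None


def normalize_ipv4(host: str) -> Optional[str]:
    """Canonical dotted quad for any 1-4 part inet_aton spelling, or None if not numeric.
    With fewer than four parts the last part fills the remaining low-order bytes,
    so "127.1", "0x7f.1", "0177.0.0.1" and "2130706433" all denote 127.0.0.1."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *head, last = values
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    as_int = sum(v << (8 * (3 - i)) for i, v in enumerate(head)) + last
    return ".".join(str((as_int >> shift) & 255) for shift in (24, 16, 8, 0))


def blacklist_blocks(host: str) -> bool:
    """The flawed approach: only exact spellings in the list are blocked."""
    return host.lower() in LOOPBACK_BLACKLIST


def whitelist_serves(host_header: str) -> bool:
    """The fix: serve only when the Host header (port stripped) is exactly an allowed host.
    Numeric aliases and DNS names such as localhost.xs4all.nl never match."""
    host = re.sub(r":\d+$", "", host_header.strip().lower())
    return host in ALLOWED_HOSTS
```

Constructed inputs such as "0x7f.1" normalize to "127.0.0.1" yet pass the blacklist, while the whitelist rejects everything that is not literally an allowed host.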
Should land this in 5.0 just to be safe.
Comment on attachment 8764346 [details] [review]
Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/1932

This looks like a good fix if request.URL takes the hostname from the Host: header in the HTTP request.
Attachment #8764346 - Flags: review?(sarentz) → review+
master: https://github.com/mozilla/firefox-ios/commit/4c8ee0021ad2fb7e05bc3ac0e6828cd5f2e75044
v5.x: 6621e74
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Group: firefox-core-security → core-security-release
Group: core-security-release