Closed Bug 1281204 Opened 5 years ago Closed 5 years ago
Incomplete localhost blacklist allows arbitrary pages to open local URLs
There are many ways to express 127.0.0.1; see https://www.psyon.org/tools/ip_address_converter.php?ip=127.0.0.1. It's also possible to create different combinations of the addresses listed there (e.g., "0x7f.1") or add zero padding to the different components (e.g., "127.0.0.0001"). That means the blacklist-based fix in bug 1263627 is useless unless we're able to cover all possible combinations, which will require breaking the IP down into components and normalizing them. This attack vector can lead to exploits like bug 1279787 if our local pages aren't protected.
Worse, anyone can just create a DNS entry that points to 127.0.0.1. For example, localhost.xs4all.nl resolves to 127.0.0.1.
Rather than trying to enumerate all possible localhost equivalents (which is impossible anyway, as Stefan pointed out), this makes the server return content only when the requested host matches our "isLocal" test. Effectively, this transforms isLocal into a host whitelist, so now we strictly control which hosts we accept.
Attachment #8764346 - Flags: review?(sarentz)
Comment on attachment 8764346
Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/1932
This looks like a good fix if request.URL takes the hostname from the Host: header in the HTTP request.
Attachment #8764346 - Flags: review?(sarentz) → review+
master: https://github.com/mozilla/firefox-ios/commit/4c8ee0021ad2fb7e05bc3ac0e6828cd5f2e75044
v5.x: 6621e74
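
The two approaches discussed in this bug, as an added Python example that is not the firefox-ios code: normalizing IPv4 spellings so a denylist can recognize them, versus an exact-match host allowlist. The allowlist contents, the port 8080 and all function names are assumptions, and the host is assumed to come from the request's Host header, as the review comment requires.

```python
# Added illustration: names and sample values are constructed, not firefox-ios code.
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}  # assumed allowlist for the local server


def parse_legacy_ipv4(host):
    """Parse inet_aton-style IPv4 text (1-4 parts, dec/octal/hex) to an int, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not (p.isascii() and p.isalnum()):
            return None
        try:
            if p.lower().startswith("0x"):
                nums.append(int(p[2:], 16))
            elif len(p) > 1 and p.startswith("0"):
                nums.append(int(p, 8))  # leading zero means octal
            else:
                nums.append(int(p, 10))
        except ValueError:
            return None
    *head, last = nums
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last  # the last part fills all remaining low-order bytes
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return value


def is_loopback_literal(host):
    """True when the text normalizes to an address in 127.0.0.0/8."""
    value = parse_legacy_ipv4(host)
    return value is not None and value >> 24 == 127


def host_from_header(header):
    """Lowercase a Host header value and strip its port."""
    header = header.strip().lower()
    if header.startswith("["):  # bracketed IPv6 literal
        return header[1:header.find("]")] if "]" in header else ""
    return header.rsplit(":", 1)[0] if ":" in header else header


def request_allowed(host_header):
    """Serve only when the requested host is exactly one the server expects."""
    return host_from_header(host_header) in ALLOWED_HOSTS
```

Normalization recognizes the numeric spellings but cannot see that a DNS name resolves to 127.0.0.1, while the exact-match check rejects both kinds of host.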