1281204 - Incomplete localhost blacklist allows arbitrary pages to open local URLs

Status: RESOLVED FIXED

(Firefox for iOS :: Browser, defect)

Description

[Brian Nicholson (:bnicholson)]

There are many ways to express 127.0.0.1; see https://www.psyon.org/tools/ip_address_converter.php?ip=127.0.0.1. It's also possible to create different combinations of the addresses listed there (e.g., "0x7f.1") or add zero padding to the different components (e.g., "127.0.0.0001"). That means the blacklist-based fix in bug 1263627 is useless unless we're able cover all possible combinations, which will require breaking the IP down into components and normalizing them.

This attack vector can lead to exploits like bug 1279787 if our local pages aren't protected.

Comment 1

[Stefan Arentz | :st3fan | ⏰ EST | he/him]

Worse, anyone can just create a DNS entry that points to 127.0.0.1. FOr example localhost.xs4all.nl resolves to 127.0.0.1.

Comment 2

[Brian Nicholson (:bnicholson)]

Attachment: Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/1932

Rather than trying to enumerate all possible localhost equivalents (which is impossible anyway, as Stefan pointed out), this makes the server return content only when the requested host matches our "isLocal" test. Effectively, this transforms isLocal into a host whitelist, so now we strictly control which hosts we accept.

Comment 3

[Brian Nicholson (:bnicholson)]

Should land this in 5.0 just to be safe.

Comment 4

[Stefan Arentz | :st3fan | ⏰ EST | he/him]

Comment on attachment 8764346 [details] [review]
Link to Github pull-request: https://github.com/mozilla/firefox-ios/pull/1932

This looks like a good fix if request.URL takes the hostname from the Host: header in the HTTP request.

Comment 5

[Brian Nicholson (:bnicholson)]

master: https://github.com/mozilla/firefox-ios/commit/4c8ee0021ad2fb7e05bc3ac0e6828cd5f2e75044
v5.x: 6621e74