Closed
Bug 1284372
(CVE-2016-5267)
Opened 9 years ago
Closed 9 years ago
Firefox Mobile Address Bar Spoofing
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(firefox47 wontfix, firefox48+ verified, firefox49+ verified, fennec48+, firefox50+ verified)
People
(Reporter: rbsoulhunter17, Assigned: sebastian)
References
Details
(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [adv-main48+])
Attachments
(5 files)
|
32.77 KB,
image/png
|
Details | |
|
79.39 KB,
image/png
|
Details | |
|
16.98 KB,
image/png
|
Details | |
|
6.76 KB,
patch
|
Grisha
:
review+
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
|
25.06 KB,
image/png
|
Details |
spoofed1.png
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Firefox for Android
Steps to reproduce:
- Visit - https://jsfiddle.net/ktfegrhf/3/ using latest version of Firefox Mobile
- Click on the link and observe the URL
Actual results:
Due to mishandling of arabic RTL characters firefox for mobile causes the complete URL to be displayed from Right to left instead of left to right.
Expected results:
The URL should be been displayed from LTR:
Expected Result:
http://عربي.امارات/google.com/test/test/test
Rendered Results
google.com/test/test/test/عربي.امارات
This is perfectly fine on firefox for mobile
|
Reporter | |
Comment 1•9 years ago
|
||
|
|
Reporter | |
Comment 2•9 years ago
|
||
|
|
Reporter | |
Updated•9 years ago
|
Component: Untriaged → General
Product: Firefox → Firefox for Android
Version: unspecified → 50 Branch
|
|
Reporter | |
Comment 3•9 years ago
|
||
Correction: This is perfectly fine on firefox for mobile
To
Correction: This is perfectly fine on Firefox Desktop Version.
|
||
Comment 4•9 years ago
|
||
Confirmed this behavior. Using the jsfiddle you need to long press and select open in new tab. NI to Margaret for an assignee.
Status: UNCONFIRMED → NEW
tracking-fennec: --- → ?
status-firefox47:
--- → affected
status-firefox48:
--- → affected
status-firefox49:
--- → affected
status-firefox50:
--- → affected
tracking-firefox48:
--- → ?
tracking-firefox49:
--- → ?
tracking-firefox50:
--- → ?
Ever confirmed: true
Flags: needinfo?(margaret.leibovic)
|
||
Comment 5•9 years ago
|
||
Sebastian, can you look into this?
Assignee: nobody → s.kaspari
Flags: needinfo?(margaret.leibovic) → needinfo?(s.kaspari)
|
Assignee | |
Updated•9 years ago
|
Status: NEW → ASSIGNED
Flags: needinfo?(s.kaspari)
|
|
Assignee | |
Comment 6•9 years ago
|
||
The same thing is happening in Chrome but as they are "scrolling" the URL (a variation of bug 1271998) and as their layout actually seems to support RTL it's not looking like a different domain.
I guess the correct solution would be to properly support RTL (at least in the toolbar): meta bug 702845.
In the short term we could try to force LTR. This will display the URL as expected in comment 0.
|
|
Assignee | |
Comment 7•9 years ago
|
||
Attachment #8768373 -
Flags: review?(margaret.leibovic)
|
|
Assignee | |
Comment 8•9 years ago
|
||
|
|
Reporter | |
Comment 9•9 years ago
|
||
Yes, LTR should be properly enforced and all URL's must always be displayed from Left-To-Right no matter what the direction of the content maybe, However, what needs to looked is if it won't cause any issues with appearance of RTL URL's.
|
|
Assignee | |
Comment 10•9 years ago
|
||
Comment on attachment 8768373 [details] [diff] [review]
1284372-force-LTR-URL.patch
@Grisha: Can you take a look? :)
Attachment #8768373 -
Flags: review?(margaret.leibovic) → review?(gkruglov)
|
||
Updated•9 years ago
|
Keywords: csectype-spoof,
sec-moderate
tracking-fennec: ? → 48+
|
||
Comment 11•9 years ago
|
||
Comment on attachment 8768373 [details] [diff] [review]
1284372-force-LTR-URL.patch
Review of attachment 8768373 [details] [diff] [review]:
-----------------------------------------------------------------
This looks fine. I don't know much about unicode directionality stuff; but, since you're adding a public method to StringUtils for forcing LTR, I'll ask: would that approach (appending a special char) work generally, outside of this specific usecase? e.g. can I pass in an already LTR string into it, and safely use/render/edit/etc result afterwards? Perhaps that method should assert that its input is RTL.
Attachment #8768373 -
Flags: review?(gkruglov) → review+
|
|
Assignee | |
Comment 12•9 years ago
|
||
https://hg.mozilla.org/integration/fx-team/rev/4f48e514c1ee8dbc7fea916f7b88659d20cfb655
Bug 1284372 - URL bar: Force LTR for the URL. r=grisha
|
||
Comment 13•9 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 50
|
|
Reporter | |
Updated•9 years ago
|
Flags: sec-bounty?
|
||
Comment 14•9 years ago
|
||
Rafay, please don't set sec-bounty? on your bugs. The procedure is to email security@mozilla.org and ask to be considered for bounties. See https://www.mozilla.org/en-US/security/client-bug-bounty/ under "Claiming a bounty".
|
|
||
Updated•9 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
Assignee | |
Comment 16•9 years ago
|
||
Comment on attachment 8768373 [details] [diff] [review]
1284372-force-LTR-URL.patch
This should be fairly easy to uplift.
Approval Request Comment
[Feature/regressing bug #]: All versions are affected. This might have been the case since the beginning of time.
[User impact if declined]: See screenshot in comment 0. We display some parts of a specifically crafted URLs in an unexpected order. This can be used to make you think you are browsing a different domain than you actually are.
[Describe test coverage new/current, TreeHerder]: Local testing and this is now in Nightly since a couple of days.
[Risks and why]: Lowish. We prepend (RTL) URLs with a control character that forces the view to display it like a LTR string. I can't think of any side effects because at this point this string is only used for displaying (not editing) the URL.
[String/UUID change made/needed]: -
Attachment #8768373 -
Flags: approval-mozilla-beta?
Attachment #8768373 -
Flags: approval-mozilla-aurora?
|
|
||
Updated•9 years ago
|
Group: firefox-core-security → core-security-release
|
||
Updated•9 years ago
|
|
|
||
Comment 17•9 years ago
|
||
Comment on attachment 8768373 [details] [diff] [review]
1284372-force-LTR-URL.patch
OK, fix this issue. Taking it.
Should be in 48 beta 8 or 9.
Ioana, could you verify this? Thanks
Attachment #8768373 -
Flags: approval-mozilla-beta?
Attachment #8768373 -
Flags: approval-mozilla-beta+
Attachment #8768373 -
Flags: approval-mozilla-aurora?
Attachment #8768373 -
Flags: approval-mozilla-aurora+
|
|
||
Updated•9 years ago
|
Flags: qe-verify+
Flags: needinfo?(ioana.chiorean)
|
|
||
Comment 18•9 years ago
|
||
|
|
||
Comment 19•9 years ago
|
||
|
||
Updated•9 years ago
|
Flags: needinfo?(ioana.chiorean)
|
||
Comment 20•9 years ago
|
||
Verified as fixed on all branches(48.0b9, Aurora 49.0a2/2016-07-18 and Nightly
50.0a1/2016-07-18) on a Samsung Galaxy S6 Edge (Android 6.0.1) and on a Samsung Galaxy Tab S2(Android 5.0.2)
|
|
||
Updated•9 years ago
|
Alias: CVE-2016-5267
Whiteboard: [adv-main48+]
|
|
||
Updated•8 years ago
|
Group: core-security-release
|
||
Updated•7 years ago
|
Status: RESOLVED → VERIFIED
Flags: qe-verify+
|
||
Updated•4 years ago
|
Product: Firefox for Android → Firefox for Android Graveyard
|
||
Updated•4 years ago
|
See Also: → CVE-2021-4221
|
||
Updated•9 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•