Closed
Bug 1289273
(CVE-2016-9073)
Opened 8 years ago
Closed 8 years ago
windows.create schema doesn't specify "format": "relativeUrl"
Categories
(WebExtensions :: General, defect, P2)
WebExtensions
General
Tracking
(firefox49 wontfix, firefox50 fixed, firefox51 fixed, firefox52 fixed)
RESOLVED
FIXED
mozilla52
People
(Reporter: wbamberg, Assigned: kmag)
Details
(Keywords: sec-moderate, Whiteboard: [post-critsmash-triage][adv-main50+] triaged)
Attachments
(3 files)
|
2.05 KB,
application/zip
|
Details | |
|
6.11 KB,
patch
|
aswan
:
review+
ritu
:
approval-mozilla-aurora+
ritu
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
2.43 KB,
patch
|
aswan
:
review+
|
Details | Diff | Splinter Review |
I've attached a WebExtension, that does this:
chrome.browserAction.onClicked.addListener((tab) => {
chrome.windows.create({
url: "popups/popup.html"
});
});
"popups/popup.html" is a path to a file packaged with the add-on. In Chrome, the document is loaded. In Firefox, A new window opens, and tries to load "http://www.popups.com/popup.html".
|
Reporter | |
Comment 1•8 years ago
|
||
Sorry, this isn't a security-sensitive bug.
|
||
Updated•8 years ago
|
Group: toolkit-core-security
|
||
Updated•8 years ago
|
Group: core-security
|
Assignee | |
Comment 2•8 years ago
|
||
We don't currently do any resolution or security checks for these URLs. The most obvious problem this causes is that relative URLs don't work. But it also gives extensions the ability to load arbitrary URLs with the DANGEROUS_TO_LOAD flag, which is a much bigger problem.
Assignee: nobody → kmaglione+bmo
Keywords: sec-moderate
Summary: chrome.windows.create doesn't work with relative paths → windows.create schema doesn't specify "format": "relativeUrl"
|
||
Updated•8 years ago
|
Group: core-security → toolkit-core-security
|
||
Comment 3•8 years ago
|
||
[Tracking Requested - why for this release]:
status-firefox51:
--- → affected
status-firefox52:
--- → affected
Priority: -- → P2
Whiteboard: triaged
|
|
Assignee | |
Comment 4•8 years ago
|
||
MozReview-Commit-ID: 3TUIK6EvO3q
Attachment #8798176 -
Flags: review?(aswan)
|
|
Assignee | |
Comment 5•8 years ago
|
||
MozReview-Commit-ID: LuswsfZ7CHH
Attachment #8798177 -
Flags: review?(aswan)
|
||
Updated•8 years ago
|
Attachment #8798176 -
Flags: review?(aswan) → review+
|
|
Assignee | |
Comment 6•8 years ago
|
||
Comment on attachment 8798176 [details] [diff] [review] Resolve URLs passed to windows.create relative to the caller [Security approval request comment] How easily could an exploit be constructed based on the patch? Not easily, without further details about the bug. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? This patch does not, but the follow-up patch with additional security tests does. Which older supported branches are affected by this flaw? All supported branches are affected. If not all supported branches, which bug introduced the flaw? N/A Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? This patch should apply cleanly, or with minimal modification, to all non-ESR branches. ESR may require non-trivial modification. How likely is this patch to cause regressions; how much testing does it need? Not likely. The method that this changes is relatively well-tested, and the changes do not affect existing tests. Existing code should only be adversely affected if it is already passing illegal URLs, either maliciously or inadvertantly.
Attachment #8798176 -
Flags: sec-approval?
|
|
||
Comment 7•8 years ago
|
||
Comment on attachment 8798177 [details] [diff] [review] Add tests for attempted loads of unsafe URLs This makes sense as far as testing that common URLs rejected by checkLoadURL() aren't valid parameters for windows.create(), but I don't really understand what URI_DANGEROUS_TO_LOAD means and hence what the vulnerability in this is. So either a review by somebody who does understand or a more detailed explanation here would be good.
Attachment #8798177 -
Flags: review?(aswan) → review+
|
|
||
Comment 8•8 years ago
|
||
Comment on attachment 8798176 [details] [diff] [review] Resolve URLs passed to windows.create relative to the caller sec-approval+ for trunk. As a sec-moderate, it doesn't technically require it but I'll give it. https://wiki.mozilla.org/Security/Bug_Approval_Process
Attachment #8798176 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Comment 9•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/92022bcd75830b63fb8247badbbffc16e6c34375 Bug 1289273: Resolve URLs passed to windows.create relative to the caller. r=aswan a=al
|
|
Assignee | |
Updated•8 years ago
|
Keywords: leave-open
|
|
Assignee | |
Comment 10•8 years ago
|
||
Comment on attachment 8798176 [details] [diff] [review] Resolve URLs passed to windows.create relative to the caller Approval Request Comment [Feature/regressing bug #]: N/A [User impact if declined]: This bug allows WebExtensions to load privileged URLs, and to potentially break out of their security sandbox. [Describe test coverage new/current, TreeHerder]: The API that this change affects is covered by existing tests, and this patch adds additional tests for the changes. A separate patch adds tests for the security issues that this addresses. [Risks and why]: Low. The method that this changes is relatively well-tested, and the changes do not affect existing tests. Existing code should only be adversely affected if it is already passing illegal URLs, either maliciously or inadvertantly. [String/UUID change made/needed]: None.
Attachment #8798176 -
Flags: approval-mozilla-beta?
Attachment #8798176 -
Flags: approval-mozilla-aurora?
|
||
Comment 11•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/92022bcd7583
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
|
|
||
Comment 12•8 years ago
|
||
Whoops.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: mozilla52 → ---
status-firefox50:
--- → affected
Comment on attachment 8798176 [details] [diff] [review] Resolve URLs passed to windows.create relative to the caller Sec-mod, Aurora51+, Beta50+
Attachment #8798176 -
Flags: approval-mozilla-beta?
Attachment #8798176 -
Flags: approval-mozilla-beta+
Attachment #8798176 -
Flags: approval-mozilla-aurora?
Attachment #8798176 -
Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/e2714cdbc9db https://hg.mozilla.org/releases/mozilla-beta/rev/35517b0212e4
|
|
Assignee | |
Updated•8 years ago
|
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Keywords: leave-open
Resolution: --- → FIXED
|
|
Assignee | |
Updated•8 years ago
|
|
|
||
Updated•8 years ago
|
Target Milestone: --- → mozilla52
|
|
Assignee | |
Updated•8 years ago
|
Flags: in-testsuite+ → in-testsuite?
|
|
||
Updated•8 years ago
|
Group: toolkit-core-security → core-security-release
|
||
Updated•8 years ago
|
Flags: qe-verify-
Whiteboard: triaged → [post-critsmash-triage] triaged
|
|
||
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage] triaged → [post-critsmash-triage][adv-main50+] triaged
|
|
||
Updated•8 years ago
|
Alias: CVE-2016-9073
|
|
||
Updated•7 years ago
|
Group: core-security-release
|
||
Updated•6 years ago
|
Product: Toolkit → WebExtensions
You need to log in
before you can comment on or make changes to this bug.
Description
•