Closed Bug 1295002 (CVE-2017-5422) Opened 8 years ago Closed 8 years ago

Recursive keyword fixup for many-nested view-source: URLs crashes

Categories

(Core :: DOM: Navigation, defect)

48 Branch
x86
Windows 10
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla52
Tracking Status
firefox50 --- wontfix
firefox51 --- wontfix
firefox52 --- fixed

People

(Reporter: alex, Assigned: Gijs)

Details

(4 keywords, Whiteboard: [adv-main52+] stack exhaustion)

Crash Data

Attachments

(2 files)

Attached file example.html
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0 Build ID: 20160726073904 Steps to reproduce: Lots of view-source: strung together cause the browser to crash. Actual results: The browser crashed. Expected results: Viewing the source of view-source is pointless & should be blocked.
Keywords: crash
OS: Unspecified → Windows 10
Hardware: Unspecified → x86
Thanks for taking the time to report this! Please provide the crash ID from about:crashes : https://developer.mozilla.org/en/How_to_get_a_stacktrace_for_a_bug_report explains how to do this. When doing so, please also add the keyword "crashreportid" to the "Keywords" field of this report.
Flags: needinfo?(alex)
Crash Signature: bp-68bc2ca0-5bce-44d3-a1c0-839af2160814
Keywords: crashreportid
Flags: needinfo?(alex)
Crash Signature: bp-68bc2ca0-5bce-44d3-a1c0-839af2160814 → [@ mozilla::Tokenizer::Parse]
I tried reproducing this issue and got crash: bp-8e3b0f7f-1c64-450a-8478-62d842160817 User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0
Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: Untriaged → Document Navigation
Product: Firefox → Core
Flags: needinfo?(gijskruitbosch+bugs)
Summary: view-source crash exploit → Recursive keyword fixup for many-nested view-source: URLs crashes
Whiteboard: stack exhaustion
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Flags: needinfo?(gijskruitbosch+bugs)
Comment on attachment 8796980 [details] Bug 1295002 - don't accept nested view-source: references in nsDefaultURIFixup, I'm not docshell peer.
Attachment #8796980 - Flags: review?(bugs)
Attachment #8796980 - Flags: review?(amarchesini)
Attachment #8796980 - Flags: feedback+
Comment on attachment 8796980 [details] Bug 1295002 - don't accept nested view-source: references in nsDefaultURIFixup, https://reviewboard.mozilla.org/r/82606/#review81338 I guess we can do this. Stipping view-source in a loop might be a bit nicer, but shouldn't really matter.
Attachment #8796980 - Flags: review?(bugs) → review+
Comment on attachment 8796980 [details] Bug 1295002 - don't accept nested view-source: references in nsDefaultURIFixup, https://reviewboard.mozilla.org/r/82606/#review81338 Er, stripping
Pushed by gijskruitbosch@gmail.com: https://hg.mozilla.org/integration/autoland/rev/b7ccf1f2df8f don't accept nested view-source: references in nsDefaultURIFixup, r=smaug
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Whiteboard: stack exhaustion → [adv-main52+] stack exhaustion
Alias: CVE-2017-5422
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: