Bug 1295002 (CVE-2017-5422)

Recursive keyword fixup for many-nested view-source: URLs crashes

RESOLVED FIXED in Firefox 52

Status


Core
Document Navigation
RESOLVED FIXED
10 months ago
3 months ago

People

(Reporter: Alex B, Assigned: Gijs)

Tracking

(4 keywords)

48 Branch
mozilla52
x86
Windows 10
crash, crashreportid, csectype-dos, sec-low
Points:
---

Firefox Tracking Flags

(firefox50 wontfix, firefox51 wontfix, firefox52 fixed)

Details

(Whiteboard: [adv-main52+] stack exhaustion, crash signature)


Attachments

(2 attachments)

(Reporter)

Description

10 months ago
Created attachment 8780885 [details]
example.html

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160726073904

Steps to reproduce:

Lots of view-source: strung together cause the browser to crash.


Actual results:

The browser crashed.


Expected results:

Viewing the source of view-source is pointless & should be blocked.
(Reporter)

Updated

10 months ago
Keywords: crash
OS: Unspecified → Windows 10
Hardware: Unspecified → x86

Comment 1

10 months ago
Thanks for taking the time to report this!
Please provide the crash ID from about:crashes; https://developer.mozilla.org/en/How_to_get_a_stacktrace_for_a_bug_report explains how to do this. When doing so, please also add the keyword "crashreportid" to the "Keywords" field of this report.
Flags: needinfo?(alex)
(Reporter)

Updated

10 months ago
Crash Signature: bp-68bc2ca0-5bce-44d3-a1c0-839af2160814
Keywords: crashreportid
(Reporter)

Updated

10 months ago
Flags: needinfo?(alex)

Comment 2

10 months ago
bp-68bc2ca0-5bce-44d3-a1c0-839af2160814

Updated

9 months ago
Crash Signature: bp-68bc2ca0-5bce-44d3-a1c0-839af2160814 → [@ mozilla::Tokenizer::Parse]

Comment 3

9 months ago
I tried reproducing this issue and got a crash: bp-8e3b0f7f-1c64-450a-8478-62d842160817

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0
Status: UNCONFIRMED → NEW
Ever confirmed: true

Updated

8 months ago
Component: Untriaged → Document Navigation
Product: Firefox → Core
(Assignee)

Updated

8 months ago
Flags: needinfo?(gijskruitbosch+bugs)
Keywords: csectype-dos, sec-low
Summary: view-source crash exploit → Recursive keyword fixup for many-nested view-source: URLs crashes
Whiteboard: stack exhaustion
(Assignee)

Updated

8 months ago
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Flags: needinfo?(gijskruitbosch+bugs)
Comment on attachment 8796980 [details]
Bug 1295002 - don't accept nested view-source: references in nsDefaultURIFixup,

I'm not a docshell peer.
Attachment #8796980 - Flags: review?(bugs)
Attachment #8796980 - Flags: review?(amarchesini)
Attachment #8796980 - Flags: feedback+

Comment 6

8 months ago
mozreview-review
Comment on attachment 8796980 [details]
Bug 1295002 - don't accept nested view-source: references in nsDefaultURIFixup,

https://reviewboard.mozilla.org/r/82606/#review81338

I guess we can do this. Stipping view-source in a loop might be a bit nicer, but shouldn't really matter.
Attachment #8796980 - Flags: review?(bugs) → review+

Comment 7

8 months ago
mozreview-review-reply
Comment on attachment 8796980 [details]
Bug 1295002 - don't accept nested view-source: references in nsDefaultURIFixup,

https://reviewboard.mozilla.org/r/82606/#review81338

Er, stripping
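
As an added illustration (not the patch on attachment 8796980 or any Mozilla code), a fixup routine in the spirit of the fix and of the loop suggestion above: it counts view-source: prefixes in a loop instead of recursing once per prefix, so input length no longer drives stack depth, and it refuses any spec that carries more than one prefix. The FixupInner stand-in and the function names are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Outcome of a fixup attempt: a normalised spec, or a reason for refusing it.
struct FixupResult { bool ok; std::string url, reason; };

static const std::string kViewSource = "view-source:";

// Case-insensitive test for "view-source:" at offset pos (scheme names are
// case-insensitive, so VIEW-SOURCE: must be caught as well).
static bool HasViewSourcePrefixAt(const std::string& s, size_t pos) {
    if (s.size() - pos < kViewSource.size()) return false;
    return std::equal(kViewSource.begin(), kViewSource.end(), s.begin() + pos,
                      [](char a, char b) {
                          return std::tolower(static_cast<unsigned char>(a)) ==
                                 std::tolower(static_cast<unsigned char>(b));
                      });
}

// Stand-in (assumption) for the rest of fixup; it only defaults a bare host
// to http:// so the example is self-contained.
static std::string FixupInner(const std::string& spec) {
    return spec.find("://") == std::string::npos ? "http://" + spec : spec;
}

// Hardened entry point. A recursive design strips one prefix and calls itself
// on the remainder, so N nested prefixes cost N stack frames. Counting them in
// a loop keeps stack use constant, and more than one prefix is refused.
FixupResult FixupURI(const std::string& input) {
    size_t pos = 0, depth = 0;
    while (HasViewSourcePrefixAt(input, pos)) {
        ++depth;
        pos += kViewSource.size();
    }
    if (depth > 1) return {false, "", "nested view-source: rejected"};
    std::string spec = input.substr(pos);
    if (spec.empty()) return {false, "", "empty spec after view-source:"};
    std::string inner = FixupInner(spec);
    return {true, depth == 1 ? kViewSource + inner : inner, ""};
}

// Constructed input for testing: n copies of "view-source:" before spec.
std::string NestedViewSource(size_t n, const std::string& spec) {
    std::string out;
    for (size_t i = 0; i < n; ++i) out += kViewSource;
    return out + spec;
}
```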

Comment 8

8 months ago
Pushed by gijskruitbosch@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/b7ccf1f2df8f
don't accept nested view-source: references in nsDefaultURIFixup, r=smaug

Comment 9

8 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/b7ccf1f2df8f
Status: ASSIGNED → RESOLVED
Last Resolved: 8 months ago
status-firefox52: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
status-firefox50: --- → affected
status-firefox51: --- → affected
status-firefox50: affected → wontfix
status-firefox51: affected → wontfix
Whiteboard: stack exhaustion → [adv-main52+] stack exhaustion
Alias: CVE-2017-5422