SOP bypass using drag and drop of image.
Categories: Core :: DOM: Copy & Paste and Drag & Drop, defect
People: Reporter: qab; Assigned: Gijs
Details: Keywords: reporter-external, sec-moderate; Whiteboard: [post-critsmash-triage][adv-main71+]
Attachments (6 files):
- 1.23 KB, text/html
- 266 bytes, text/html
- 1.26 KB, text/html
- 4.81 MB, video/mp4
- 47 bytes, text/x-phabricator-request (pascalc: approval-mozilla-beta+; RyanVM: approval-mozilla-esr68+)
- 313 bytes, text/plain
Comment 31 • Reporter • 5 years ago
Updated the original PoC since it was relying on the (now disabled) ability to programmatically navigate/open a data:text/html, URL.
Modified it to work with the latest FF (tested latest nightly). Replaced data: with blob:.
Hope someone can work on this soon.
Comment 32 • Assignee • 5 years ago
(In reply to Abdulrahman Alqabandi from comment #31)
> Created attachment 9104483 [details]
> thing.html
>
> Updated the original PoC since it was relying on the (now disabled) ability to programmatically navigate/open a data:text/html, url.
> Modified it to work with latest FF (tested latest nightly). Replaced Data: with blob:
> Hope someone can work on this soon.

I can't reproduce with the new testcase on macOS, Firefox 71 beta or nightly 72a1, even after downloading and serving on localhost (to avoid potential for breakage due to bmo's CSP). The files[0] on the datatransfer is undefined. What OS did you test on? Is there somewhere specific I should be dropping the box? Is it possible closing the origin window is breaking this (maybe I'm too slow dropping the image?)
Comment 33 • Reporter • 5 years ago
(In reply to :Gijs (he/him) from comment #32)
> I can't reproduce with the new testcase on macOS, Firefox 71 beta or nightly 72a1, even after downloading and serving on localhost (to avoid potential for breakage due to bmo's CSP). The files[0] on the datatransfer is undefined. What OS did you test on? Is there somewhere specific I should be dropping the box? Is it possible closing the origin window is breaking this (maybe I'm too slow dropping the image?)

I tested on Windows 10 Home on Nightly 72.0a1 (2019-10-27) (64-bit). Attached a video of it in action. Notice there is a little lag in the drag motion somewhere in there; I believe it's possible that if you drop too soon it may not work.
But just to be sure, could you instead drag and drop the broken image (from the popup) into the big 'O' located in https://leucosite.com/dnds.html (drop it on the topmost O)?
For me, I am getting an HTML file named 'test.html' containing the content of the Mozilla website. I would like to see what doing this looks like on your OS (if you don't manage to repro by adjusting the steps).
Comment 34 • Reporter • 5 years ago
Forgot one thing:
> Is there somewhere specific I should be dropping the box?

Make sure to drop it within the document and outside of the textarea.
Comment 35 • Assignee • 5 years ago
I can repro on Windows. I get the same content on the leucosite thing, with two exceptions. One is that the x-moz-file-promise-dest-filename is test.html on Windows and just test on Mac. Making the target URL end in test.html fixes that, but doesn't make it work.
The other difference is that on Mac, there's a text/_moz_requestmime type, which brought me to https://searchfox.org/mozilla-central/source/dom/base/nsContentAreaDragDrop.cpp#248,256-257, which makes me think something probably breaks there if we get a non-image response. So yay, Mac is not affected, more or less by accident I guess?
Anyway, this has actually led me to some of the relevant code at https://searchfox.org/mozilla-central/rev/74cc0f4dce444fe0757e2a6b8307d19e4d0e0212/dom/base/nsContentAreaDragDrop.cpp#680 so I will see if I can get a patch for this together.
Comment 39 • Assignee • 5 years ago
I think we should uplift this but it seems sensible to wait at least a little bit to see if we've accidentally broken something people were relying on in terms of copying/dragging images. I'll request uplift for beta next week. Ni to remind myself.
Comment 40 • Assignee • 5 years ago
Comment on attachment 9104890 [details]
Bug 1322864, r?NeilDeakin
Beta/Release Uplift Approval Request
- User impact if declined: security risk of dragging things that are pretending to be images but aren't
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: See comment 0 with the attachment from comment #31. Drag the black square to the area to the left of the text input in the main window. We shouldn't get HTML output in the text area. AFAICT this was never reproducible on mac.
- List of other uplifts needed: n/a
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): I'm just moving a security check into a utility function to ensure checks we added for copy/paste also apply to drag/drop
- String changes made/needed: nope
Comment 41 • 5 years ago
I verified this issue on Windows 10 x64 with FF 72.0a1 (2019-11-03) and I can't reproduce the issue from comment 0 using the attachment from comment 31. Based on this I will mark this issue as verified.
Note: I was able to reproduce the issue on FF Release 70. I also tested the issue on Mac OS X 10.14 and Ubuntu 16.04 but I couldn't reproduce it; the only OS where this issue reproduces is Windows.
Comment 42 • 5 years ago
Comment on attachment 9104890 [details]
Bug 1322864, r?NeilDeakin
Low risk, verified by QA on nightly, uplift approved for 71 beta 8, thanks.
Comment 43 • 5 years ago
uplift
Comment 44 • 5 years ago
I verified this issue on Windows 10 x64 with FF Beta 71.0b8 and I can confirm the fix.
Comment 45 • 5 years ago
Does this need an ESR68 approval request? It grafts cleanly as-landed.
Comment 46 • Assignee • 5 years ago
Comment on attachment 9104890 [details]
Bug 1322864, r?NeilDeakin
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-moderate, straightforward patch
- User impact if declined: sec-moderate security issue
- Fix Landed on Version: 72 uplifted to 71
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It's a pretty small patch. Effectively, there were 2 callsites for 1 utility function, and we moved an extant security check from one of those 2 callsites into the utility function, so it now applies to both copy and drag/drop support.
- String or UUID changes made by this patch: nope
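A small model of the fix as comment 46 describes it, added here as an illustration and not Firefox's own code: the content check sits inside the one helper that both the copy and drag/drop callers use, so both paths enforce it. The helper names and the magic-byte check are assumptions for this example; the page does not reproduce the real check from nsContentAreaDragDrop.cpp.

```javascript
// Added model of the fix structure from comment 46, not Firefox's own code:
// one shared helper serves both the copy-image and drag-image callers, and
// the "is this really an image?" check lives inside that helper, so neither
// caller can bypass it. The check itself (declared type must match sniffed
// magic bytes) is an assumption for this example.

// Magic-byte signatures for the image types this model accepts.
const IMAGE_SIGNATURES = [
  { type: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { type: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Returns the sniffed image MIME type, or null if the bytes are not an image.
function sniffImageType(bytes) {
  for (const sig of IMAGE_SIGNATURES) {
    if (sig.bytes.every((b, i) => bytes[i] === b)) return sig.type;
  }
  return null;
}

// Shared helper: build a file payload only when the declared Content-Type
// and the bytes agree that the resource is an image. An HTML document that
// a cross-origin <img> happened to receive yields null instead of its bytes.
function buildImageFilePayload(resource) {
  const sniffed = sniffImageType(resource.bytes);
  if (sniffed === null) return null;
  const declared = (resource.contentType || "").toLowerCase().split(";")[0].trim();
  if (declared !== sniffed) return null;
  return { name: resource.suggestedName, type: sniffed, bytes: resource.bytes };
}

// Caller 1 (copy) and caller 2 (drag) both go through the checked helper.
function copyImageToClipboard(resource) {
  return buildImageFilePayload(resource);
}
function dragImageFilePromise(resource) {
  return buildImageFilePayload(resource);
}

// Constructed sample inputs: a minimal PNG header, and an HTML document
// served with an image Content-Type (a server "pretending" to send an image).
const SAMPLE_PNG = {
  contentType: "image/png", suggestedName: "pixel.png",
  bytes: new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]),
};
const SAMPLE_HTML_AS_IMAGE = {
  contentType: "image/png", suggestedName: "test.html",
  bytes: new TextEncoder().encode("<!doctype html><title>not an image</title>"),
};
```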
Comment 47 • 5 years ago
Comment on attachment 9104890 [details]
Bug 1322864, r?NeilDeakin
Moves a security check so it applies to both callers. Approved for 68.3esr.
Comment 48 • 5 years ago
uplift