Closed
Bug 1388015 (CVE-2019-11737)
Opened 7 years ago
Closed 6 years ago
Partial Content Security Policy bypass if host-part contains wildcard
Categories: Core :: DOM: Security, defect, P2
Tracking: RESOLVED FIXED, mozilla70
People: Reporter: xiaoyin.l, Assigned: sstreich
Keywords: sec-low
Whiteboard: [domsecurity-active][post-critsmash-triage][adv-main69+][adv-esr68.1+]
Attachments (2 files):
- 289 bytes, text/html
- 47 bytes, text/x-phabricator-request (RyanVM: approval-mozilla-beta+; RyanVM: approval-mozilla-esr68+)
A Content-Security-Policy: img-src https://*:4433 should only allow port 4433, but Firefox allows a URL with all ports.
Reproducible in Firefox Stable 54 and Nightly 57.0a1. Not reproducible in Edge and Chrome.
This is the same issue as https://bugs.chromium.org/p/chromium/issues/detail?id=682673 in Chromium.
Updated•7 years ago
Group: core-security → dom-core-security
Comment 1•7 years ago (Reporter)
I think the issue is at Line 644 in nsCSPUtils.cpp [1]. If the Host part is *, the function returns true if the scheme is not one of blob:, data:, or filesystem:, without checking the port or path. I think Bug 1075230 is related, since
> + // 2) host matching: Enforce a single *
> + if (mHost.EqualsASCII("*")) {
> + return true;
> + }
was introduced in the patch for that bug.
[1] https://hg.mozilla.org/mozilla-central/file/7f21a31de9fa/dom/security/nsCSPUtils.cpp#l644
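The early-return shape the reporter points at, as an added example that is not Firefox code: a simplified C++ model of CSP host-source matching with the pre-fix behaviour (a `*` host short-circuits before the port and path comparisons) beside a version that still enforces port and path for a wildcard host. `HostSource`, `Url`, `parseUrl`, `matchesBuggy` and `matchesFixed` are this example's own names, the URL splitter only handles `scheme://host[:port][/path]`, and a scheme-less source is assumed to protect an https page.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>

// Constructed model of one CSP host-source, e.g. "https://*:4433/img/".
// Not Firefox's nsCSPHostSrc; field names are this example's own.
struct HostSource {
    std::string scheme;  // "" when the source has no scheme
    std::string host;    // "*" for the wildcard host, "*.example.com" for subdomains
    std::string port;    // "" when absent, "*" for any port, otherwise digits
    std::string path;    // "" when absent; trailing '/' means prefix match
};

// A fetched URL of the shape scheme://host[:port][/path] (no userinfo, no IPv6).
struct Url {
    std::string scheme;
    std::string host;
    int port;            // effective port, scheme default applied when absent
    std::string path;
};

static int defaultPort(const std::string& scheme) {
    if (scheme == "https") return 443;
    if (scheme == "http") return 80;
    return -1;
}

// Minimal splitter; only URLs containing "://" are supported.
Url parseUrl(const std::string& s) {
    Url u;
    const size_t schemeEnd = s.find("://");
    u.scheme = s.substr(0, schemeEnd);
    const size_t rest = schemeEnd + 3;
    const size_t slash = s.find('/', rest);
    const std::string authority =
        s.substr(rest, slash == std::string::npos ? std::string::npos : slash - rest);
    u.path = slash == std::string::npos ? "/" : s.substr(slash);
    const size_t colon = authority.find(':');
    if (colon == std::string::npos) {
        u.host = authority;
        u.port = defaultPort(u.scheme);
    } else {
        u.host = authority.substr(0, colon);
        u.port = std::atoi(authority.substr(colon + 1).c_str());
    }
    return u;
}

static bool schemeMatches(const HostSource& src, const Url& url) {
    // Assumption: the protected page is https, so a scheme-less source matches
    // https only. An http: source also permits https: loads.
    if (src.scheme.empty()) return url.scheme == "https";
    return src.scheme == url.scheme || (src.scheme == "http" && url.scheme == "https");
}

static bool hostMatches(const std::string& pattern, const std::string& host) {
    if (pattern == "*") return true;
    if (pattern.rfind("*.", 0) == 0) {
        const std::string suffix = pattern.substr(1);  // ".example.com"
        return host.size() > suffix.size() &&
               host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
    }
    return pattern == host;
}

static bool portMatches(const HostSource& src, const Url& url) {
    if (src.port == "*") return true;
    // No port in the source: the URL must use the scheme's default port.
    if (src.port.empty())
        return url.port == defaultPort(src.scheme.empty() ? url.scheme : src.scheme);
    return url.port == std::atoi(src.port.c_str());
}

static bool pathMatches(const std::string& pattern, const std::string& path) {
    if (pattern.empty()) return true;
    if (pattern.back() == '/') return path.compare(0, pattern.size(), pattern) == 0;
    return pattern == path;
}

static bool isLocalScheme(const std::string& scheme) {
    return scheme == "blob" || scheme == "data" || scheme == "filesystem";
}

// Pre-fix shape as described in comment 1: a "*" host returns early, so the
// port and path comparisons below are never reached.
bool matchesBuggy(const HostSource& src, const Url& url) {
    if (!schemeMatches(src, url)) return false;
    if (src.host == "*") return !isLocalScheme(url.scheme);
    if (!hostMatches(src.host, url.host)) return false;
    if (!portMatches(src, url)) return false;
    return pathMatches(src.path, url.path);
}

// Fixed shape: the wildcard decides only the host component; port and path
// are still enforced for every source.
bool matchesFixed(const HostSource& src, const Url& url) {
    if (!schemeMatches(src, url)) return false;
    if (src.host == "*" && isLocalScheme(url.scheme)) return false;
    if (!hostMatches(src.host, url.host)) return false;
    if (!portMatches(src, url)) return false;
    return pathMatches(src.path, url.path);
}

int main() {
    const HostSource src{"https", "*", "4433", ""};                   // img-src https://*:4433
    const Url other = parseUrl("https://other.example:8443/a.png");  // constructed URL
    std::cout << "buggy allows port 8443: " << matchesBuggy(src, other) << "\n";
    std::cout << "fixed allows port 8443: " << matchesFixed(src, other) << "\n";
    return 0;
}
```

The same split applies to the path component Dan asks about in comment 3: with the early return, `img-src https://*/img/` would accept any path on any host, while the fixed matcher still requires the `/img/` prefix.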
Comment 2•7 years ago
Yeah, I think we bail early and allow the load if the wildcard is used for the host without checking the port. I am going to look into that and get that fixed.
Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Priority: -- → P2
Whiteboard: [domsecurity-active]
Comment 3•7 years ago
Calling this sec-low because if you'll accept any arbitrary host it would be easy for an attacker to use whatever port they needed to bypass CSP anyway. But sure, if the spec says to enforce port then we should do that.
We should check that path is enforced too.
Keywords: sec-low
Comment 4•7 years ago (Reporter)
Any updates on this?
Comment 5•6 years ago
Moving to p3 because no activity for at least 1 year(s).
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
Updated•6 years ago
Assignee: ckerschb → streich.mobile
Priority: P3 → P2
Comment 6•6 years ago (Assignee)
Updated•6 years ago (Assignee)
Keywords: checkin-needed
Comment 7•6 years ago
Keywords: checkin-needed
Comment 8•6 years ago
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox70:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Comment 9•6 years ago
Please nominate this patch for Beta and ESR68 approval when you're comfortable doing so.
status-firefox68:
--- → wontfix
status-firefox69:
--- → affected
status-firefox-esr60:
--- → wontfix
status-firefox-esr68:
--- → affected
Flags: needinfo?(streich.mobile)
Flags: in-testsuite+
Comment 10•6 years ago (Assignee)
Comment on attachment 9073020 [details]
Bug 1388015 - Add checks to respect CSP-wildcard + Ports r=ckerschb
Beta/Release Uplift Approval Request
- User impact if declined: The user is left vulnerable to a CSP-Bypass Attack, if the page uses a "Wildcard+Port" host in its CSP-Rule
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch just adds a single check in case a "*" is present in the CSP host declaration; all the other code paths for checking the host are left untouched.
- String changes made/needed:
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Currently Firefox ignores the Port in a CSP Host declaration if the host is "*", which opens a Vector for CSP-Bypassing.
- User impact if declined: The user is left vulnerable to a CSP-Bypass Attack.
- Fix Landed on Version: Nightly 70
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch just adds a single check in case a "*" is present in the CSP host declaration; all the other code paths for checking the host are left untouched.
- String or UUID changes made by this patch:
Flags: needinfo?(streich.mobile)
Attachment #9073020 - Flags: approval-mozilla-esr68?
Attachment #9073020 - Flags: approval-mozilla-beta?
Comment 11•6 years ago
Comment on attachment 9073020 [details]
Bug 1388015 - Add checks to respect CSP-wildcard + Ports r=ckerschb
CSP security improvement with automated tests. Approved for 69.0b6 and 68.1esr.
Attachment #9073020 - Flags: approval-mozilla-esr68? → approval-mozilla-esr68+
Attachment #9073020 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 12•6 years ago
uplift
Comment 13•6 years ago
uplift
Updated•6 years ago
Flags: qe-verify-
Whiteboard: [domsecurity-active] → [domsecurity-active][post-critsmash-triage]
Updated•5 years ago
Alias: CVE-2019-11737
Updated•5 years ago
Whiteboard: [domsecurity-active][post-critsmash-triage] → [domsecurity-active][post-critsmash-triage][adv-main68+][adv-esr68.1+]
Updated•5 years ago
Whiteboard: [domsecurity-active][post-critsmash-triage][adv-main68+][adv-esr68.1+] → [domsecurity-active][post-critsmash-triage][adv-main69+][adv-esr68.1+]
Updated•5 years ago
Group: core-security-release