Closed
Bug 1405195
Opened 8 years ago
Closed 8 years ago
Web content can specify arbitrary triggering principal for images
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla58
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox56 | --- | unaffected |
| firefox57 | --- | unaffected |
| firefox58 | + | fixed |
People
(Reporter: kmag, Assigned: allstars.chh)
References
Details
(Keywords: csectype-priv-escalation, regression, sec-critical)
Attachments
(1 file)
|
1.82 KB,
patch
|
baku
:
review+
|
Details | Diff | Splinter Review |
We currently allow web content to specify any arbitrary triggering principal for image loads by adding a loadingprincipal attribute with a serialized principal blob:
http://searchfox.org/mozilla-central/rev/a4702203522745baff21e519035b6c946b7d710d/dom/base/nsContentUtils.cpp#10452-10463
The code asserts that it's only ever used in system principal documents, but that assertion only runs in debug builds.
I don't know if this vulnerability existed before bug 1376971, but I recall seeing that code before and verifying that it was safe. It is definitely not safe now, though. I've confirmed that setting this attribute in ordinary web content load the image with the given principal.
|
Assignee | |
Comment 1•8 years ago
|
||
Thanks for filing this, my bad.
Should I change to MOZ_RELEASE_ASSERT?
Or what should we do when we found out content is trying to do so?
|
Reporter | |
Comment 2•8 years ago
|
||
We should probably just ignore it if the document principal is not the system principal. Crashing just because some content page adds a `loadingprincipal` attribute to an image doesn't sound like a great user experience...
|
|
Reporter | |
Comment 3•8 years ago
|
||
Also probably worth noting that we shouldn't even try to deserialize the object if the document doesn't have the system principal. The deserialization code is not really hardened enough to be exposed to the web.
|
|
Assignee | |
Comment 4•8 years ago
|
||
Assignee: nobody → allstars.chh
Attachment #8914628 -
Flags: review?(amarchesini)
|
||
Updated•8 years ago
|
Attachment #8914628 -
Flags: review?(amarchesini) → review+
|
||
Updated•8 years ago
|
status-firefox56:
--- → unaffected
status-firefox57:
--- → unaffected
status-firefox58:
--- → affected
status-firefox-esr52:
--- → unaffected
tracking-firefox58:
--- → ?
Keywords: regression
|
||
Updated•8 years ago
|
Group: core-security → dom-core-security
|
|
Reporter | |
Comment 6•8 years ago
|
||
Adding bz, since he'll almost certainly also notice this when he reviews bug 1406278.
|
|
||
Comment 7•8 years ago
|
||
Wait. Why are we wasting time getting the attribute in the common, non-systemprincipal, case?
Why is any of this code running at all in the non-systemprincipal case?
Why does GetLoadingPrincipalForXULNode have a misleading name? It has nothing whatsoever to do with "XUL"; it never checks for "XUL", and it works on all elements. Maybe the name sort of made sense as long as nsImageBoxFrame was the only consumer, but the changes to use this in nsImageLoadingContent and HTMLMediaElement clearly have nothing to do with "XUL".
Why does the documentation for GetLoadingPrincipalForXULNode talk about "if aLoadingPrincipal has 'loadingprincipal' attributes"? aLoadingPrincipal is an out param, and principals can't have attributes.
Please file a followup bug to clean this stuff up to be sane.
Flags: needinfo?(amarchesini)
Flags: needinfo?(allstars.chh)
|
|
||
Comment 8•8 years ago
|
||
Also, GetLoadingPrincipalForXULNode is getting a triggering principal, not a loading principal....
|
|
||
Comment 9•8 years ago
|
||
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
|
|
||
Updated•8 years ago
|
Group: dom-core-security → core-security-release
|
|
Reporter | |
Comment 12•8 years ago
|
||
This shouldn't have landed without sec-approval, especially not with such a descriptive commit message. :(
But at least it hasn't made it to a release channel yet...
|
|
||
Comment 13•8 years ago
|
||
The description made it sound like this only affected trunk. Is that not the case? If so, please update the status flags accordingly.
Flags: needinfo?(kmaglione+bmo)
|
|
Reporter | |
Comment 14•8 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #13)
> The description made it sound like this only affected trunk. Is that not the
> case? If so, please update the status flags accordingly.
Like I said in comment 0, I'm not sure that this wasn't a problem before bug 1376971, just that bug 1376971 made it worse. The previous code was already pretty suspect, so I would have liked a sec analyst to make the call on whether this was safe to land.
Either way, the commit message painted a clear bulls-eye on the issue, which is undesirable even if it does only affect trunk.
Flags: needinfo?(kmaglione+bmo)
|
|
||
Comment 15•8 years ago
|
||
So... The GetContentPolicyTypeForUIImageLoading function was added in bug 1319908 and hence dates back to Firefox 53. But it just moved around code that was added in bug 1277803 (Firefox 52). All that code was totally unsafe if a content node was involved, but was restricted to nsImageBoxFrame (Firefox 52) or Mac menu items (Firefox 53) so wasn't a problem unless remote XUL was enabled.
Bug 1376971 started using this totally-unsafe function from code exposed to the web. So this _was_ a nightly-only regression, though checking that it is is not trivial.
Andrea, Yoshi, I would really appreciate a response to comment 7.
|
|
Assignee | |
Comment 16•8 years ago
|
||
Sorry for the late response, was on holiday in the past week.
I filed bug 1407498 for this.
Flags: needinfo?(amarchesini)
Flags: needinfo?(allstars.chh)
|
|
||
Updated•8 years ago
|
Group: core-security-release
|
||
Updated•7 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•