Closed Bug 1411716 (CVE-2017-7846) Opened 7 years ago Closed 7 years ago

TBE-01-014: JavaScript Execution via RSS in mailbox:// origin

Categories

(MailNews Core :: Feed Reader, defect)

Product:
MailNews Core
Component:
Feed Reader
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(thunderbird_esr5257+ fixed, thunderbird57 unaffected, thunderbird58 unaffected)

Status:
RESOLVED FIXED
Milestone:
Thunderbird 58.0
Tracking Flags:
Tracking Status
thunderbird_esr52 57+ fixed
thunderbird57 --- unaffected
thunderbird58 --- unaffected

People

(Reporter: BenB, Assigned: alta88)

References

Details

(Keywords: csectype-sop, sec-high)

Attachments

(4 files, 4 obsolete files)

bug1411716_feed_data_disable_js.patch - For demonstration only, not to be landed.
1.42 KB, patch
Details | Diff | Splinter Review
parserLink.patch
15.67 KB, patch
jorgk-bmo
: review+
Details | Diff | Splinter Review
parserLinkRegex.patch
1008 bytes, patch
alta88
: review+
Details | Diff | Splinter Review
98e543540fb6478308915be0849a5217ad2d0db1.patch (v2)
15.32 KB, patch
Details | Diff | Splinter Review 
In case a user views RSS feeds as a website, e.g. via “View -> Feed article -> Website” or in the standard format of “View -> Feed article -> default format”, it is possible to execute JavaScript in the parsed RSS feed.

When either one of the aforementioned two settings is in place, Thunderbird will check for the presence of a <link> element in a RSS item. It will then fetch and display the specified origin. The remote web page is from then on allowed to execute JavaScript like any normal web page. This is not a straightforward security issue, as the default Same Origin Policy is applied. In case where no <link> element is present, Thunderbird will parse the description element but will forbid JavaScript execution. A possibility to bypass the restriction was uncovered with relation to specifying a data:text/html URL for a <link> element. Thunderbird parses the data: URL and displays the defined HTML page, which then operates in the mailbox:// origin and is allowed to execute JavaScript:

PoC RSS Feed:
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
<channel>
<title>Feed1</title>
<link>http://example.com</link>
<item>
<title>Feed1</title>
<link>data:text/html,%3ch1%3easdf%3c/h1%3e%3cscript%3ealert(123)
%3c/script%3e</link>
</item>
</channel>
</rss>

It is recommended to only allow HTTP/HTTPS URLs in <link> tags. This ensures that a feed can exclusively specify real remote web pages, therefore being restricted to its own origin.
For the original report as PDF; see bug 1411701.
Attached patch parserLink.patch (obsolete) — Splinter Review 
Disallow all non http* <link> type urls.
Attachment #8922854 - Flags: review?(mkmelin+mozilla)
Keywords: csectype-sop, sec-high
Summary: JavaScript Execution via RSS in mailbox:// Origin → TBE-01-014: JavaScript Execution via RSS in mailbox:// Origin
Attached patch parserLink.patch (obsolete) — Splinter Review 
tweaks.
Assignee: nobody → alta88
Attachment #8922854 - Attachment is obsolete: true
Attachment #8922854 - Flags: review?(mkmelin+mozilla)
Attachment #8922969 - Flags: review?(mkmelin+mozilla)
(In reply to Ben Bucksch (:BenB) from comment #0)
> In case where no <link> element is present, Thunderbird will parse
> the description element but will forbid JavaScript execution. A possibility
> to bypass the restriction was uncovered with relation to specifying a
> data:text/html URL for a <link> element. Thunderbird parses the data: URL
> and displays the defined HTML page, which then operates in the mailbox://
> origin and is allowed to execute JavaScript:

data uris are treated as unique opaque origins and do not inherit their origin, so whatever is happening here, there's some misunderstanding about why it's happening.
Status: NEW → ASSIGNED
Regardless of whether there is a principal/origin problem for a data: url load in this case, I would like the patch to go in.

The parser should not store junk for <link> nor do the feed specs anywhere mention data: as a valid url for <link>, (not even atom's iri spec reference for links), so data: is neither within the law and certainly not within the spirit for what a <link> type tag value should be.
Ah, the data uris shouldn't inherit origin is for v57 and above (bug 1324406). So, this bug is not a problem for trunk, we just need to handle it in 52.
And to be clear, this isn't about the principal but only origin. The problem it can cause is potential information disclosure in other mailbox:// uris if the attacker manages to the exact URLs.
(In reply to alta88 from comment #5)
> The parser should not store junk for <link> nor do the feed specs anywhere
> mention data: as a valid url for <link>, (not even atom's iri spec reference
> for links), so data: is neither within the law and certainly not within the
> spirit for what a <link> type tag value should be.

data uris are perfectly valid iris, so I do think the spec allows them (implicitly).
We could also just disable JavaScript for data: links. 
For 57 and above, it's not needed since there the origin is not inherited. Any script executed there can be compared to one executed for a remote origin.
Without getting into the weeds of either the feed specs or spec for the now long obsolete Content-Base header in the coerced mail message from feed entry, "implicitly" is a big stretch. There is no reason to support data: uris in <link> type tags stored as mail headers.

Allowing a data: uri potentially laden with js, and then creating a policy for it at load time, is not a better practice than simply not allowing data: or other non http to be stored in the first place.
Comment on attachment 8922969 [details] [diff] [review]
parserLink.patch

Review of attachment 8922969 [details] [diff] [review]:
-----------------------------------------------------------------

Ok let's go with this one. r=mkmelin

::: mailnews/extensions/newsblog/content/feed-parser.js
@@ +908,5 @@
>  
>      return matchingChildren.length ? matchingChildren : null;
>    },
>  
> +  validLink: function(link)

Please add a short documentation for the method.

@@ +910,5 @@
>    },
>  
> +  validLink: function(link)
> +  {
> +    if (link && link.startsWith("http"))

Simpler and more bullet proof as

if(/https?:/.test(link))

@@ +1012,5 @@
>      options.updates.updateBase = updateBase;
>      aFeed.options = options;
>    },
>  
> +  removeUnprintableASCII: function(s)

Here too, add documentation that you're removing ascii control chars such as \n
Attachment #8922969 - Flags: review?(mkmelin+mozilla) → review+
Attached patch parserLink.patchSplinter Review 
updated for comments.
Attachment #8922969 - Attachment is obsolete: true
Attachment #8926442 - Flags: sec-approval?
Blocks: CVE-2017-7848
Does sec-approval even apply to TB only code? This is a gray area.
Flags: needinfo?(dveditz)
Also, alta88, you need to fill out the sec-approval? template when you set that flag anyway.
Flags: needinfo?(alta88)
Comment on attachment 8926442 [details] [diff] [review]
parserLink.patch

The flag was set because it was requested at first diagnosis.  I don't think this patch rises to sec review level.  It merely sanitizes a string to prevent non http urls.

Sec can decide if it's review worthy and any input is appreciated. Clearing for now.
Attachment #8926442 - Flags: sec-approval?
Flags: needinfo?(alta88)
Keywords: checkin-needed
Attachment #8925664 - Attachment description: bug1411716_feed_data_disable_js.patch → bug1411716_feed_data_disable_js.patch - For demonstration only, not to be landed.
Comment on attachment 8926442 [details] [diff] [review]
parserLink.patch

No indication on what to land here, so I assume it's this one.
Attachment #8926442 - Flags: review+
https://hg.mozilla.org/comm-central/rev/98e543540fb6478308915be0849a5217ad2d0db1
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 58.0
(In reply to Magnus Melin from comment #11)
> @@ +910,5 @@
> >    },
> >  
> > +  validLink: function(link)
> > +  {
> > +    if (link && link.startsWith("http"))
> 
> Simpler and more bullet proof as
> 
> if(/https?:/.test(link))

It seems to me this will match also any "http:" in the middle of the string (e.g. in the Javascript we wanted to disallow).

Should it have been
if (/^https?:\/\//.test(link)) or link.startsWith("http://") || link.startsWith("https://") ?
Of course, thanks for checking aceman.
Attachment #8927088 - Flags: review+
Keywords: checkin-needed
change status for sheriff search..
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Hi the "sheriff developer" here:
Do you really mean: |if (/^https?:\/\//.test(link))|? What is the ? meant to match? Or do you mean |if (/^http?:\/\//.test(link))| where the ? can match an "s"? Looking at the original patch, you mean the latter.
Keywords: checkin-needed
? means optionally having the preceding s, that is matching http and https
Keywords: checkin-needed
(In reply to Magnus Melin from comment #22)
> ? means optionally having the preceding s, that is matching http and https
Sorry, that just occurred to me, too. Here we go:

https://hg.mozilla.org/comm-central/rev/3c4fb63620220649e337cf826b3f1afc39824075
Status: REOPENED → RESOLVED
Closed: 7 years ago7 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
(In reply to Al Billings [:abillings] from comment #13)
> Does sec-approval even apply to TB only code? This is a gray area.

I'm going to guess not because Tbird isn't supporting multiple branches and don't need to worry as much about 0-daying themselves.
Flags: needinfo?(dveditz)
Group: mail-core-security → core-security-release
Why are TB 57 and TB 58 "unaffected" and why did nobody request TB 52 uplift?
Flags: needinfo?(mkmelin+mozilla)
Flags: needinfo?(alta88)
Because for 57 and above the origin is not inherited (mozilla-central tightened security).
Flags: needinfo?(mkmelin+mozilla)
Attachment #8927088 - Flags: approval-comm-esr52?
Attachment #8927088 - Flags: approval-comm-esr52? → approval-comm-esr52+
Flags: needinfo?(alta88)
Comment on attachment 8927088 [details] [diff] [review]
parserLinkRegex.patch

Sadly these
https://hg.mozilla.org/comm-central/rev/98e543540fb6478308915be0849a5217ad2d0db1
https://hg.mozilla.org/comm-central/rev/3c4fb63620220649e337cf826b3f1afc39824075
don't apply to c-esr52 at all, many merge conflicts.

I could try to hand-craft patches for TB 52, but feeds might just break in the middle if I get something wrong.
Flags: needinfo?(alta88)
Attachment #8927088 - Flags: approval-comm-esr52+
Hand-made comm-esr52 patch merging the two patches.
Oops, wrong patch attached.
Attachment #8938350 - Attachment is obsolete: true
Removed some contentBase stuff which slipped in from the TB 58 version.
Attachment #8938351 - Attachment is obsolete: true
Not sure what the needinfo action is. Looks like you have in under control.
Flags: needinfo?(alta88)
You could check the patch while I'm doing bug 1411699 and bug 1418666.
It looks fine, working around the xmlbase patch is annoying.. The patch in the other bug, on top of this one, also is fine.
Alias: CVE-2017-7846
Summary: TBE-01-014: JavaScript Execution via RSS in mailbox:// Origin → TBE-01-014: JavaScript Execution via RSS in mailbox:// origin
Depends on: 1428374
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: