1411748 - TBE-01-007: "Reload Page" dialog runs Javascript with external attachment because we only disable JavaScript for nsIMsgMessageUrls

Status: RESOLVED FIXED

(MailNews Core :: Attachments, defect)

Description

[Ben Bucksch (:BenB)]

Thunderbird supports rendering of HTML tags inside an email body but it disables the support to execute JavaScript. It was discovered possible to enable JavaScript execution inside the email body by exploiting an issue with external attachments and “Reload Page” functionality.

First, the user needs to click on “Save” on an external message body of a received email. The specified HTTP resource redirects to file://smb/share URI. This will display the “Corrupted Content Error” page in Thunderbird, in essence letting a user reload the HTTP resource. In case the user decides to reload the page, the HTTP resource can return a normal HTML page, meaning one that can execute JavaScript.

Steps to reproduce (tested on Windows 7):
1. Load external_attachment.eml in Thunderbird.
2. Right click on “NameWhichIsShownInTheGui.html” and opt for “Save”.
3. Thunderbird will fetch http://example.com/redir.php and the attacker’s server answers with the following HTTP response:

GET http://example.com/redir.php HTTP/1.1
[...]
HTTP/1.1 302 Found
Date: Tue, 19 Sep 2017 20:46:23 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: file://example.com/thunderbird/file

4. The “Corrupted Content Error” page is shown in Thunderbird.
5. Click on “Try Again”.
6. Thunderbird will fetch http://example.com/redir.php again and the attacker’s
server answers with the following HTTP response:
GET http://example.com/redir.php HTTP/1.1
[...]
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<h1>123</h1>
<script> alert(1); </script>
7. The page will be displayed in Thunderbird and JavaScript is executed.

File:
External_attachment.eml

Code:
Content-Type: multipart/alternative; boundary="------------
2DEE3F98D70BD2C65FBA7373"
MIME-Version: 1.0
Subject: Link
From: email@email.com
To: email@email.com
--------------2DEE3F98D70BD2C65FBA7373
Content-Type: multipart/related; boundary="------------A320A96F6639F3C578F35383"
--------------A320A96F6639F3C578F35383
Content-Type: text/html
Content-Transfer-Encoding: 7Bit
<!DOCTYPE html>
<body>
<h1>dummy body</h1>
--------------A320A96F6639F3C578F35383
Content-Type: message/external-body; access-type=whatever;
name="NameWhichIsShownInTheGui.html"
X-Mozilla-External-Attachment-URL: http://example.com/redir.php
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="thisigui3.html"
Content-Transfer-Encoding: binary
Cure53, Berlin · 10/11/17
24/35Dr.-Ing. Mario Heiderich, Cure53
Bielefelder Str. 14
D 10709 Berlin
cure53.de · mario@cure53.de
[Ghost Body1234]
--------------A320A96F6639F3C578F35383--
--------------2DEE3F98D70BD2C65FBA7373--

A different handling should concern HTTP/HTTPS URLs specified in an external attachment URL. Specifically, when HTTP/HTTPS URLs are being opened, Thunderbird should utilize the default web browser without fetching the resource beforehand. Another approach could be to either disable or modify the “Corrupted Content Error” page, so as to disallow the reloading of the corrupted HTTP resource.

For the original report as PDF; see bug 1411701.

Comment 1

[Ben Bucksch (:BenB)]

Which security context does the javascript run from? If it's normal content principal, like webpages, I don't think this is something to worry about.

If the Javascript runs with chrome privileges, this should be fixed.
Even then, this needs a lot of very unlikely user interaction.

Comment 2

[Ben Bucksch (:BenB)]

Can somebody reproduce this and check which security context this runs in?

Or just fix it?

Comment 3

[Daniel Veditz [:dveditz]]

Why is the "reload" enabling javascript? If the user is clicking "Save" why are we displaying it at all?

If we are going to display it presumably we're limited to a web context and the origin is the remote origin, but two bad outcomes which are possible are 1) it's a chrome context (unlikely) or 2) it's the mailbox: context which raises the possibility of the attachment being able to read other mail.

Why are we fetching remote content without making it clear to users we're fetching remote content? This looks like an "attachment" to users which they think are local things sent to their mail server, not ratting them out about exactly when they opened it.

Comment 4

[Magnus Melin [:mkmelin]]

I can reproduce and check this. 
JavaScript is run because, we only disable JavaScript for nsIMsgMessageUrls, and this is displaying a remote page. It's limited to the web context and has the remote origin (window.location.origin says localhost when I'm testing a local page). 

(In reply to Daniel Veditz [:dveditz] from comment #3)
> Why is the "reload" enabling javascript? If the user is clicking "Save" why
> are we displaying it at all?

Since getting the file to save fails, we end up with the error page shown. When the "Try again" button is used, the content is loaded, but at that point that we were really saving and not trying to view the page is forgotten.

> Why are we fetching remote content without making it clear to users we're
> fetching remote content? This looks like an "attachment" to users which they
> think are local things sent to their mail server, not ratting them out about
> exactly when they opened it.

Yes there is room for improvements here.

Comment 5

[Magnus Melin [:mkmelin]]

Attachment: bug1411748_External_attachment.eml (test case)

Comment 6

[Wayne Mery (:wsmwk)]

clearing NI, answered by magnus

Comment 7

[Philipp Kewisch [:Fallen] [:📆][:🧩]]

Attachment: Fix - v1

I was only able to reproduce this with content disposition attachment. What I think we should go ahead and do is hide external attachments that are not file:// attachments for now.

It seems to me that bug 1345167 might allow us to restore this functionality as it would display external links differently, but I would be inclined to remove the feature to have remote external attachments, since this sounds to me like an under-tested feature that has a lot of attack surface.

Comment 8

[Magnus Melin [:mkmelin]]

I have to say, I'm not sure. Basically this bug is just about bad UI as a result of an unexpected response. Disabling external attachments (feed enclosures) seems like an overkill.

Comment 9

[Philipp Kewisch [:Fallen] [:📆][:🧩]]

Of course I don't have telemetry to back it up, but allowing this via http seems to be a rather obscure feature to me, and the way we present it in the UI is also not very great (to be fixed in bug 1345167). As much as I hate quick fixes, my point with this bug was to provide a patch that serves as a quick fix that we could backport, possibly down to 52.

Maybe I am unaware of what else external attachments are really used for, do you know? My understanding was that this is for detached attachments, which will always be behind a file:// url. If there is no use case for remote external attachments, and no way to create them without forging a message, I think we should remove the feature and any code associated with it.

Comment 10

[Magnus Melin [:mkmelin]]

I believe the primary use case is for enclosures in feeds (kind of like attachments, media for the article), so you will certainly find valid cases where it's used. Podcasts an such. Of course, it can be debated how important it is.

While this bug is about a kind of odd behavior, it's a bit questionable if there's anything really wrong, apart from that a failed save-as shouldn't load the "failed" page in the UI, avoiding the whole situation.

I wonder if a reasonable thing would be to, at least for 52, just launch the browser for http external attachments - both for save and open.

Comment 11

[Philipp Kewisch [:Fallen] [:📆][:🧩]]

(In reply to Magnus Melin from comment #10)
> I believe the primary use case is for enclosures in feeds (kind of like
> attachments, media for the article), so you will certainly find valid cases
> where it's used. Podcasts an such. Of course, it can be debated how
> important it is.
What kind of feeds use this? How common is this? If this is optimizing for an edge case I think we should rather remove the feature.

> 
> While this bug is about a kind of odd behavior, it's a bit questionable if
> there's anything really wrong, apart from that a failed save-as shouldn't
> load the "failed" page in the UI, avoiding the whole situation.
We could also set the docShell useErrorPages = false. I tried that and it showed an ugly confirm alert we'd have to see if we can get rid of.


> 
> I wonder if a reasonable thing would be to, at least for 52, just launch the
> browser for http external attachments - both for save and open.
I think this would be reasonable even past 52. 

Let me know what approach you prefer.

Comment 12

[Magnus Melin [:mkmelin]]

(In reply to Philipp Kewisch [:Fallen]  from comment #11)
> What kind of feeds use this? How common is this? If this is optimizing for
> an edge case I think we should rather remove the feature.

E.g. http://feeds.wnyc.org/radiolab
I'd say podcasts are fairly common in general, but I have no feel for how much they are used in Thunderbird.

> Let me know what approach you prefer.

Either way is ok for me.

Comment 13

[Philipp Kewisch [:Fallen] [:📆][:🧩]]

So I checked, useErrorPages = false shows an ugly modal alert on each failure, which can get annoying when accidentally loading feed while offline. Looking at the code, there seems no way to prevent the confirm dialog: https://searchfox.org/comm-central/source/mozilla/docshell/base/nsDocShell.cpp#4924

In that case I'd rather go for removing this feature. I'm sure there are valid use cases, but as this is not supported by other major email clients I don't think there is a lot of motivation for publishers to use this feature.

Magnus, if you agree, please continue with the review at your convenience.

Comment 14

[Philipp Kewisch [:Fallen] [:📆][:🧩]]

review ping on this, can we agree to move forward in disabling external attachments? Given this is an edge case feature not supported by other major clients I think it should be ok.

Comment 15

[Jorg K (CEST = GMT+2)]

Hmm, Magnus just landed a patch in bug 1411732, so I see no move to disabling external attachments.

Comment 16

[Magnus Melin [:mkmelin]]

I believe alta88 is on this.

AFAICT, bug 1345167 doesn't fix this per se since while that checks the remote file (using HEAD) there's nothing preventing the next call to that URL to lead somewhere else. Or that HEAD/GET would give different results.

But I think it could fairly easily be modified to do so. We need to do the fetch before accessing, then make sure to access the result we already have.

Comment 17

[alta88]

The “Corrupted Content Error” page will now not ever be shown (as the spoofed nonexistent local file will be checked and failed by the fetch() in the Bug 1345167 patch), thus a reload to the malicious site url can't happen. There isn't a next call, and the link is disabled for further clicks. At least with eml testcase above.

If the spoofed file happens to exist, it will open via the filetype handler, I believe. Not much to gain for an attacker, but not good and so perhaps http urls that resolve to file urls should be rejected specifically. But what does Firefox do for links that resolve to a local file?

It would be good if any additional holes here could be probed post Bug 1345167.

Comment 18

[Magnus Melin [:mkmelin]]

So with the patch from bug 1345167, when selecting open

A) tb checks it receives an ok response from the server (using HTTP HEAD), then
B) goes on to try to open that file

Even if the check in A is ok, there is no reason it will be ok in call B. Which can cause the corrupted content page and the reload scenario. Or what am I missing?

Firefox doesn't allow http->file http redirects - that gives an error page. That's why the error page allowing to try again occurs in the first place.

Comment 19

[alta88]

A response of 302 (moved temporarily) makes gecko follow to the redirect url and do a fetch() HEAD on the nonexistent file url, which returns a fail. So the Open won't happen. And I used HEAD to just check and not download anything, which by spec should return the same things as GET without the content. As per above, a check could be added to reject successful redirect fetch() to an existing file from http origin.

Comment 20

[alta88]

Attachment: redirectSpoof.patch

depends on Bug 1345167 patch.

Comment 21

[Magnus Melin [:mkmelin]]

Comment on attachment 9055378 [details] [diff] [review]
redirectSpoof.patch

Review of attachment 9055378 [details] [diff] [review]:
-----------------------------------------------------------------

::: mail/base/content/msgHdrView.js
@@ +1912,5 @@
>          return response;
>        })
>        .then(async (response) => {
>          if (this.isExternalAttachment) {
> +          if (this.isLinkAttachment && response && !(/^https?:/.test(response.url))) {

I think there is always a response
But, do you really ever get to this case? Isn't a file:// redirect treated as an error and you end up in catch?

There are also other things you could do to get the error page, like redirecting to something non-existant over http.

Comment 22

[Magnus Melin [:mkmelin]]

(In reply to alta88 from comment #19)
I think you're missing the part that the response can vary between calls. That's why I'm trying to say that for the attack scenario it's not really useful to rely on anything else than what we already have obtained. So: the spec may say HEAD returns the exact same thing as GET, but it could easily not (and many setups won't actually follow this, unfortunately.)

I'm not saying any of this is particularly likely to happen in the real world. It can be used as one of the stepping stones of some attack though.

Comment 23

[alta88]

(In reply to Magnus Melin [:mkmelin] from comment #21)

Comment on attachment 9055378 [details] [diff] [review]
redirectSpoof.patch

Review of attachment 9055378 [details] [diff] [review]:

::: mail/base/content/msgHdrView.js
@@ +1912,5 @@

     return response;
   })
   .then(async (response) => {
     if (this.isExternalAttachment) {

•      if (this.isLinkAttachment && response && !(/^https?:/.test(response.url))) {
  

I think there is always a response
But, do you really ever get to this case? Isn't a file:// redirect treated
as an error and you end up in catch?

You're missing that the response.url will be the redirect url, and will differ from request.url. For fetch() it is one call only but 2 calls in gecko, which you can even see in the console with xhr and request toggled on. There is one response to fetch() which is for the redirect url. I don't know what 'response can vary between calls' means, it doesn't work that way.

If you end up in the catch, that's great. The result is a no length size and our error dialog. Any no length size prevents further open. You see that there will be no open unless isEmpty() returns true, right? If the HEAD response by the server choosing to take "should" in the spec literally and not return a content-length, then no open.

There are also other things you could do to get the error page, like
redirecting to something non-existant over http.

No. Unless you have some testcase rather than conjecture. A redirect to a non existent http is a 304 :/ and a redirect to a non http means no size and isEmpty() returns true (error).

I'll attach a debug patch and eml with live redirect url.

Comment 24

[alta88]

Attachment: redirectSpoof.patch

debug.

Comment 25

[alta88]

Attachment: FOSDEM Talk: Video Available.eml

link attachment that redirects.

Comment 26

[alta88]

Attachment: redirectSpoof.patch

rebase debug. also, s/unless isEmpty() returns true/unless isEmpty() returns false.

Comment 27

[Magnus Melin [:mkmelin]]

(In reply to alta88 from comment #23)

You're missing that the response.url will be the redirect url, and will
differ from request.url. For fetch() it is one call only but 2 calls in
gecko, which you can even see in the console with xhr and request toggled
on. There is one response to fetch() which is for the redirect url. I don't
know what 'response can vary between calls' means, it doesn't work that way.

It means that the attacker can have call #1 return A and call #2 return B even if the url is the same. It also means he can set HEAD to respond C and GET to respond D.

There are also other things you could do to get the error page, like
redirecting to something non-existant over http.

No. Unless you have some testcase rather than conjecture.

I don't mean something you get a response from. E.g. a server that doesn't respond at all.

Comment 28

[alta88]

(In reply to Magnus Melin [:mkmelin] from comment #27)

(In reply to alta88 from comment #23)

You're missing that the response.url will be the redirect url, and will
differ from request.url. For fetch() it is one call only but 2 calls in
gecko, which you can even see in the console with xhr and request toggled
on. There is one response to fetch() which is for the redirect url. I don't
know what 'response can vary between calls' means, it doesn't work that way.

It means that the attacker can have call #1 return A and call #2 return B even if the url is the same. It also means he can set HEAD to respond C and GET to respond D.

I see finally what you're describing, a timing attack where a successful HEAD response is turned into a malicious response on the open/GET to the same url. And for such an attack, doing a GET instead of HEAD doesn't necessarily prevent that either, so testing fetch() etc etc isn't the answer.

nsMessenger::OpenURL() loads the url in messagepane docShell so a content handler can be invoked on it. The url could be sent to a browser via nsIExternalProtocolService/nsIWebNavigation loadURI() but this would be a very degraded UX.

How about an override of netError.xhtml in aboutRedirector.js and simply removing the retry button or testing the errors in a netError.js stub and hiding it for certain conditions.

Edit: Btw, sorry for being slow to get this, I was somehow fixated on a specific flow..

Comment 29

[alta88]

Ok, so putting up a redirect server, pointing it to a file:// redirect url and using the test eml above, will make fetch() get a 200 response for HEAD (and continue to the corrupt page as a result of OpenURL()) but will catch with a Network Error with GET.

Comment 30

[Magnus Melin [:mkmelin]]

I guess overriding netError could work, maybe to make Retry open the URL open in the external browser for error conditions?

Another possible route would be doing the fetch, putting the verified ok'd data into a data: url and have sMessenger::OpenURL open that.

Comment 31

[alta88]

(In reply to Magnus Melin [:mkmelin] from comment #30)

I guess overriding netError could work, maybe to make Retry open the URL open in the external browser for error conditions?

I think it's not great UX to load the error page and leave the message; there's then no way to get back without deselect/select. If the error occurs in the first place, it won't work in the browser either. If we go this route, I'd say the button should say Return to Message or such.

Another possible route would be doing the fetch, putting the verified ok'd data into a data: url and have sMessenger::OpenURL open that.

Even if the link is to a 100M video (like the now obsolete testcase I attached before)?

If we replace HEAD with GET, a redirect to both an existing and non existing local file fails with Network Error, and there will be no open and no error page. Do we agree that fixes the case here?

In the case of a long server non response (fetch eventually times out) I made it so if the message has changed (likely) the response will just die. And if not, it will be a caught error.

What potential issues remain?

Comment 32

[Magnus Melin [:mkmelin]]

(In reply to alta88 from comment #31)

(In reply to Magnus Melin [:mkmelin] from comment #30)

I guess overriding netError could work, maybe to make Retry open the URL open in the external browser for error conditions?

I think it's not great UX to load the error page and leave the message;
there's then no way to get back without deselect/select. If the error occurs
in the first place, it won't work in the browser either. If we go this
route, I'd say the button should say Return to Message or such.

Sounds ok, or just disable the button.

Another possible route would be doing the fetch, putting the verified ok'd data into a data: url and have sMessenger::OpenURL open that.

Even if the link is to a 100M video (like the now obsolete testcase I
attached before)?

Might not be so nice, no.

If we replace HEAD with GET, a redirect to both an existing and non existing
local file fails with Network Error, and there will be no open and no error
page. Do we agree that fixes the case here?

I'm not sure I follow. If you're replacing HEAD with GET you do need to use the result of the GET. But, perhaps we won't take this route. I'm open to suggestions.

What potential issues remain?

Can't think of any.

Comment 33

[alta88]

(In reply to Magnus Melin [:mkmelin] from comment #32)

(In reply to alta88 from comment #31)

(In reply to Magnus Melin [:mkmelin] from comment #30)

I guess overriding netError could work, maybe to make Retry open the URL open in the external browser for error conditions?

I think it's not great UX to load the error page and leave the message;
there's then no way to get back without deselect/select. If the error occurs
in the first place, it won't work in the browser either. If we go this
route, I'd say the button should say Return to Message or such.

Sounds ok, or just disable the button.

Another possible route would be doing the fetch, putting the verified ok'd data into a data: url and have sMessenger::OpenURL open that.

Even if the link is to a 100M video (like the now obsolete testcase I
attached before)?

Might not be so nice, no.

If we replace HEAD with GET, a redirect to both an existing and non existing
local file fails with Network Error, and there will be no open and no error
page. Do we agree that fixes the case here?

I'm not sure I follow. If you're replacing HEAD with GET you do need to use the result of the GET. But, perhaps we won't take this route. I'm open to suggestions.

In the case here, with a redirect to file, the GET fetch() will fail and the attack cannot proceed.

Hypothetically, the fetch() (first GET) has to succeed, and then the url response changed for the open (second GET) to show the error page. But how can the attacker know there's a second GET coming. This seems implausible.

Anyway, I suggest we change it to GET (http only) for the first case (this bug), and change netError to return to message for the second case.

What potential issues remain?

Can't think of any.

Comment 34

[Magnus Melin [:mkmelin]]

But how can the attacker know there's a second GET coming. This seems implausible.

If there is just a distinction between data from HEAD vs GET that would be easy. For GET+GET, I suppose one could match up on remote IP and take an educated guess... but sure, harder.

Anyway, I suggest we change it to GET (http only) for the first case (this bug), and change netError to > return to message for the second case.

Sounds good.

Comment 35

[alta88]

Attachment: reloadMessage on netError button

Yes, it's sure possible to trick even 2 GETs: read this bug, user agent, ip, second GET within a second..

The button should Return to Messge in general, as Retry usually fails, and the UX is nicer now for that page.

I don't think we want to clone netError.xhtml and netError.js, so did it this way.

Comment 36

[Magnus Melin [:mkmelin]]

Comment on attachment 9056000 [details] [diff] [review]
reloadMessage on netError button

Review of attachment 9056000 [details] [diff] [review]:
-----------------------------------------------------------------

::: mail/locales/en-US/chrome/overrides/netError.dtd
@@ +5,5 @@
>  <!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd">
>  %brandDTD;
>  
>  <!ENTITY loadError.label "Problem loading page">
> +<!ENTITY retry.label "Return to Message">

Since you'd need to bump the l10n key, it would seem easier to just add a new button dynamically and hide the original retry button.

Or, we wouldn't change the string but only swap the click handling to do the Reload instead. Perhaps that's preferable.

Comment 37

[alta88]

Attachment: reloadMessage.patch

no string change.

Comment 38

[Magnus Melin [:mkmelin]]

Comment on attachment 9056130 [details] [diff] [review]
reloadMessage.patch

Review of attachment 9056130 [details] [diff] [review]:
-----------------------------------------------------------------

::: mail/base/content/mailWindow.js
@@ +214,5 @@
> +  messagepane.addEventListener("DOMContentLoaded", (event) => {
> +    if (!event.target.documentURI.startsWith("about:neterror?")) {
> +      return;
> +    }
> +    let button = event.target.getElementById("errorTryAgain");

Could you add an explanation in the code for this. It's not exactly clear to someone unfamilar with this bug why we would change the event handler.

::: mail/base/content/msgHdrView.js
@@ +1871,5 @@
>  
>      let url = this.url;
>      let empty = true;
>      let size = 0;
> +    let options = { method: "GET" };

I think this should stay HEAD, or otherwise we could fetch a large file more than once (uncless cache kicks in). 

When using HEAD, and then a GET that fails, you still get the neterror page and can reload the message so it seem to me this is all fixed even when this stays as HEAD

Comment 39

[alta88]

Attachment: reloadMessage.patch

Comment 40

[Jorg K (CEST = GMT+2)]

Sorry, this doesn't pass linting:
$ ../mach eslint mail/base/content/
c:\mozilla-source\comm-central\comm\mail\base\content\mailWindow.js
219:54 error 'retryThis' is not defined. no-undef (eslint)
? 1 problem (1 error, 0 warnings)

... and I wouldn't know how to fix it. This seems to come from netError.js.

Comment 41

[Magnus Melin [:mkmelin]]

/* global retryThis */ on top of the file should do it. But perhaps we don't need the retryThis at all, since removing the eventListener doesn't look at the actual function.

Comment 42

[alta88]

Attachment: reloadMessage.patch

declare global.

Comment 43

[Jorg K (CEST = GMT+2)]

https://hg.mozilla.org/comm-central/rev/5e3c486189d48c8cfa6084be270236cd807c8205
On netError page change retry button to reload message. r=mkmelin