Closed Bug 1416307 Opened 7 years ago Closed 7 years ago

When RefreshURI gets called with a null principal, we end up using the page's referrer as a principal

Categories

(Core :: DOM: Navigation, defect, P1)

Product:
Core
Component:
DOM: Navigation
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla60
Tracking Flags:
Tracking Status
firefox-esr52 59+ fixed
firefox58 --- wontfix
firefox59 + fixed
firefox60 + fixed

People

(Reporter: valentin, Assigned: smaug)

References

Details

(Keywords: csectype-sop, sec-high, Whiteboard: [keep hidden until 1414425 embargo ends][post-critsmash-triage][adv-main59-][adv-esr52.7-])

Attachments

(1 file, 2 obsolete files)

Set triggeringPrincipal to current document's principal, if aPrincipal is not given. r=bz
5.44 KB, patch
ritu
: approval-mozilla-beta+
ritu
: approval-mozilla-esr52+
abillings
: sec-approval+
Details | Diff | Splinter Review
(In reply to Valentin Gosu [:valentin] from bug 1414425 comment 12) > (In reply to Boris Zbarsky [:bz] (no decent commit message means r-)) > > Comment on attachment 8926440 [details] [diff] [review] > > Make sure the appropriate triggeringPrincipal is set for a meta refresh > > > > >+ * May be null, in which case a principal will be built based on the > > >+ * referrer URI, or will use the system principal when there is none. > > > > What referrer URI? This API doesn't take a referrer URI... > > We get the referrer from the docshell: > http://searchfox.org/mozilla-central/rev/ed212c79cfe86357e9a5740082b9364e7f6e526f/docshell/base/nsDocShell.cpp#6940-6942 > > And we use that if there is no triggeringPrincipal > http://searchfox.org/mozilla-central/rev/ed212c79cfe86357e9a5740082b9364e7f6e526f/docshell/base/nsDocShell.cpp#1571-1579 (In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment bug 1414425 comment 16) > Comment on attachment 8926888 [details] [diff] [review] > Make sure the appropriate triggeringPrincipal is set for a meta refresh > > >+++ b/browser/base/content/tab-content.js > > OK, so now that we understand the setup here, this code looks like a > security bug. It will use the referrer of the page in the docshell as the > triggering principal, whereas it should probably be using that page's > principal or so... Please file a followup bug on this? > > >+++ b/browser/base/content/test/general/browser_refreshBlocker.js > > Similar.
Group: core-security → dom-core-security
Hi Valentin, are you going to take this?
Flags: needinfo?(valentin.gosu)
I'd rather someone else took this. Thanks!
Flags: needinfo?(valentin.gosu)
Samael, please help this, thanks!
Flags: needinfo?(sawang)
Priority: -- → P1
Assignee: nobody → sawang
Flags: needinfo?(sawang)
Can you bump this in your queue, Samael?
Flags: needinfo?(sawang)
Comment on attachment 8940079 [details] [diff] [review] Set triggeringPrincipal to the principal constructed from mCurrentURI in ForceRefreshURI in case of meta refresh. r?bz Since the referrer is set to mCurrentURI for non-meta refreshes, it looks to me that all we want to do is to set triggeringPrincipal based on mCurrentURI in the case of a meta refresh. Is that right?
Flags: needinfo?(sawang)
Attachment #8940079 - Flags: review?(bzbarsky)
Comment on attachment 8940079 [details] [diff] [review] Set triggeringPrincipal to the principal constructed from mCurrentURI in ForceRefreshURI in case of meta refresh. r?bz I don't think we should be involving referrers or uris in any way here. If we want to use the currently loaded document's principal as the triggering principal, let's do that directly instead of using things that might sort of match it, maybe, or might not.
Attachment #8940079 - Flags: review?(bzbarsky) → review-
Attachment #8940079 - Attachment is obsolete: true
Attached patch v1 (obsolete) — Splinter Review
MozReview-Commit-ID: 8lxKFeUlyzq
Comment on attachment 8942131 [details] [diff] [review] v1 Could you take a look on this one?
Attachment #8942131 - Flags: review?(bzbarsky)
Comment on attachment 8942131 [details] [diff] [review] v1 GetDocument() has side-effects. Probably better to not call it until we really need it (so if aPrincipal) is null. You need to update the API documentation at https://searchfox.org/mozilla-central/rev/7476b71e0010ab3277b77cc0ae4d998c4b1d2b64/docshell/base/nsIRefreshURI.idl#38-41 r=me with those two issues fixed.
Attachment #8942131 - Flags: review?(bzbarsky) → review+
Attachment #8942131 - Attachment description: Set triggeringPrincipal to current document's principal, if aPrincipal is not given. → v1
Attachment #8942131 - Attachment is obsolete: true
Comment on attachment 8942574 [details] [diff] [review] Set triggeringPrincipal to current document's principal, if aPrincipal is not given. r=bz [Security approval request comment] How easily could an exploit be constructed based on the patch? The triggering principal on meta refresh would become the referrer's principal whereas it should be the current document's principal. Various security checks can be incorrect, but I don't really know how to construct an attack based on this. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No. Which older supported branches are affected by this flaw? If not all supported branches, which bug introduced the flaw? All supported branches are affected. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? No, but it should be farely easy. How likely is this patch to cause regressions; how much testing does it need? Should be at low risk.
Attachment #8942574 - Flags: sec-approval?
This can land on February 6, two weeks into the next cycle. We're about to make the Firefox 58 release candidate. This missed the window for sec-approval now.
Whiteboard: [checkin on 2/6]
Attachment #8942574 - Flags: sec-approval? → sec-approval+
We'll just need someone to land the patch on 2/6, and maybe also rebase the patch for ESR later, not sure.
Assignee: freesamael → nobody
Flags: needinfo?(overholt)
Olli, can you land this on February 6?
Flags: needinfo?(overholt) → needinfo?(bugs)
Does this *need* to land today? smaug is on PTO this week ...
Flags: needinfo?(bugs) → needinfo?(ryanvm)
https://hg.mozilla.org/integration/mozilla-inbound/rev/9fcf48189000ab8ee16f236be57c9659c7243b42 This grafts cleanly to Beta and ESR52 as-landed. Please request approval on it when you get a chance.
Assignee: nobody → bugs
status-firefox58: affectedwontfix
status-firefox59: ?affected
status-firefox60: --- → affected
status-firefox-esr52: --- → affected
tracking-firefox59: --- → +
tracking-firefox60: --- → +
tracking-firefox-esr52: --- → 59+
Flags: needinfo?(ryanvm) → needinfo?(bugs)
Whiteboard: [checkin on 2/6]
https://hg.mozilla.org/mozilla-central/rev/9fcf48189000
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox60: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Comment on attachment 8942574 [details] [diff] [review] Set triggeringPrincipal to current document's principal, if aPrincipal is not given. r=bz [Approval Request Comment] See comment 12
Flags: needinfo?(bugs)
Attachment #8942574 - Flags: approval-mozilla-esr52?
Attachment #8942574 - Flags: approval-mozilla-beta?
Comment on attachment 8942574 [details] [diff] [review] Set triggeringPrincipal to current document's principal, if aPrincipal is not given. r=bz Sec-high, Beta59+, ESR52.7+
Attachment #8942574 - Flags: approval-mozilla-esr52?
Attachment #8942574 - Flags: approval-mozilla-esr52+
Attachment #8942574 - Flags: approval-mozilla-beta?
Attachment #8942574 - Flags: approval-mozilla-beta+
Group: dom-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [keep hidden until 1414425 embargo ends][post-critsmash-triage]
Whiteboard: [keep hidden until 1414425 embargo ends][post-critsmash-triage] → [keep hidden until 1414425 embargo ends][post-critsmash-triage][adv-main59-][adv-esr52.7-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: