Closed
Bug 1416307
Opened 7 years ago
Closed 6 years ago
When RefreshURI gets called with a null principal, we end up using the page's referrer as a principal
Categories
(Core :: DOM: Navigation, defect, P1)
Core
DOM: Navigation
Tracking
()
RESOLVED
FIXED
mozilla60
People
(Reporter: valentin, Assigned: smaug)
References
Details
(Keywords: csectype-sop, sec-high, Whiteboard: [keep hidden until 1414425 embargo ends][post-critsmash-triage][adv-main59-][adv-esr52.7-])
Attachments
(1 file, 2 obsolete files)
|
5.44 KB,
patch
|
ritu
:
approval-mozilla-beta+
ritu
:
approval-mozilla-esr52+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
(In reply to Valentin Gosu [:valentin] from bug 1414425 comment 12) > (In reply to Boris Zbarsky [:bz] (no decent commit message means r-)) > > Comment on attachment 8926440 [details] [diff] [review] > > Make sure the appropriate triggeringPrincipal is set for a meta refresh > > > > >+ * May be null, in which case a principal will be built based on the > > >+ * referrer URI, or will use the system principal when there is none. > > > > What referrer URI? This API doesn't take a referrer URI... > > We get the referrer from the docshell: > http://searchfox.org/mozilla-central/rev/ed212c79cfe86357e9a5740082b9364e7f6e526f/docshell/base/nsDocShell.cpp#6940-6942 > > And we use that if there is no triggeringPrincipal > http://searchfox.org/mozilla-central/rev/ed212c79cfe86357e9a5740082b9364e7f6e526f/docshell/base/nsDocShell.cpp#1571-1579 (In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment bug 1414425 comment 16) > Comment on attachment 8926888 [details] [diff] [review] > Make sure the appropriate triggeringPrincipal is set for a meta refresh > > >+++ b/browser/base/content/tab-content.js > > OK, so now that we understand the setup here, this code looks like a > security bug. It will use the referrer of the page in the docshell as the > triggering principal, whereas it should probably be using that page's > principal or so... Please file a followup bug on this? > > >+++ b/browser/base/content/test/general/browser_refreshBlocker.js > > Similar.
|
||
Updated•7 years ago
|
Group: core-security → dom-core-security
|
|
||
Updated•7 years ago
|
Keywords: csectype-sop,
sec-high
|
||
Updated•7 years ago
|
status-firefox59:
--- → ?
|
Reporter | |
Comment 2•7 years ago
|
||
I'd rather someone else took this. Thanks!
Flags: needinfo?(valentin.gosu)
|
||
Updated•7 years ago
|
Assignee: nobody → sawang
Flags: needinfo?(sawang)
|
|
||
Comment 5•6 years ago
|
||
MozReview-Commit-ID: IFipvjSf8GG
|
|
||
Comment 6•6 years ago
|
||
Comment on attachment 8940079 [details] [diff] [review] Set triggeringPrincipal to the principal constructed from mCurrentURI in ForceRefreshURI in case of meta refresh. r?bz Since the referrer is set to mCurrentURI for non-meta refreshes, it looks to me that all we want to do is to set triggeringPrincipal based on mCurrentURI in the case of a meta refresh. Is that right?
Flags: needinfo?(sawang)
Attachment #8940079 -
Flags: review?(bzbarsky)
|
||
Comment 7•6 years ago
|
||
Comment on attachment 8940079 [details] [diff] [review] Set triggeringPrincipal to the principal constructed from mCurrentURI in ForceRefreshURI in case of meta refresh. r?bz I don't think we should be involving referrers or uris in any way here. If we want to use the currently loaded document's principal as the triggering principal, let's do that directly instead of using things that might sort of match it, maybe, or might not.
Attachment #8940079 -
Flags: review?(bzbarsky) → review-
|
|
||
Updated•6 years ago
|
Attachment #8940079 -
Attachment is obsolete: true
|
|
||
Comment 8•6 years ago
|
||
MozReview-Commit-ID: 8lxKFeUlyzq
|
|
||
Comment 9•6 years ago
|
||
Comment on attachment 8942131 [details] [diff] [review] v1 Could you take a look on this one?
Attachment #8942131 -
Flags: review?(bzbarsky)
|
|
||
Comment 10•6 years ago
|
||
Comment on attachment 8942131 [details] [diff] [review] v1 GetDocument() has side-effects. Probably better to not call it until we really need it (so if aPrincipal) is null. You need to update the API documentation at https://searchfox.org/mozilla-central/rev/7476b71e0010ab3277b77cc0ae4d998c4b1d2b64/docshell/base/nsIRefreshURI.idl#38-41 r=me with those two issues fixed.
Attachment #8942131 -
Flags: review?(bzbarsky) → review+
|
|
||
Updated•6 years ago
|
Attachment #8942131 -
Attachment description: Set triggeringPrincipal to current document's principal, if aPrincipal is not given. → v1
Attachment #8942131 -
Attachment is obsolete: true
|
|
||
Comment 11•6 years ago
|
||
MozReview-Commit-ID: 8lxKFeUlyzq
|
|
||
Comment 12•6 years ago
|
||
Comment on attachment 8942574 [details] [diff] [review] Set triggeringPrincipal to current document's principal, if aPrincipal is not given. r=bz [Security approval request comment] How easily could an exploit be constructed based on the patch? The triggering principal on meta refresh would become the referrer's principal whereas it should be the current document's principal. Various security checks can be incorrect, but I don't really know how to construct an attack based on this. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No. Which older supported branches are affected by this flaw? If not all supported branches, which bug introduced the flaw? All supported branches are affected. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? No, but it should be farely easy. How likely is this patch to cause regressions; how much testing does it need? Should be at low risk.
Attachment #8942574 -
Flags: sec-approval?
|
||
Comment 13•6 years ago
|
||
This can land on February 6, two weeks into the next cycle. We're about to make the Firefox 58 release candidate. This missed the window for sec-approval now.
Whiteboard: [checkin on 2/6]
|
|
||
Updated•6 years ago
|
Attachment #8942574 -
Flags: sec-approval? → sec-approval+
|
|
||
Comment 14•6 years ago
|
||
We'll just need someone to land the patch on 2/6, and maybe also rebase the patch for ESR later, not sure.
Assignee: freesamael → nobody
Flags: needinfo?(overholt)
|
||
Comment 15•6 years ago
|
||
Olli, can you land this on February 6?
Flags: needinfo?(overholt) → needinfo?(bugs)
|
|
||
Comment 16•6 years ago
|
||
Does this *need* to land today? smaug is on PTO this week ...
Flags: needinfo?(bugs) → needinfo?(ryanvm)
|
||
Comment 17•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/9fcf48189000ab8ee16f236be57c9659c7243b42 This grafts cleanly to Beta and ESR52 as-landed. Please request approval on it when you get a chance.
Assignee: nobody → bugs
status-firefox60:
--- → affected
status-firefox-esr52:
--- → affected
tracking-firefox59:
--- → +
tracking-firefox60:
--- → +
tracking-firefox-esr52:
--- → 59+
Flags: needinfo?(ryanvm) → needinfo?(bugs)
Whiteboard: [checkin on 2/6]
|
|
||
Comment 18•6 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9fcf48189000
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
|
Assignee | |
Comment 19•6 years ago
|
||
Comment on attachment 8942574 [details] [diff] [review] Set triggeringPrincipal to current document's principal, if aPrincipal is not given. r=bz [Approval Request Comment] See comment 12
Flags: needinfo?(bugs)
Attachment #8942574 -
Flags: approval-mozilla-esr52?
Attachment #8942574 -
Flags: approval-mozilla-beta?
Comment on attachment 8942574 [details] [diff] [review] Set triggeringPrincipal to current document's principal, if aPrincipal is not given. r=bz Sec-high, Beta59+, ESR52.7+
Attachment #8942574 -
Flags: approval-mozilla-esr52?
Attachment #8942574 -
Flags: approval-mozilla-esr52+
Attachment #8942574 -
Flags: approval-mozilla-beta?
Attachment #8942574 -
Flags: approval-mozilla-beta+
|
|
||
Comment 21•6 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/9df27a7142ff
|
|
||
Updated•6 years ago
|
Group: dom-core-security → core-security-release
|
|
||
Comment 22•6 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr52/rev/54f2f7f93b30
|
||
Updated•6 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
|
|
||
Updated•6 years ago
|
Whiteboard: [post-critsmash-triage] → [keep hidden until 1414425 embargo ends][post-critsmash-triage]
|
|
||
Updated•6 years ago
|
Whiteboard: [keep hidden until 1414425 embargo ends][post-critsmash-triage] → [keep hidden until 1414425 embargo ends][post-critsmash-triage][adv-main59-][adv-esr52.7-]
|
|
||
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•