User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Steps to reproduce: 1. Unpack attached PoC addon 2. Go to about:debugging and temporarily load the unpacked addon 3. 'about:addons' is opened in new window Actual results: browser.identity.launchWebAuthFlow does not check whether the passed URL is http/s only. We can open privileged about: pages as well as file: urls. Expected results: It should only open http/s (maybe other) URI schemes.
Shane, given bug 1305421, I guess you know about this?
Group: firefox-core-security → toolkit-core-security
Component: Untriaged → WebExtensions: General
Product: Firefox → Toolkit
Redirecting to rpl.
Flags: needinfo?(mixedpuppy) → needinfo?(lgreco)
Redirecting back to Shane which is already looking into this.
Flags: needinfo?(lgreco) → needinfo?(mixedpuppy)
Assignee: nobody → mixedpuppy
Attachment #8938122 - Flags: review?(lgreco)
FYI I'm not certain this is any real security concern here. Extensions should get no more access to eg. about:addons opened this way than they would if a user opened a tab to it. Nonetheless, it is fixed.
(In reply to Shane Caraveo (:mixedpuppy) from comment #5) > FYI I'm not certain this is any real security concern here. Extensions > should get no more access to eg. about:addons opened this way than they > would if a user opened a tab to it. Nonetheless, it is fixed. This bug alone is not that dangerous, like the only security issue I can think of is opening 'about:addons' as soon as a user drags a link pointing to an addon and then once its dropped it will attempt to install. Another example is that I found an xss in one of the about: pages which alone is not exploitable due to having the victim type the url manually to open the effected about: page. But coupled with this bug the whole process is automated resulting in a sec-highISH security exploit. So technically this bug is a sec-moderate issue ( https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#0 )
The above URL should have a hash pointing to "CVE-2017-7816: WebExtensions can load about: URLs in extension UI" Not sure why it did that.
https://hg.mozilla.org/integration/mozilla-inbound/rev/0c4f3b8d311e4751dafc00d689c3bf07f17c15dd Bug 1425267 fix url param schema for launchWebAuthFlow, r=rpl
Comment on attachment 8938122 [details] [diff] [review] fix url param schema for launchWebAuthFlow Requesting now so this is not lost over the break. Approval Request Comment [Feature/Bug causing the regression]: identity api [User impact if declined]: possible to open local urls [Is this code covered by automated tests?]: yes [Has the fix been verified in Nightly?]: not yet [Needs manual test from QE? If yes, steps to reproduce]: yes, see opening comment for str [List of other uplifts needed for the feature/fix]: none [Is the change risky?]: no [Why is the change risky/not risky?]: no new code paths, just limiting api arguments via schema [String changes made/needed]: none
Attachment #8938122 - Flags: approval-mozilla-beta?
Comment on attachment 8938122 [details] [diff] [review] fix url param schema for launchWebAuthFlow Fix a security issue which is possible to open local urls. Beta58+.
Attachment #8938122 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [adv-main58+] → [adv-main58+][post-critsmash-triage]
You need to log in before you can comment on or make changes to this bug.