Closed Bug 1434634 (CVE-2019-9808) Opened 4 years ago Closed 3 years ago

Incomplete fix of bug 1366357

Categories

(Firefox :: Site Identity, defect, P3)

Tracking

VERIFIED FIXED
Tracking Status
firefox-esr60 --- wontfix
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 --- fixed
firefox67 --- verified

People

(Reporter: s.h.h.n.j.k, Assigned: johannh)

References

Details

(Keywords: csectype-spoof, sec-low, Whiteboard: [fixed by bug 1371741][post-critsmash-triage][adv-main66+])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36

Steps to reproduce:

1. Go to https://vuln.shhnjk.com/iframer.php?url=//test.shhnjk.com/permission.html
2. Click on "Cam Data" button


Actual results:

Permission notification says "Unknown origin" is requesting permission.


Expected results:

The bug 1366357 fix changed "Unknown protocol" to "Unknown origin", which I don't think solved the issue of the confusing permission request.

Tested in Latest Nightly.
Component: Untriaged → Site Identity and Permission Panels
Summary: Incomplete fix of Bug 1366357 → Incomplete fix of bug 1366357
Johann, can you take a look? Off-hand, I would imagine we should prompt for the origin that created the blob?
Flags: needinfo?(jhofmann)
This will be fixed by bug 1371741 by disallowing null-principals from accessing data:, which is why I ignored the issue in bug 1366357. I'm not sure what the status of bug 1371741 is. I have a patch waiting for jib to review there so I'll defer to him to sort out this bug :)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jhofmann) → needinfo?(jib)
Priority: -- → P3
> disallowing null-principals from accessing data:

I meant from accessing getUserMedia :)
Okay, seems like CSP sandbox is not considered in WebRTC permission.

PoC
https://shhnjk.azurewebsites.net/csp_sandbox.php?csp=allow-scripts&xss=%3Cscript%3Enavigator.mediaDevices.getUserMedia({video:%20{facingMode:%20%27user%27}})%3C/script%3E

It shows the origin based on the URL and does not check whether the document is sandboxed. Should I file this as a separate bug?
Flags: needinfo?(jhofmann)
Hm, that's the same thing, it's a null principal so it should just get disallowed in bug 1371741. I'll try to get a hold of jib for answering this...
Flags: needinfo?(jhofmann)
Oh, yeah it's clearly mentioned there :D Sorry :P
No worries, thanks for looking into this!

Now that bug 1371741 got fixed I think we can close this as done as well, Jun, can you confirm that you can no longer request permissions for "Unknown Origin" in the latest Nightly?

Assignee: nobody → jhofmann
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jib) → needinfo?(s.h.h.n.j.k)
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1371741]
Group: firefox-core-security → core-security-release
Flags: qe-verify+
Whiteboard: [fixed by bug 1371741] → [fixed by bug 1371741][post-critsmash-triage]

Jun, does this issue still need verification?
If yes, can you explain exactly what should be verified?
I could confirm the fix in all the main OSes.

Thank you for your contribution!

Sorry just noticed this. I can confirm that this is fixed in Nightly :)

Flags: needinfo?(s.h.h.n.j.k)

Thanks Jun, I think that's enough to verify :)

Status: RESOLVED → VERIFIED

Alright. Thank you!

Flags: qe-verify+
Whiteboard: [fixed by bug 1371741][post-critsmash-triage] → [fixed by bug 1371741][post-critsmash-triage][adv-main66+]
Alias: CVE-2019-9808
Group: core-security-release