Closed
Bug 1475641
Opened 6 years ago
Closed 3 years ago
Move ProxyAutoConfig to socket process
Categories
(Core :: Networking: HTTP, enhancement, P3)
Core
Networking: HTTP
Tracking
()
RESOLVED
FIXED
95 Branch
People
(Reporter: Alex_Gaynor, Assigned: kershaw)
References
(Blocks 1 open bug, )
Details
(Keywords: sec-want, Whiteboard: [necko-triaged][webcompat-sci-exclude][adv-main95-])
Attachments
(1 file)
PAC files are javascript files, which are run to get proxy configuration automatically, as obtained via the network. The code for this runs in the parent process: https://searchfox.org/mozilla-central/source/netwerk/base/ProxyAutoConfig.cpp#754-756
As a result of this, someone able to exploit a vulnerability in the Javascript VM (not including the DOM, and with limited globals I believe) can, given a position on the network, exploit this vulnerability directly in the unsandboxed parent process -- not the sandboxed content process where we usually run JS.
We should endeavor to move PAC files into a sandboxed process. I imagine this could be happen either via (1) the upcoming network process, (2) spinning up a temporary child process to run the PAC file.
(This may not need to be s-s, since it's not a specific vulnerability, but I figured better safe than sorry to get the conversation started)
Updated•6 years ago
|
Group: core-security → network-core-security
Updated•6 years ago
|
Reporter | ||
Comment 1•6 years ago
|
||
https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html has some good background on the issues around PAC.
When I filed this, I had forgotten that WPAD was a distinct spec from PAC; do we support WPAD? It looks like yes, but I'm not sure if it's on by default or not.
Updated•6 years ago
|
Comment 2•6 years ago
|
||
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #1)
> https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-
> windows-10-in_18.html has some good background on the issues around PAC.
>
> When I filed this, I had forgotten that WPAD was a distinct spec from PAC;
> do we support WPAD? It looks like yes, but I'm not sure if it's on by
> default or not.
We do support WPAD, but not by default. The user has to manually enable it in the proxy settings.
Updated•5 years ago
|
Whiteboard: [necko-triaged] → [necko-triaged][webcompat-sci-exclude]
Assignee | ||
Comment 3•3 years ago
|
||
This is actually a part of socket process project.
Assignee: nobody → kershaw
Blocks: socket-proc
Severity: normal → N/A
No longer depends on: socket-proc
Assignee | ||
Updated•3 years ago
|
Summary: ProxyAutoConfig runs network provided javascript code in unsandboxed parent process → Move ProxyAutoConfig to socket process
Assignee | ||
Comment 4•3 years ago
|
||
Updated•3 years ago
|
Attachment #9241614 -
Attachment description: Bug 1475641 - Move PAProxyAutoConfig to socket process, r=#necko → Bug 1475641 - Move ProxyAutoConfig to socket process, r=#necko
Updated•3 years ago
|
Attachment #9241614 -
Attachment description: Bug 1475641 - Move ProxyAutoConfig to socket process, r=#necko → Bug 1475641 - Move PAProxyAutoConfig to socket process, r=#necko
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/da95455590d7
Move PAProxyAutoConfig to socket process, r=necko-reviewers,dragana
Comment 6•3 years ago
|
||
Backed out for marionette crashes on test_profile_management.py
Backout link: https://hg.mozilla.org/integration/autoland/rev/229a08cc3fa5a6db8b6ca7b5a0da43981da6e204
Log link: https://treeherder.mozilla.org/logviewer?job_id=352278841&repo=autoland&lineNumber=49127
Flags: needinfo?(kershaw)
Comment 7•3 years ago
|
||
Assignee | ||
Updated•3 years ago
|
Flags: needinfo?(kershaw)
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/45877c2e8d6b
Move PAProxyAutoConfig to socket process, r=necko-reviewers,dragana
Comment 9•3 years ago
|
||
Backed out for causing GTest failures on SocketProcessChild.cpp
Flags: needinfo?(kershaw)
Assignee | ||
Updated•3 years ago
|
Flags: needinfo?(kershaw)
Comment 10•3 years ago
|
||
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/21bb8cd199ba
Move PAProxyAutoConfig to socket process, r=necko-reviewers,dragana
Comment 11•3 years ago
|
||
bugherder |
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox95:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch
Updated•3 years ago
|
Updated•3 years ago
|
Whiteboard: [necko-triaged][webcompat-sci-exclude] → [necko-triaged][webcompat-sci-exclude][adv-main95-]
You need to log in
before you can comment on or make changes to this bug.
Description
•