Closed Bug 1475641 Opened 4 years ago Closed 1 year ago

Move ProxyAutoConfig to socket process

Categories

(Core :: Networking: HTTP, enhancement, P3)

Tracking

RESOLVED FIXED
95 Branch
Tracking Status
firefox63 --- wontfix
firefox95 --- fixed

People

(Reporter: Alex_Gaynor, Assigned: kershaw)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want, Whiteboard: [necko-triaged][webcompat-sci-exclude][adv-main95-])

Attachments

(1 file)

PAC files are JavaScript files, which are run to get proxy configuration automatically, as obtained via the network. The code for this runs in the parent process: https://searchfox.org/mozilla-central/source/netwerk/base/ProxyAutoConfig.cpp#754-756

As a result of this, someone able to exploit a vulnerability in the JavaScript VM (not including the DOM, and with limited globals I believe) can, given a position on the network, exploit this vulnerability directly in the unsandboxed parent process -- not the sandboxed content process where we usually run JS.

We should endeavor to move PAC files into a sandboxed process. I imagine this could happen either via (1) the upcoming network process, or (2) spinning up a temporary child process to run the PAC file.

(This may not need to be s-s, since it's not a specific vulnerability, but I figured better safe than sorry to get the conversation started)
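
The shape of option (2) in the report above, as an added Node.js example that is not Firefox code and not written by anyone in this bug: the PAC script is evaluated in a throwaway child process, and the parent accepts only a short, validated proxy string back. `evalPacIsolated`, `CHILD_SRC`, the sample PAC file and its hostnames are constructed for illustration, and the example assumes the child would additionally be placed under an OS-level sandbox, which is not applied here.

```javascript
const { spawnSync } = require("node:child_process");

// Child-side program (constructed): reads {pac, url, host} from stdin, evaluates
// the PAC script in a bare context, and prints FindProxyForURL's return value.
// node:vm is not a security boundary; the isolation here is the process itself.
const CHILD_SRC = `
const vm = require("node:vm");
const { pac, url, host } = JSON.parse(require("node:fs").readFileSync(0, "utf8"));
const ctx = vm.createContext({ url, host });
const run = (src) => vm.runInContext(src, ctx, { timeout: 500 });
run('function isPlainHostName(h) { return !h.includes("."); }');
run('function dnsDomainIs(h, d) { return h.endsWith(d); }');
run(pac);
process.stdout.write(String(run("FindProxyForURL(url, host)")));
`;

// One entry of a PAC result: DIRECT, or a proxy type followed by host:port.
const ENTRY = /^(DIRECT|(PROXY|HTTP|HTTPS|SOCKS|SOCKS4|SOCKS5) [A-Za-z0-9.-]+:\d{1,5})$/;

// Parent side: treat everything the child returns as untrusted. Any crash,
// hang, oversized output, or malformed entry yields null (no proxy decision).
function evalPacIsolated(pac, url, host) {
  const res = spawnSync(process.execPath, ["-e", CHILD_SRC], {
    input: JSON.stringify({ pac, url, host }),
    encoding: "utf8",
    timeout: 3000,   // kill a child that never answers
    maxBuffer: 1024, // a proxy list is short; refuse anything larger
  });
  if (res.error || res.status !== 0) return null;
  const entries = res.stdout.split(";").map((s) => s.trim()).filter(Boolean);
  return entries.length > 0 && entries.every((e) => ENTRY.test(e)) ? entries : null;
}

// Constructed sample PAC file; hostnames are placeholders.
const SAMPLE_PAC = `function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  return "PROXY proxy.example:3128; DIRECT";
}`;

console.log(evalPacIsolated(SAMPLE_PAC, "https://example.org/", "example.org"));
```
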
Group: core-security → network-core-security
https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html has some good background on the issues around PAC.

When I filed this, I had forgotten that WPAD was a distinct spec from PAC; do we support WPAD? It looks like yes, but I'm not sure if it's on by default or not.
Group: network-core-security
Keywords: sec-want
Depends on: socket-proc
Priority: -- → P3
Whiteboard: [necko-triaged]
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #1)
> https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html
> has some good background on the issues around PAC.
> 
> When I filed this, I had forgotten that WPAD was a distinct spec from PAC;
> do we support WPAD? It looks like yes, but I'm not sure if it's on by
> default or not.

We do support WPAD, but not by default. The user has to manually enable it in the proxy settings.
Whiteboard: [necko-triaged] → [necko-triaged][webcompat-sci-exclude]

This is actually a part of the socket process project.

Assignee: nobody → kershaw
Blocks: socket-proc
Severity: normal → N/A
No longer depends on: socket-proc
Summary: ProxyAutoConfig runs network provided javascript code in unsandboxed parent process → Move ProxyAutoConfig to socket process
Attachment #9241614 - Attachment description: Bug 1475641 - Move PAProxyAutoConfig to socket process, r=#necko → Bug 1475641 - Move ProxyAutoConfig to socket process, r=#necko
Attachment #9241614 - Attachment description: Bug 1475641 - Move ProxyAutoConfig to socket process, r=#necko → Bug 1475641 - Move PAProxyAutoConfig to socket process, r=#necko
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/da95455590d7
Move PAProxyAutoConfig to socket process, r=necko-reviewers,dragana
Depends on: 1732150
Flags: needinfo?(kershaw)
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/45877c2e8d6b
Move PAProxyAutoConfig to socket process, r=necko-reviewers,dragana

Backed out for causing GTest failures on SocketProcessChild.cpp

Flags: needinfo?(kershaw)
Flags: needinfo?(kershaw)
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/21bb8cd199ba
Move PAProxyAutoConfig to socket process, r=necko-reviewers,dragana
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch
Whiteboard: [necko-triaged][webcompat-sci-exclude] → [necko-triaged][webcompat-sci-exclude][adv-main95-]