Bug 1488180 (CVE-2018-18497): Extensions can load arbitrary URLs in new windows via "|" separators
Status: Closed (VERIFIED FIXED); opened 6 years ago, closed 6 years ago
Categories: WebExtensions :: General, defect, P1
Tracking: firefox-esr60 wontfix, firefox62 wontfix, firefox63 wontfix, firefox64 verified
Target Milestone: mozilla64
People: Reporter: robwu, Assigned: robwu
Keywords: csectype-priv-escalation, sec-moderate
Whiteboard: [post-critsmash-triage][adv-main64+]
Attachments (1 file): 36.65 KB, image/png
Extensions are only allowed to load some URLs (http(s), ftp:, moz-extension:, and about:blank).
However, these restrictions can be bypassed by using pipes in the URL passed to the browser.windows.create API.
STR
1. Install any add-on (no extension permissions required).
2. Visit about:debugging and click on the Debug button at the add-on.
3. Run the following snippet:
browser.windows.create({
  url: "about:blank?|file:///tmp/|about:config"
});
Expected:
- An "about:blank" URL should be opened (maybe with some junk in its query string).
Actual:
- Three tabs are opened: "about:blank", "file:///tmp" and "about:config". The last two URLs are restricted URLs.
The crazy behavior of | will hopefully be addressed by bug 1485961 (not adding see also because that bug is public).
I will covertly plug this hole (together with bug 1486738) via (public) bug 1393570.
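As an added illustration (not Firefox's code and not the patch from bug 1393570), the following JavaScript models the mismatch the report describes: the extension URL policy is checked once against the whole string, and the string is then handed to a code path that splits it on "|" into several tabs. Function names and the policy helper are hypothetical.

```javascript
// Added example, not Firefox's own code. Models CVE-2018-18497 in miniature:
// a per-URL allow-list check that runs before a "|" split only ever sees the
// first, harmless-looking URL.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "ftp:", "moz-extension:"]);

// Policy from the bug report: http(s), ftp, moz-extension, and about:blank
// (about:blank with a query string is still about:blank).
function isAllowedExtensionUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparsable strings never pass
  }
  if (parsed.protocol === "about:") {
    return parsed.pathname === "blank";
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Vulnerable shape: check the string once, then use a code path that treats
// "|" as a tab separator. Returns the URLs that would actually open.
function openWindowLegacy(urlString) {
  if (!isAllowedExtensionUrl(urlString)) throw new Error("blocked: " + urlString);
  return urlString.split("|");
}

// Hardened shape: the string is exactly one URL, nothing splits it later, so
// the value that was checked is the value that opens.
function openWindowHardened(urlString) {
  if (!isAllowedExtensionUrl(urlString)) throw new Error("blocked: " + urlString);
  return [urlString];
}

// Audit helper: which tabs would the legacy path open that the policy forbids?
function forbiddenTabs(urlString) {
  return urlString.split("|").filter((u) => !isAllowedExtensionUrl(u));
}

// The URL from the report's reproduction steps.
const REPORT_URL = "about:blank?|file:///tmp/|about:config";

console.log("legacy opens:", openWindowLegacy(REPORT_URL));
console.log("hardened opens:", openWindowHardened(REPORT_URL));
console.log("forbidden:", forbiddenTabs(REPORT_URL));
```

The legacy path opens three tabs of which two fail the policy; the hardened path opens the single about:blank URL the report lists as the expected result.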
Comment 1 (Assignee) • 6 years ago
I have submitted the patch for bug 1393570: https://phabricator.services.mozilla.com/D4929
That patch fixes this bug, by adding a number of parameters so that the code goes through this branch:
https://searchfox.org/mozilla-central/rev/c3fef66a5b211ea8038c1c132706d02db408093a/browser/base/content/browser.js#1658
instead of this branch (which ends up splitting the URL on pipes, causing this bug):
https://searchfox.org/mozilla-central/rev/c3fef66a5b211ea8038c1c132706d02db408093a/browser/base/content/browser.js#1687-1688
https://searchfox.org/mozilla-central/rev/c3fef66a5b211ea8038c1c132706d02db408093a/browser/base/content/browser.js#2171-2188
Updated • 6 years ago
Priority: -- → P1
Updated • 6 years ago
Keywords: csectype-priv-escalation, sec-moderate
Comment 2 (Assignee) • 6 years ago
Fixed by bug 1393570.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated • 6 years ago
status-firefox62: --- → wontfix
status-firefox63: --- → wontfix
status-firefox64: --- → fixed
status-firefox-esr60: --- → wontfix
Target Milestone: --- → mozilla64
Updated • 6 years ago
Group: toolkit-core-security → core-security-release
Updated • 6 years ago
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Comment 3 • 6 years ago
Verified as fixed using Firefox 64 (buildid 20181105164654) on Windows 10 x64 and macOS 10.13.6.
I also confirmed that the issue was reproducible on earlier FF versions.
I will attach a postfix screenshot.
Status: RESOLVED → VERIFIED
Updated • 6 years ago
Flags: qe-verify+
Comment 4 • 6 years ago
Updated • 6 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main64+]
Updated • 6 years ago
Alias: CVE-2018-18497
Updated • 5 years ago
Group: core-security-release