Open
Bug 1491113
Opened 6 years ago
Updated 2 years ago
IPDLs in dom/clients/manager can be constructed using fraudulent Principals from a rogue Content Process
Categories: Core :: DOM: Service Workers (enhancement, P3)
Tracking
Status: NEW
Fission Milestone: Future
People
(Reporter: tjr, Unassigned)
References: Depends on 1 open bug, Blocks 1 open bug
Details
The following IPC protocols are constructed using a Principal supplied by the Content Process, and appear to result in an actor associated with that Principal. Ultimately, this means that a rogue Content Process can construct and operate on any of the following protocols in the context of another origin.
The most concerning of these are
https://searchfox.org/mozilla-central/source/dom/clients/manager/PClientSource.ipdl
https://searchfox.org/mozilla-central/source/dom/clients/manager/PClientHandle.ipdl
which have their own IPC methods attached.
The rest of these seem to correspond to individual operations and do not have additional IPC actions:
https://searchfox.org/mozilla-central/source/dom/clients/manager/PClientHandleOp.ipdl
https://searchfox.org/mozilla-central/source/dom/clients/manager/PClientManagerOp.ipdl
https://searchfox.org/mozilla-central/source/dom/clients/manager/PClientSourceOp.ipdl
When constructing these actors, all of which are constructed through structs in https://searchfox.org/mozilla-central/source/dom/clients/manager/ClientIPCTypes.ipdlh, we should assert that the Principal provided is permissible for the Content Process supplying the data.
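The parent-side check the report asks for, as an added illustration that is not Mozilla code: a hypothetical model in which each content process is bound to the set of origins it may act for, and any actor whose Principal's origin falls outside that set is rejected before construction. Origin canonicalization (lowercasing, default-port stripping) and the `ContentProcessInfo` struct are assumptions of this example.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>

// Hypothetical bookkeeping: the origins a content process is allowed to host.
struct ContentProcessInfo {
    std::set<std::string> permittedOrigins;  // canonical "scheme://host[:port]"
};

// Canonicalize "scheme://host[:port]" so that two spellings of the same
// origin compare equal: lowercase scheme and host, drop the default port.
// Opaque/null origins canonicalize to "null" and never match a process.
std::string CanonicalOrigin(const std::string& origin) {
    auto sep = origin.find("://");
    if (sep == std::string::npos) return "null";
    std::string scheme = origin.substr(0, sep);
    std::string hostport = origin.substr(sep + 3);
    auto lower = [](std::string s) {
        std::transform(s.begin(), s.end(), s.begin(),
                       [](unsigned char c) { return std::tolower(c); });
        return s;
    };
    scheme = lower(scheme);
    hostport = lower(hostport);
    if (scheme == "https" && hostport.size() > 4 &&
        hostport.compare(hostport.size() - 4, 4, ":443") == 0)
        hostport.erase(hostport.size() - 4);
    if (scheme == "http" && hostport.size() > 3 &&
        hostport.compare(hostport.size() - 3, 3, ":80") == 0)
        hostport.erase(hostport.size() - 3);
    return scheme + "://" + hostport;
}

// The assertion the bug requests: accept a Principal supplied over IPC only if
// the sending process is permitted to act for that Principal's origin.
bool PrincipalPermittedForProcess(const ContentProcessInfo& proc,
                                  const std::string& principalOrigin) {
    std::string canon = CanonicalOrigin(principalOrigin);
    if (canon == "null") return false;
    return proc.permittedOrigins.count(canon) > 0;
}

int main() {
    ContentProcessInfo proc{{"https://example.com"}};
    // A process for example.com may construct actors for its own origin only.
    return PrincipalPermittedForProcess(proc, "https://example.com") &&
           !PrincipalPermittedForProcess(proc, "https://other.example") ? 0 : 1;
}
```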
Updated 6 years ago: Component: IPC → DOM: Service Workers
Updated 6 years ago: Priority: -- → P3
Updated 2 years ago: Severity: normal → S3