Closed Bug 1513003 Opened 6 years ago Closed 4 years ago

PasswordManager:findLogins/:autoCompleteLogins actor topics allow querying for any origin's login

Categories

(Toolkit :: Password Manager, defect, P2)

All
Unspecified
defect

Tracking


RESOLVED FIXED
mozilla79
Fission Milestone Future
Tracking Status
firefox79 --- fixed

People

(Reporter: tjr, Assigned: severin)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Whiteboard: security:passwords)

Attachments

(1 file)

The PasswordManager:findLogins request and PasswordManager:loginsFound response allow any origin to query for saved logins for any origin. We should ensure that the form and action URLs that are passed to the parent are valid for the Content Process they originate from.
Blocks: fission-ipc
I think this one belongs in IPC rather than dom:sec; pushing it over.
Component: DOM: Security → IPC
Assuming the problem is the ominous TODO at [1], `./mach file-info bugzilla-component` says this belongs to Toolkit :: Password Manager.

[1] https://searchfox.org/mozilla-central/rev/adcc169dcf58c2e45ba65c4ed5661d666fc3ac74/toolkit/components/passwordmgr/LoginManagerParent.jsm#74
Component: IPC → Password Manager
Product: Core → Toolkit
Priority: -- → P2
See Also: → 1166113
Whiteboard: security:passwords
Summary: RemoteLogins:findLogins MessageManager Topic allows querying for any origin's login → PasswordManager:findLogins MessageManager Topic allows querying for any origin's login

PasswordManager:autoCompleteLogins is also guilty of this.

See Also: → 1555209
See Also: 1166113

This bug is not a Fission MVP blocker.

Fission Milestone: --- → Future
Assignee: nobody → severin.mozilla
Status: NEW → ASSIGNED
Type: enhancement → defect
Flags: qe-verify-
Hardware: Unspecified → All
Summary: PasswordManager:findLogins MessageManager Topic allows querying for any origin's login → PasswordManager:findLogins/:autoCompleteLogins actor topics allow querying for any origin's login
Pushed by apavel@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/319bbb220b30 only allow child process to query logins for the current base domain;r=MattN
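The following is an added illustration of the parent-side check the report asks for and the landed fix summarises (a child may only look up logins for its own base domain). It is not Firefox's LoginManagerParent code: the real implementation resolves base domains via Services.eTLD and the login store is Services.logins, whereas here the public-suffix table, the login store and the function names (`baseDomain`, `isQueryAllowed`, `findLoginsForChild`) are all constructed so the block runs stand-alone under Node.

```javascript
// Added example, not Firefox code. Models a parent-process guard for a
// findLogins-style request arriving from a content process.
// Assumption: a tiny constructed public-suffix table stands in for Services.eTLD.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "github.io"]);

// eTLD+1 of an origin, e.g. https://login.example.com -> "example.com".
// Throws on malformed input (new URL) so callers can fail closed.
function baseDomain(origin) {
  const host = new URL(origin).hostname;
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return host;
}

// True only when the login origin the child asks about shares a base domain
// with the document the child is actually rendering. Non-hierarchical or
// malformed origins (about:, data:, garbage) are refused rather than matched.
function isQueryAllowed(requestingDocumentOrigin, requestedFormOrigin) {
  try {
    const allowed = baseDomain(requestingDocumentOrigin);
    return allowed !== "" && baseDomain(requestedFormOrigin) === allowed;
  } catch (e) {
    return false;
  }
}

// Constructed login store standing in for Services.logins.
const LOGIN_STORE = [
  { origin: "https://example.com", username: "alice" },
  { origin: "https://login.example.com", username: "alice-sso" },
  { origin: "https://bank.net", username: "bob" },
];

// Parent-side handler. Without the isQueryAllowed gate this would hand any
// child the logins for whatever origin it named (the reported defect);
// with it, a mismatched request gets an empty result.
function findLoginsForChild(requestingDocumentOrigin, requestedFormOrigin) {
  if (!isQueryAllowed(requestingDocumentOrigin, requestedFormOrigin)) {
    // In a real implementation this mismatch is worth logging: a child
    // never legitimately asks for another site's logins.
    return [];
  }
  return LOGIN_STORE.filter(l => l.origin === requestedFormOrigin);
}

// Stand-alone usage
console.log(findLoginsForChild("https://www.example.com", "https://login.example.com"));
console.log(findLoginsForChild("https://evil.net", "https://example.com"));
```

Note that the check is deliberately per base domain rather than per exact origin, so a page on www.example.com may still ask about login.example.com, which is what "current base domain" in the landed commit message describes; the form action URL mentioned in the report is not part of this gate.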
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79
Regressions: 1651186
