Closed Bug 1513003 Opened 6 years ago Closed 4 years ago

PasswordManager:findLogins/:autoCompleteLogins actor topics allow querying for any origin's login

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla79

Project Flags:

Fission Milestone

Future

Tracking Flags:

Tracking

Status

firefox79

---

fixed

People

(Reporter: tjr, Assigned: severin)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Whiteboard: security:passwords)

Attachments

(1 file)

Bug 1513003 - only allow child process to query logins for the current base domain;r=Mattn 4 years ago :severin Rudie 47 bytes, text/x-phabricator-request		Details \| Review

Multiple Authors

Description

•

5 years ago

•

Edited

The PasswordManager:findLogins request and PasswordManager:loginsFound response allows any origin to query for saved logins for any origin.

We should ensure that the form and action urls that are passed to the parent are valid for the Content Process they originate from.

Tom Ritter [:tjr] (OOTO until mid-August)

Reporter

Updated

•

6 years ago

Blocks: fission-ipc

Christoph Kerschbaumer [:ckerschb]

Comment 1

•

6 years ago

I think this one belongs into IPC rather than dom:sec - pushing it over.

Component: DOM: Security → IPC

Jed Davis [:jld] (on leave until 08-31)

Comment 2

•

6 years ago

Assuming the problem is the ominous TODO at [1], `./mach file-info bugzilla-component` says this belongs to Toolkit :: Password Manager.

[1] https://searchfox.org/mozilla-central/rev/adcc169dcf58c2e45ba65c4ed5661d666fc3ac74/toolkit/components/passwordmgr/LoginManagerParent.jsm#74

Component: IPC → Password Manager

Product: Core → Toolkit

Matthew N. [:MattN]

Updated

•

6 years ago

Priority: -- → P2

Matthew N. [:MattN]

Updated

•

6 years ago

Updated

•

6 years ago

Whiteboard: security:passwords

Matthew N. [:MattN]

Updated

•

5 years ago

Summary: RemoteLogins:findLogins MessageManager Topic allows querying for any origin's login → PasswordManager:findLogins MessageManager Topic allows querying for any origin's login

Matthew N. [:MattN]

Comment 3

•

5 years ago

PasswordManager:autoCompleteLogins is also guilty of this.

Matthew N. [:MattN]

Updated

•

5 years ago

Updated

•

5 years ago

Comment 5

•

5 years ago

This bug is not a Fission MVP blocker.

Fission Milestone: --- → Future

Matthew N. [:MattN]

Updated

•

4 years ago

Assignee: nobody → severin.mozilla

Status: NEW → ASSIGNED

Type: enhancement → defect

Flags: qe-verify-

Hardware: Unspecified → All

Summary: PasswordManager:findLogins MessageManager Topic allows querying for any origin's login → PasswordManager:findLogins/:autoCompleteLogins actor topics allow querying for any origin's login

:severin Rudie

Assignee

Comment 6

•

4 years ago

Attached file Bug 1513003 - only allow child process to query logins for the current base domain;r=Mattn — Details

Pulsebot

Comment 7

•

4 years ago

Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/319bbb220b30
only allow child process to query logins for the current base domain;r=MattN

Razvan Maries

Comment 8

•

4 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/319bbb220b30

Status: ASSIGNED → RESOLVED

Closed: 4 years ago

status-firefox79: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla79

Matthew N. [:MattN]

Updated

•

4 years ago

Regressions: 1651186

You need to log in before you can comment on or make changes to this bug.