Closed Bug 1513470 Opened 5 years ago Closed 5 years ago

Redirect content is shown when redirecting to an invalid data URI

Categories

(Core :: Networking, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla66
Tracking Status
firefox66 --- fixed

People

(Reporter: jwkbugzilla, Assigned: mayhemer)

Details

(Whiteboard: [necko-triaged])

Attachments

(1 file)

When a website serves up a redirect, it can provide some HTML content along with it. In the past, web browsers used to display that content under some circumstances. As a result, open redirect vulnerabilities in websites would occasionally be "upgraded" into XSS vulnerabilities (see bug 255119). So now Firefox will display "Corrupted Content Error" instead, which prevents such issues.

There are apparently loopholes however. I already filed one under bug 1506821, and the challenge under https://www.bugbountynotes.com/challenge?id=18 makes use of another (presumably based on a real vulnerability found in a web application). Redirecting to a data: URI will normally be blocked. However, if that data: URI is supposed to be base64-encoded yet the contents aren't valid base64, Firefox will still fall back to displaying redirect content.

For testing:

* https://palant.de/test/data_redirect/ - redirects to data:text/html;base64,Zm9vYmFy and fails silently (Navigation to toplevel data: URI not allowed).
* https://palant.de/test/data_redirect_invalid/ - redirects to data:text/html;base64,<foobar> and displays redirect content (302 Found).

Reproduced in Firefox 63 on Kubuntu. Chrome 71 displays ERR_UNSAFE_REDIRECT for both URLs.
I can take a look
Assignee: nobody → honzab.moz
The reason we show the redirect response content is that opening the data channel in nsHttpChannel::ContinueProcessRedirection failed (AsyncOpen returns NS_ERROR_ILLEGAL_VALUE).

Converting to (or returning from AsyncOpen) NS_ERROR_MALFORMED_URI (both reasonable) will prevent rendering.

I want to alter how nsDataChannel::OpenContentStream behaves. This can have some impact...
Status: NEW → ASSIGNED
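
The behaviour discussed above, as an added example that is not part of the bug thread and is not Gecko code: a simplified Python model of how a top-level redirect to a data: URI is handled before and after the change. The function names, outcome labels and the strict base64 check are assumptions made for illustration; only the two status names and the two test URIs come from the thread.

```python
import base64
import binascii
from urllib.parse import unquote_to_bytes
# Status names come from the comment above; the mapping below is a simplified model.
ILLEGAL_VALUE = "NS_ERROR_ILLEGAL_VALUE"
MALFORMED_URI = "NS_ERROR_MALFORMED_URI"

def data_uri_payload_ok(uri: str) -> bool:
    """True if a data: URI has a comma and, when flagged ;base64, decodes."""
    header, sep, payload = uri[len("data:"):].partition(",")
    if not sep:
        return False
    if not header.lower().endswith(";base64"):
        return True
    try:
        # Assumption: strict decoding; a browser's decoder may be more lenient.
        base64.b64decode(unquote_to_bytes(payload), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def redirect_outcome(location: str, patched: bool) -> str:
    """Model what a top-level redirect to `location` ends up showing."""
    if not location.lower().startswith("data:"):
        return "follow"
    if data_uri_payload_ok(location):
        return "blocked"  # navigation to top-level data: URI not allowed
    status = MALFORMED_URI if patched else ILLEGAL_VALUE
    # Per the thread, ILLEGAL_VALUE fell back to rendering the 3xx body.
    return "render_redirect_body" if status == ILLEGAL_VALUE else "not_rendered"

def audit(locations):
    """Return (location, before, after) for targets whose outcome the fix changes."""
    rows = []
    for loc in locations:
        before, after = redirect_outcome(loc, False), redirect_outcome(loc, True)
        if before != after:
            rows.append((loc, before, after))
    return rows

# Constructed sample list; the two data: URIs are the ones quoted in the report.
SAMPLES = [
    "https://example.com/next",
    "data:text/html;base64,Zm9vYmFy",
    "data:text/html;base64,<foobar>",
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Only the malformed base64 target changes outcome between the two modes, which matches the two test pages in the report.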
Attached patch v1
See previous comment for rationale.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=2cd27535a9d1309faf8cfdc6e9a0d720a82c96d7
Attachment #9030843 - Flags: review?(dd.mozilla)
Try looks good!
Attachment #9030843 - Flags: review?(dd.mozilla) → review+
Whiteboard: [necko-triaged]
Keywords: checkin-needed
Pushed by ncsoregi@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/048bb05eebbc
Block redirect content from being shown when target data URL is broken, r=dragana
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/048bb05eebbc
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66