nsIPrincipal::GetOriginNoSuffix doesn't escape the '^' character
Categories: Core :: Security: CAPS, defect

Tracking:

 | Tracking | Status
---|---|---
firefox68 | --- | affected

People: Reporter janv, Unassigned
We found this in bug 1535371.
Despite this comment in the code:
https://searchfox.org/mozilla-central/rev/11cfa0462a6b5d8c5e2111b8cfddcf78098f0141/caps/ContentPrincipal.cpp#188
Spec and HostPort both seem to not escape the '^' character.
MozURL::Origin probably needs to be fixed too.
Updated•6 years ago

Comment 1•6 years ago (Reporter)
GetOriginNoSuffix is called by PrincipalToPrincipalInfo here:
https://searchfox.org/mozilla-central/rev/11cfa0462a6b5d8c5e2111b8cfddcf78098f0141/ipc/glue/BackgroundUtils.cpp#95
QuotaManager then combines ContentPrincipalInfo::originNoSuffix() and ContentPrincipalInfo::attrs()
The "combined" origin string is then passed to OriginScope::SetFromOrigin which calls OriginAttributes::PopulateFromOrigin and that fails if the string after ^ can't be parsed as origin attributes.
See this test:
https://searchfox.org/mozilla-central/source/dom/quota/test/unit/test_originWithCaret.js
We fixed QuotaManager to detect origins like this, so all quota clients should be safe, but long term, we should fix the root cause.
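As an added illustration of the round trip described in this comment (a constructed JavaScript model, not Gecko code and not something the reporter posted): it glues an originNoSuffix and a serialized attribute suffix together the way QuotaManager does, then splits the result the way a PopulateFromOrigin-style parser does. Assumptions of the model, none of them taken from the page: the separator is '^', attribute pairs are joined with '&', only userContextId and privateBrowsingId are modelled, the parser splits at the last '^', the sample origin is a made-up file: URL whose path contains a caret, and the root-cause fix is modelled as percent-encoding '^' as %5E in the origin before it is combined.

```javascript
// Model (not Gecko code) of originNoSuffix + "^" + attrs and the reverse split.
// Assumptions: separator "^", pairs joined by "&", two attribute keys only,
// parser splits at the LAST "^". Details of the real OriginAttributes code may differ.

const SEPARATOR = "^";
const KNOWN_KEYS = new Set(["userContextId", "privateBrowsingId"]);

// Serialize attributes to a suffix such as "^userContextId=2".
// Default (empty or all-zero) attributes produce no suffix at all.
function serializeSuffix(attrs) {
  const parts = Object.keys(attrs)
    .filter((k) => KNOWN_KEYS.has(k) && attrs[k] !== 0)
    .sort()
    .map((k) => `${k}=${attrs[k]}`);
  return parts.length ? SEPARATOR + parts.join("&") : "";
}

// Parse "" or "^k=v&k=v" back into attributes; null on anything malformed.
function parseSuffix(suffix) {
  if (suffix === "") return {};
  if (!suffix.startsWith(SEPARATOR)) return null;
  const attrs = {};
  for (const pair of suffix.slice(1).split("&")) {
    const eq = pair.indexOf("=");
    if (eq < 0) return null;
    const key = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    if (!KNOWN_KEYS.has(key) || !/^\d+$/.test(value)) return null;
    attrs[key] = Number(value);
  }
  return attrs;
}

// What the quota code does with ContentPrincipalInfo: originNoSuffix + attrs.
function combineOrigin(originNoSuffix, attrs) {
  return originNoSuffix + serializeSuffix(attrs);
}

// Model of PopulateFromOrigin: everything after the last "^" is the suffix.
// Returns null when that suffix does not parse as origin attributes.
function populateFromOrigin(origin) {
  const pos = origin.lastIndexOf(SEPARATOR);
  if (pos < 0) return { originNoSuffix: origin, attrs: {} };
  const attrs = parseSuffix(origin.slice(pos));
  if (attrs === null) return null;
  return { originNoSuffix: origin.slice(0, pos), attrs };
}

// Modelled root-cause fix: escape "^" in the origin itself so it can never be
// mistaken for the separator. Using %5E is an assumed encoding choice.
function escapeOriginNoSuffix(originNoSuffix) {
  return originNoSuffix.replace(/\^/g, "%5E");
}

// Defensive check a consumer can run on an originNoSuffix it is handed.
function hasUnescapedCaret(originNoSuffix) {
  return originNoSuffix.includes(SEPARATOR);
}

// Constructed sample inputs.
const CARET_ORIGIN = "file:///tmp/a^b/index.html";
const NO_CARET_ORIGIN = "https://example.com";

// Stand-alone run: show the failing, the confused and the fixed round trips.
console.log("caret, no attrs  :", populateFromOrigin(combineOrigin(CARET_ORIGIN, {})));
console.log("caret looks like attrs:", populateFromOrigin("file:///tmp/a^userContextId=2"));
console.log("escaped + attrs  :",
  populateFromOrigin(combineOrigin(escapeOriginNoSuffix(CARET_ORIGIN), { userContextId: 2 })));
```

The first case is the failure the comment describes: with no attributes there is no real suffix, so the caret inside the origin is taken as the separator and the tail does not parse. The second case shows why the escaping matters beyond a parse error: a path that happens to look like "key=value" after its caret is accepted as attributes and the origin is attributed to a different partition than the one it came from. Escaping the caret before combining makes the split unambiguous again.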
Updated•6 years ago

Comment 2•6 years ago
(In reply to Jan Varga [:janv] from comment #0)
> We found this in bug 1535371.
> Despite this comment in the code:
> https://searchfox.org/mozilla-central/rev/11cfa0462a6b5d8c5e2111b8cfddcf78098f0141/caps/ContentPrincipal.cpp#188
> Spec and HostPort both seem to not escape the '^' character.
Nika wrote that comment initially in bug 1172080 so maybe she has relevant thoughts here?
(I'm not sure how urgent this is)
Comment 3•6 years ago
Marking as security sensitive to align with the other bug also filed here (bug 1548306)
See bug 1548306 comment 3 for more details.
Updated•5 years ago