Closed Bug 16521 Opened 20 years ago Closed 20 years ago

Scripts in mail messages run from wrong origins

Categories

(MailNews Core :: Security, defect, P3, major)

All
Windows NT

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 16672

People

(Reporter: norrisboyd, Assigned: norrisboyd)

References

Details

Subject:
             Re: structure of XUL document containing message
        Date:
             Fri, 15 Oct 1999 10:39:33 -0700
       From:
             norris@netscape.com (Norris Boyd)
 Organization:
             Netscape Communications
         To:
             Rich Pizzarro <rhp@netscape.com>
         CC:
             norris@netscape.com
  References:
             1 , 2




Thanks for the very descriptive answer. That helps a lot.

I tried a test with a script embedded inside a mail message and unfortunately
the script executes with the file: origin of the temp
file rather than the imap: or mailbox: origin. In the HTML model, scripts
execute with the origin of the enclosing document. This
is why the chrome scripts execute with imap: or mailbox: origins, and why
scripts in mail messages execute from file: origins.
Both are bad.

I'll open a bug on this and paste all this text into it.

I don't yet have a good idea of how to make this work. Thanks for your help and
I'm sure I'll have more questions later.

--Norris

Rich Pizzarro wrote:

  Hi Norris,
  Looks like you've got a pretty good handle on what is going on with
  mail display, but just to make sure, let me summarize what is going
  on when a message is displayed:

  When you select a message in the thread pane, you are actually firing
  a URL which is:

      - IMAP://  - for IMAP mail messages
      - mailbox:// - for local/POP mail messages

  The data is retrieved by the IMAP or Mailbox protocol handler and
  when the content type of message/rfc822 is encountered, the MIME
  stream converter is instantiated. libmime (as is affectionately known)
  starts reading the stream and parsing the RFC822 mail message.
  Since this is a display operation, libmime generates a XUL document
  for message display. This used to be an HTML document (in 4.x) but
  we need the UI capabilities of XUL for things like the attachment menus,
  etc...

  The top of this XUL document pulls in the following 2 JavaScript files:

                  chrome://messenger/content/attach.js
                  chrome://messenger/content/mime.js

  These will be used for saving attachments, toggling long address lists,
  etc... NOTE: there is also the ability for externally registered XPCOM
  objects to add included JavaScript to the header of the XUL document.
  These modules (which is native code running on the machine) will have the
  ability to insert output next to each persons address...an example would
  be "Click to Call" functionality. The click to call module could setup the
  link information to make a voice call and insert a pretty button next to
  each name that would allow for the user to click and make a voice call.
  For an example of this, see "mozilla/mailnews/mime/abstatus"  This
  example just puts an address book icon next to each name.

  Now, this is the interesting part and should be where we can keep mail
  messages in a "sandbox". All of what is described above is generated
  for the HEADERS of an RFC822 message. When the body of the message
  is encountered, a new temporary HTML file is written to disk and the following
  line is added to the XUL document:

  <html:iframe id="mail-body-frame" type="content-primary"
  src="file:///C|/TEMP/nsMimeBody.html" border="0" scrolling="auto" resize="yes"
  width="100%" flex="1"/>

  The contents of the mail message are not included in the XUL document, other
  than through this link. (Note, the name is random so you can't count on that,
but
  the ID of this IFRAME is not) Hopefully, we can control this IFRAME and
anything
  included within it to lock down security.

  You asked about the 4.x capability of turning off JavaScript. Well, would it
  be possible to turn off the JavaScript running in the IFRAME described above,
  but leaving the header JavaScript active. We have to leave that active,
otherwise
  users won't be able to save attachments, add people to their address book,
etc...

  Well, I hope this sheds some light on what we are doing, and hopefully, we'll
  be able to come up with a solution that is safe yet functional.

  - Rich

  Norris Boyd wrote:

  > Hi, I'm working on security for SeaMonkey and am trying to understand
  > how the XUL document containing messages is structured. The reason I
  > care is that I want to make sure that any JavaScript embedded in the
  > HTML of the message doesn't have any special privileges, while
  > JavaScript that you embed has all the privileges it needs to get its job
  > done. I'm copying Georgi Guniski, who's also working to find any
  > security holes in SeaMonkey.
  >
  > >From what I can tell by looking at nsMimeXULEmitter.cpp, the document is
  > generated dynamically and contains at least two JavaScript files,
  > attach.js and mime.js. (Are there others?) These scripts need special
  > privileges to execute because they access the XPConnect Components
  > object, which will soon be restricted from access by anything but
  > scripts loaded from chrome. When running with the XPConnect checks
  > enabled, I get security violations from attach.js because my code
  > currently computes it as being loaded from an imap: URI.
  >
  > Now I see in XULContentSinkImpl::DoneLoadingScript that there is
  > sink->mCurrentScriptURL which is "chrome://messenger/content/attach.js".
  > I could use the fact that this is a chrome URI and propagate principals
  > down to JavaScript so that this script is privileged. However, I'm
  > concerned that then scripts in mail messages or in web documents could
  > then reference chrome scripts and get access to privileged access.
  >
  > We don't have this problem for web documents because there is a XUL
  > document for the chrome and a HTML document for the web content. Is
  > there any way we could structure mail messages similarly so that chrome
  > scripts aren't mixed in with untrusted JavaScript?
  >
  > Also, 4.x has a pref for disabling JavaScript in email messages only. I
  > noticed that IMAP mail is loaded from the imap: protocol. What is POP
  > mail loaded from? Would it make sense to disable execution of JavaScript
  > from these protocols if the user doesn't wish to execute JavaScript in
  > mail?
  >
  > Thanks,
  > Norris

  --

  Rich Pizzarro
  rhp@netscape.com
  AIM Nickname: RHPizzarro
  http://people.netscape.com/rhp
Status: NEW → ASSIGNED
Blocks: 12633
Subject:
            Re: [Fwd: [Fwd: structure of XUL document containing message]]
       Date:
            Fri, 15 Oct 1999 11:28:26 -0700
      From:
            hyatt@netscape.com (David Hyatt)
        To:
            Norris Boyd <norris@netscape.com>
 References:
            1




Sandboxing is based off an attribute...

<html:iframe/> is not sandboxed

<html:iframe type="content"/> and <html:iframe type="content-primary"/> are.

layout/html/document/src/nsFrameFrame.cpp is where the sandboxing is set up on
the nsWebShell.

If you plan to muck around with this sandboxing code, let me know.  I'll want to
review changes.

Dave

Norris Boyd wrote:

  Is it the case that  HTML frames contained inside chrome containers can't
reach outside their frame? Is that the mechanism
  by which web content is embedded in the XUL chrome for the browser?

  Thanks,
  Norris
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Guninski's bug has an exploit and is thus verifiable. Closing this bug in favor
of his.

*** This bug has been marked as a duplicate of 16672 ***
Blocks: 16950
Status: RESOLVED → VERIFIED
Bulk moving all MailNews Security bugs to new Security: General component.  The 
previous Security component for MailNews will be deleted.
Component: Security → Security: General
Product: MailNews → Core
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.