Firefox crashes by opening a maps link, if Apple Maps app is deleted
Categories
(Firefox for iOS :: General, defect)
People
(Reporter: man9our.ah, Unassigned)
Details
(Keywords: csectype-dos, sec-low)
Attachments
(2 files)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Firefox for Android
Steps to reproduce:
If the client has Firefox for iOS as the default web browser, a malicious website can simply open (or redirect to) https://maps.apple.com/?address=1
which will trigger the bug. As a simple test, just visit this website: https://gts3.org/~mansourah/testBug.html
which contains:
<meta http-equiv="refresh" content="1; URL=https://maps.apple.com/?address=1" />
I am on the latest Firefox for iOS on the App Store (Firefox Daylight 29.2 3120) and iOS version 14.0.1. I am not sure if there are further settings that need to be set in order for this to be triggered.
Actual results:
It seems that Firefox identifies the URL as a maps URL correctly in
https://github.com/mozilla-mobile/firefox-ios/blob/bae2b929bd134cc0409e0fb578ff6d8e52dc5520/Client/Frontend/Browser/BrowserViewController/BrowserViewController%2BWebViewDelegates.swift#L386
but then when it passes the URL to UIApplication it will try to open it in Firefox, which will cause an infinite loop until Firefox eventually crashes.
I have attached a screen-recorded video of what happens when you open a website that redirects to https://maps.apple.com/?address=1.
Expected results:
It seems to me that Firefox should have handled such an infinite loop and not tried to open a new tab or pass the URL to UIApplication.
I just updated iOS to the latest version (14.2); the bug is still triggered.
I think I found one more thing that needs to be set for the bug to be triggered: the user must have deleted Apple Maps. Only then will UIApplication keep calling Firefox with the same URL and enter an infinite loop. Chrome does not seem to suffer from this.
Comment 3•4 years ago
Why would this affect Firefox for iOS and not Safari? I guess the Apple Maps site detects it's on iOS and tries to launch the app even if you're trying to use the browser? Seems like a classic loop where we send a request for an external handler to the OS, and the OS decides we're the correct handler for it and sends it back, ad infinitum.
Comment 4•4 years ago
Can we move this issue to GitHub? Adding Jeremy on this one.
On Firefox for iOS v102 I can't reproduce this anymore. I do get the redirect to Apple Maps using <meta http-equiv="refresh" content="1; URL=https://maps.apple.com/?address=1" />, but there's now a prompt (as shown in attached screenshot) that blocks the infinite loop from happening. If I click "Cancel" nothing happens, if I click "Show in App Store" then we're just brought to the App Store.
Closing this issue; I opened a GitHub ticket so we can harden this part of the code: https://github.com/mozilla-mobile/firefox-ios/issues/11342
Indeed. This is resolved in new versions.
Does this bug have a CVE ID?
I think this was fixed in the OS and not by Firefox for iOS peeps. I'm not aware of a CVE ID for this.
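The handoff loop described in this report (the browser passes the maps URL to the OS, and the OS routes it back to the default browser) can be broken by refusing to hand the same URL off twice in a short window. The sketch below is an added example, not code from Firefox for iOS or from this thread; `ExternalHandoffGuard`, `simulate`, and the 5-second window are hypothetical, and the OS routing is a constructed model of the behaviour reported above.

```swift
import Foundation

/// Hypothetical guard: remembers URLs recently handed to the OS and refuses
/// to hand the same URL off again while it is still inside the window.
final class ExternalHandoffGuard {
    private var handedOff: [URL: Date] = [:]
    private let window: TimeInterval
    private let now: () -> Date

    init(window: TimeInterval = 5, now: @escaping () -> Date = { Date() }) {
        self.window = window
        self.now = now
    }

    /// true: the URL may be passed to the OS.
    /// false: the same URL was handed off moments ago, so it most likely
    /// bounced back; the caller should load it in-app or show an error.
    func shouldHandOff(_ url: URL) -> Bool {
        let t = now()
        // Forget entries older than the window so later, legitimate taps still work.
        handedOff = handedOff.filter { t.timeIntervalSince($0.value) < window }
        if handedOff[url] != nil { return false }
        handedOff[url] = t
        return true
    }
}

/// Constructed model of the routing in the report: with the Maps app deleted,
/// the OS delivers the maps URL back to the default browser.
/// Returns how many browser-to-OS handoffs happened (capped at maxHops).
func simulate(mapsInstalled: Bool, guardEnabled: Bool, maxHops: Int = 20) -> Int {
    let url = URL(string: "https://maps.apple.com/?address=1")!
    let handoffGuard = ExternalHandoffGuard()
    var hops = 0
    while hops < maxHops {
        if guardEnabled && !handoffGuard.shouldHandOff(url) { break }  // bounce detected
        hops += 1                   // browser hands the URL to the OS
        if mapsInstalled { break }  // Maps consumes the URL; nothing comes back
        // Maps deleted: the OS hands the URL back to the browser and we go around again.
    }
    return hops
}

print("Maps installed, no guard:", simulate(mapsInstalled: true, guardEnabled: false))
print("Maps deleted, no guard:  ", simulate(mapsInstalled: false, guardEnabled: false))
print("Maps deleted, with guard:", simulate(mapsInstalled: false, guardEnabled: true))
```

On iOS, `UIApplication.open(_:options:completionHandler:)` with the `.universalLinksOnly` option reports failure through its completion handler when no installed app claims the link, which gives a second point at which to stop the handoff.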