Closed Bug 1695590 Opened 4 years ago Closed 4 years ago

openpgp alias: prevent sending if alias file was malformed, don't send unencrypted

Categories

(MailNews Core :: Security: OpenPGP, defect)

Product:
MailNews Core
Component:
Security: OpenPGP
Type:
defect

Tracking

(thunderbird_esr78+ fixed, thunderbird87 fixed)

Status:
RESOLVED FIXED
Milestone:
88 Branch
Tracking Flags:
Tracking Status
thunderbird_esr78 + fixed
thunderbird87 --- fixed

People

(Reporter: mkmelin, Assigned: mkmelin)

References

Details

(Keywords: regression)

Attachments

(2 files)

bug1695590_alias_parsing_fail.patch
3.60 KB, patch
KaiE
: review+
wsmwk
: approval-comm-beta+
wsmwk
: approval-comm-esr78+
Details | Diff | Splinter Review
bug1695590_alias_send_testfail.patch
1.77 KB, patch
KaiE
: review+
wsmwk
: approval-comm-beta+
wsmwk
: approval-comm-esr78+
Details | Diff | Splinter Review

If the alias file is malformed (or other problems with accessing it), we currently send unencrypted, which we shouldn't. This is due to messy code...

We of course need to get rid of the capi.sync... but for now we can paper over the problem a bit.

When the promise rejects with an Error, that needs to be propagated up. Due to how XPCOM treats the object it's not even instanceof Error at the receiving end anymore...

At the moment, gotResult is an object. We could potentially return null also, but actually throwing is what it would look like when we get rid of the capi.sync() calls later, so maybe better to just do it right away. With the throwing the error is also not swallowed, but you get to see the error message in the error console.

Attachment #9206024 - Flags: review?(kaie)
Status: NEW → ASSIGNED
Comment on attachment 9206024 [details] [diff] [review] bug1695590_alias_parsing_fail.patch Review of attachment 9206024 [details] [diff] [review]: ----------------------------------------------------------------- ::: mail/extensions/openpgp/content/modules/cryptoAPI/interface.js @@ +43,5 @@ > inspector.exitNestedEventLoop(); > }) > .catch(gotResult => { > console.log("CryptoAPI.sync() failed result: %o", gotResult); > + if (gotResult instanceof Error) { Can we be certain that any related code will always throw type Error() ? If we aren't certain, it might be better to throw any error. As a test, I added ```throw "error";``` in enigmailMsgComposeOverlay.js determineSendFlags() and a message was sent unencrypted.

Syntax errors and IO errors will be "the right type". It's generally a bad idea to throw strings, but it can technically occur.
In general, it should throw for all errors here, but I wanted to be conservative since the api is used elsewhere too and it's hard to reason about all the call sites. If it's not an error that's thrown, we also handle a falsy return value ok for the send case.

Comment on attachment 9206024 [details] [diff] [review]
bug1695590_alias_parsing_fail.patch

Thanks for the explanation.

I'm OK with this, r=kaie, but as I understand it, it won't catch any kind of potential exception, so it seems we should still implement an additional fix for bug 1648019.

(You say it catches other types if they are falsy - but a string isn't falsy.)

Attachment #9206024 - Flags: review?(kaie) → review+

Looking more deeply and after some experiments - in the third chunk of your patch (sendMessageListener) you're handling exceptions of any type. With that, most exceptions should cause sending to abort.

But in CryptoAPI.sync you limit it to exceptions instances of type Error. As a result, exceptions in code that is called by CryptoAPI.sync, which throws an exception of an unexpected type, will not cause sending to abort. I think that's inconsistent.

You say the CryptoAPI.sync API is used elsewhere, and you want to be conservative.

However, your patch already changes the behavior of the API. Before your patch, it never throws. Now, it throws in some scenarios. I think by allowing the function to throw, you've no longer conservative. It seems to me that throwing for all sorts of exceptions isn't much worse.

I think we shouldn't delay this patch, because it fixes the known issue. Follow up fixes can be added in bug 1648019.

Keywords: checkin-needed-tb

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/7ce196669f1c
openpgp alias: prevent sending if alias file was malformed, don't send unencrypted. r=kaie

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED

This is causing a test failure for testEncryptedOneRecipientKeyNotAvailableMessageComposition. But I think the explanation is easy: no key -> can't get key block from empty string -> exception (which was earlier just swallowed)

Attachment #9206629 - Flags: review?(kaie)
status-thunderbird87: --- → affected
status-thunderbird_esr78: --- → affected
tracking-thunderbird_esr78: --- → +
Target Milestone: --- → 88 Branch

Comment on attachment 9206629 [details] [diff] [review]
bug1695590_alias_send_testfail.patch

Function commonProcessAttachedKey already returns without data, if no list could be extracted from the parameter, so this change should be safe.

r=kaie

Attachment #9206629 - Flags: review?(kaie) → review+
Pushed by mkmelin@iki.fi: https://hg.mozilla.org/comm-central/rev/1d767781ecba don't try to process empty key data; that will (now) throw and prevent normal functionality. r=kaie DONTBUILD
Keywords: regression

Comment on attachment 9206024 [details] [diff] [review]
bug1695590_alias_parsing_fail.patch

[Approval Request Comment]
Regression caused by (bug #): 1644085
User impact if declined: risk of accidentally sending wihtout encryption
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): low

Attachment #9206024 - Flags: approval-comm-esr78?

Comment on attachment 9206629 [details] [diff] [review]
bug1695590_alias_send_testfail.patch

[Approval Request Comment]
Regression caused by (bug #): this bug
User impact if declined: none, only affects tests
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): low

Attachment #9206629 - Flags: approval-comm-esr78?

Comment on attachment 9206024 [details] [diff] [review]
bug1695590_alias_parsing_fail.patch

this will go in the next beta

Attachment #9206024 - Flags: approval-comm-beta?

Comment on attachment 9206629 [details] [diff] [review]
bug1695590_alias_send_testfail.patch

this will go in the next beta

Attachment #9206629 - Flags: approval-comm-beta?

Thanks for the beta approval. That's actually what I had intended. Let's postpone the esr78 request for a bit.

Attachment #9206024 - Flags: approval-comm-esr78?
Attachment #9206629 - Flags: approval-comm-esr78?

Comment on attachment 9206629 [details] [diff] [review]
bug1695590_alias_send_testfail.patch

[Triage Comment]
Approved for beta

Attachment #9206629 - Flags: approval-comm-beta? → approval-comm-beta+

Comment on attachment 9206024 [details] [diff] [review]
bug1695590_alias_parsing_fail.patch

[Triage Comment]
Approved for beta

Attachment #9206024 - Flags: approval-comm-beta? → approval-comm-beta+

Comment on attachment 9206024 [details] [diff] [review]
bug1695590_alias_parsing_fail.patch

[Approval Request Comment]
Regression caused by (bug #): 1644085
User impact if declined: required follow-up fix for bug 1644085
Testing completed (on c-c, etc.): c-c, beta
Risk to taking this patch (and alternatives if risky): low

Attachment #9206024 - Flags: approval-comm-esr78?
Attachment #9206629 - Flags: approval-comm-esr78?

Comment on attachment 9206629 [details] [diff] [review]
bug1695590_alias_send_testfail.patch

[Triage Comment]
Approved for esr78

Attachment #9206629 - Flags: approval-comm-esr78? → approval-comm-esr78+

Comment on attachment 9206024 [details] [diff] [review]
bug1695590_alias_parsing_fail.patch

[Triage Comment]
Approved for esr78

Attachment #9206024 - Flags: approval-comm-esr78? → approval-comm-esr78+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: