Closed Bug 1705094 (CVE-2022-22749) Opened 4 years ago Closed 3 years ago

QR code scanner allows opening non-HTTP URLs

Categories

(Fenix :: General, defect)

Product:
Fenix
Component:
General
Platform:
Unspecified
Android
Type:
defect

Tracking

(firefox94 wontfix, firefox95 wontfix, firefox96 fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox94 --- wontfix
firefox95 --- wontfix
firefox96 --- fixed

People

(Reporter: jwkbugzilla, Assigned: royang)

Details

(Keywords: sec-moderate, Whiteboard: [adv-main96+])

Attachments

(2 files, 2 obsolete files)

qr_deny_non_https_2.patch
6.12 KB, patch
csadilek
: review+
Details | Diff | Splinter Review
advisory.txt
285 bytes, text/plain
Details

As implemented right now, QR code scanner imposes no restrictions on the URL scheme. As I understand the logic under https://github.com/mozilla-mobile/fenix/blob/d702af5a536f3a0040980acbaba4b0ca40c9c06e/app/src/main/java/org/mozilla/fenix/search/SearchDialogFragment.kt#L423, the same restrictions are imposed here as on manually entered URLs. This means no javascript: URLs, but privileged URLs like about:config are allowed. These pages are considered not safe to be opened by websites due to potential vulnerabilities, but QR codes can currently open them.

There is also lack of URL normalization (see bug 1691472), so the confirmation message displayed cannot be considered sufficient protection.

I thought this was already a bug we fixed once?! maybe that was fennec and we reproduced the bug in fenix.

most of our about: urls are safe enough, but there are a couple (and always risks for more) that take parameters that would allow for mischief. Also same for resource: urls.

Keywords: sec-moderate

I did test resource: URLs, they don’t load here (and neither when entered manually).

I did test resource: URLs, they don’t load here (and neither when entered manually).

Yes, we block loads of resource://, content:// and file:// URIs in general: https://github.com/mozilla-mobile/android-components/blob/master/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt#L152

So those shouldn't load via the QR scanner either. We should still limit to just http(s) for the scanner.

ni to check why this was allowed

Flags: needinfo?(agi)

OK I verified that using LOAD_FLAGS_EXTERNAL fixes this problem (and a host of other ones). Unfortunately, EXTERNAL is not the default as I thought. We maybe should consider switching the default so you have to pass in LOAD_FLAGS_INTERNAL for example for internal page loads, instead of the other way around.

Flags: needinfo?(agi)
Assignee: nobody → royang
Status: NEW → ASSIGNED
Attachment #9247309 - Flags: review?(csadilek)
Attachment #9247309 - Flags: review?(agi)
Attachment #9247309 - Attachment is obsolete: true
Attachment #9247309 - Flags: review?(csadilek)
Attachment #9247309 - Flags: review?(agi)
Attached patch qr_deny_non_https_1.patch (obsolete) — Splinter Review
Attachment #9247782 - Flags: review?(csadilek)
Comment on attachment 9247782 [details] [diff] [review] qr_deny_non_https_1.patch Review of attachment 9247782 [details] [diff] [review]: ----------------------------------------------------------------- Something wrong with the condition, see inline. Did you mean to check for both `http` and `https`? We should also call into our normalize URL functions first. ::: app/src/main/java/org/mozilla/fenix/search/SearchDialogFragment.kt @@ +504,4 @@ > requestPermissions(permissions, REQUEST_CODE_CAMERA_PERMISSIONS) > }, > onScanResult = { result -> > + if (!URLUtil.isHttpsUrl(result) && !URLUtil.isHttpsUrl(result)) { Looks like you're checking the same condition twice here.
Attachment #9247782 - Flags: review?(csadilek) → review-

If you pass the external flag you shouldn't be able to load javascript: URIs, so the http/https check is redundant (mentioning in case you see something else in your testing).

Attachment #9247782 - Attachment is obsolete: true
Attachment #9247798 - Flags: review?(csadilek)

If you pass the external flag you shouldn't be able to load javascript: URIs, so the http/https check is redundant (mentioning in case you see something else in your testing).

Yes, the external flag is working fine and already landed. So the page load is already prevented. This patch here is to improve the user experience, as we would otherwise still open a tab for those invalid URLs...not load it but still display it.

Comment on attachment 9247798 [details] [diff] [review] qr_deny_non_https_2.patch Review of attachment 9247798 [details] [diff] [review]: ----------------------------------------------------------------- Looks good to me now!
Attachment #9247798 - Flags: review?(csadilek) → review+

Fix merged in Fenix Nightly with https://github.com/mozilla-mobile/fenix/pull/22268

status-firefox96: --- → fixed
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

Is this something we wanted to backport to v95 or should it ride 96?

status-firefox94: --- → wontfix
status-firefox95: --- → affected
Flags: needinfo?(royang)

(In reply to Ryan VanderMeulen [:RyanVM] from comment #14)

Is this something we wanted to backport to v95 or should it ride 96?

This will just ride the v96 train. The critical fix is already in v94 and v95. This fix is just UI feedback to the user. Thanks,

Flags: needinfo?(royang)
Group: mobile-core-security → core-security-release
Whiteboard: [adv-main96+]
Attached file advisory.txt
Alias: CVE-2022-22749
Group: core-security-release
Component: Security: Android → General
OS: Unspecified → Android
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: