Closed Bug 1717042 Opened 3 years ago Closed 3 years ago

`navigator.registerProtocolHandler()` can crash Thunderbird @ mozilla::dom::Navigator::CheckProtocolHandlerAllowed

Categories

(Thunderbird :: General, defect, P1)

Product:
Thunderbird
Component:
General
Type:
defect

Tracking

(thunderbird_esr78+ verified, thunderbird91 fixed)

Status:
RESOLVED FIXED
Milestone:
92 Branch
Tracking Flags:
Tracking Status
thunderbird_esr78 + verified
thunderbird91 --- fixed

People

(Reporter: neil, Assigned: neil)

References

(
URL
)

Details

(Keywords: crash, topcrash-thunderbird, Whiteboard: [startupcrash])

Crash Data

Attachments

(2 files, 2 obsolete files)

Proposed patch
1.42 KB, patch
mkmelin
: review+
Details | Diff | Splinter Review
Fix, v4
2.42 KB, patch
mkmelin
: review+
BenB
: review+
wsmwk
: approval-comm-beta+
wsmwk
: approval-comm-esr78+
Details | Diff | Splinter Review

navigator.registerProtocolHandler() allows a small whitelist of permitted schemes. However some of these schemes are registered by Thunderbird. This means that if someone manages to access this API in Thunderbird but tries to pass one of those schemes then Thunderbird will immediately crash.

Severity: -- → S2
Priority: -- → P1
Assignee: nobody → neil
Status: NEW → ASSIGNED

Now that bug 1717833 is fixed, Trunk Thunderbird can defend itself by setting the appropriate preferences.

@Neil: Can you please attach a patch that sets the preferences accordingly, with all relevant URL schemes, and test that it fixes the bug?

Attached patch Proposed patchSplinter Review

Of course on trunk the problem isn't so bad because web pages run in content processes but we might as well set the preferences anyway.

Attachment #9229538 - Flags: review?(mkmelin+mozilla)
Whiteboard: [startupcrash]

Is that all protocols? Don't we have a lot more, like imap:, plus some internal ones like imap-message: and similar?

I've only added prefs for those that cause a crash.

OK, could you please add all protocols?

Comment on attachment 9229538 [details] [diff] [review] Proposed patch Review of attachment 9229538 [details] [diff] [review]: ----------------------------------------------------------------- ::: mail/app/profile/all-thunderbird.js @@ +378,5 @@ > pref("network.protocol-handler.warn-external.ftp", false); > > +// prevent web pages from registering mailnews protocol handlers > +pref("network.protocol-handler.external.mailto", false); > +pref("network.protocol-handler.external.news", false); snews as well I guess?
Attachment #9229538 - Flags: review?(mkmelin+mozilla) → review+

(In reply to Wayne Mery from comment #7)

Does this only affect version 78?

On trunk the main process doesn't crash, only the child process for the page trying to register the protocol handler. I don't know how that shows up in the crash statistics, if at all.

Flags: needinfo?(neil)
Attached patch All Thunderbird protocols (obsolete) — Splinter Review

snews isn't currently allowed by navigator.registerProtocolHandler(), which is why the original patch didn't have it. If we're going to add it, then as Ben suggested we should add the other 11 Thunderbird protocols as well, just in case.

Attachment #9230746 - Flags: feedback?(mkmelin+mozilla)

Comment on attachment 9230746 [details] [diff] [review]
All Thunderbird protocols

Thanks. Looks good to me.

Attachment #9230746 - Flags: feedback+

@Neil: You forgot imap-message:, news-message: etc., as mentioned in comment 4, see https://searchfox.org/comm-central/source/mailnews/base/src/nsNewMailnewsURI.cpp#49 for some.

Attachment #9230746 - Flags: feedback+ → review-

The -message versions aren't actually registered as Thunderbird protocols. I don't know what smile is doing in nsNewMailnewsURI.cpp but it's also not actually registered as a protocol.

Attachment #9230786 - Flags: feedback?(mkmelin+mozilla)
Attachment #9230786 - Flags: feedback?(ben.bucksch)

Comment on attachment 9230786 [details] [diff] [review]
All registered and some unregistered protocols

Good. There's no legitimate reason to have webpages register imap-message:, so better to block it, just in case.

Thanks. +1 from me.

Attachment #9230786 - Flags: feedback?(ben.bucksch) → feedback+
Attachment #9230746 - Attachment is obsolete: true
Attachment #9230746 - Flags: feedback?(mkmelin+mozilla)
Comment on attachment 9230786 [details] [diff] [review] All registered and some unregistered protocols Review of attachment 9230786 [details] [diff] [review]: ----------------------------------------------------------------- ::: mail/app/profile/all-thunderbird.js @@ +377,5 @@ > pref("network.protocol-handler.warn-external.https", false); > pref("network.protocol-handler.warn-external.ftp", false); > > +// prevent web pages from registering mailnews protocol handlers > +pref("network.protocol-handler.external.cid", false); Also add mid:?
Attachment #9230786 - Flags: feedback?(mkmelin+mozilla) → feedback+
Flags: needinfo?(neil)

FYI, Neil is sick at the moment.

Attached patch Fix, v4Splinter Review

I'm updateing the patch for Neil, because he cannot.

Adding mid as requested.

Attachment #9230786 - Attachment is obsolete: true
Attachment #9233102 - Flags: review?(mkmelin+mozilla)
Attachment #9233102 - Flags: review+
Attachment #9233102 - Flags: review?(mkmelin+mozilla) → review+
status-thunderbird91: --- → affected
Keywords: checkin-needed-tb
Target Milestone: --- → 92 Branch

Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/f4e363bebf69
Prevent registerProtocolHandler crashing for mailnews protocols r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED

Comment on attachment 9233102 [details] [diff] [review]
Fix, v4

[Approval Request Comment]
Regression caused by (bug #):
User impact if declined:
Thunderbird crashes
Testing completed (on c-c, etc.):
Landed on CC
Risk to taking this patch (and alternatives if risky):
Only changes prefs to tell Gecko that we implement these protocols

Attachment #9233102 - Flags: approval-comm-beta?

Comment on attachment 9233102 [details] [diff] [review]
Fix, v4

[Triage Comment]
Approved for beta

Attachment #9233102 - Flags: approval-comm-beta? → approval-comm-beta+

Comment on attachment 9233102 [details] [diff] [review]
Fix, v4

[Approval Request Comment]
Regression caused by (bug #): 1499092
User impact if declined: Crash
Testing completed (on c-c, etc.): Trunk, beta
Risk to taking this patch (and alternatives if risky):

Attachment #9233102 - Flags: approval-comm-esr78?

Note that to fully fix Thunderbird 78 bug 1717833 will also need to be backported to Firefox ESR78.

Flags: needinfo?(neil)
Regressions: 1724292

The crash rate spikes starting August 10 https://crash-stats.mozilla.org/signature/?product=Thunderbird&signature=mozilla%3A%3Adom%3A%3ANavigator%3A%3ACheckProtocolHandlerAllowed&date=%3E%3D2021-07-15T15%3A18%3A00.000Z&date=%3C2021-08-15T15%3A18%3A00.000Z#graphs

(In reply to neil@parkwaycc.co.uk from comment #23)

Note that to fully fix Thunderbird 78 bug 1717833 will also need to be backported to Firefox ESR78.

So this is only/primarily users of OWL, correct?

Note, bug 1717833 has been set as WONTFIX for Firefox ESR78. So is the most suitable solution for those users to move to version 91?

Flags: needinfo?(ben.bucksch)
Keywords: topcrash-thunderbird
Summary: `navigator.registerProtocolHandler()` can crash Thunderbird → `navigator.registerProtocolHandler()` can crash Thunderbird @ mozilla::dom::Navigator::CheckProtocolHandlerAllowed

(In reply to Wayne Mery (:wsmwk) from comment #24)

...
So this is only/primarily users of OWL, correct?

Spot checking half dozen crashes indicates it is so.

And FWIW there are no beta or nightly crashes in the past month, only release crashes.

Here's what Neil wrote on the internal bug tracker, about 2 months ago:
~~
It's actually quite easy to crash Thunderbird by calling registerProtocolHandler. The problem is that this API is designed for browsers, which means that it assumes that various protocols such as nntp aren't in use. If a web page tries to call registerProtocolHandler passing in nntp as a parameter then it will immediately crash. The crash dumps don't have enough information to tell me what code is calling registerProtocolHandler but it's certainly not Owl. In particular, none of the protocol handlers that Owl registers are allowed by registerProtocolHandler, so it can't even contribute to the crash that way either.

The crash is not in code provided by Owl or even executed by Owl, since there are over 120 crashes where Owl wasn't even installed.
~~

Most of the crashes are right after startup. I suspect that some of the Office365 or Duo (or other third party MFA providers) or Exchange login pages of the server contains a JavaScript call to registerProtocolHandler() in the HTML login page. Owl just happens to open that login page, which is where the correlation comes from, but we cannot avoid the login page. But aside from that, it seems that Owl is in no way triggering this nor causing this. For the same reason, I have no idea how we could possibly work around this.

The only way out that I see is to change RyanVM's mind and to backport bug 1717833 to 78 ESR.

Other ideas?

(I have yet to confirm the above thoery and to find a minimal test case that triggers the crash at will.)

Flags: needinfo?(ben.bucksch)

RyanVM approved bug 1717833 for backport for 78 ESR. Yay!

Flags: needinfo?(vseerror)

So, what are the chances of a fix being introduced for TB 91.0 ?

Comment on attachment 9233102 [details] [diff] [review]
Fix, v4

[Triage Comment]
Approved for esr78

(In reply to aliledudiable from comment #28)

So, what are the chances of a fix being introduced for TB 91.0 ?

100% - it was already in version 91.0. Comment 21 put it in beta 91.

Flags: needinfo?(vseerror)
Attachment #9233102 - Flags: approval-comm-esr78? → approval-comm-esr78+

Well, my TB 91.0.3 crashes with Owl... unless I quickly close the tab it opens on startup (for authentication I guess).

Maybe it's another issue.

Pretty impossible to act on your issue without a crash report ID. https://support.mozilla.org/en-US/kb/mozilla-crash-reporter-tb#w_viewing-crash-reports

@aliledudiable: That sounds like a different bug, indeed. Can you please file a new bug (and mention the bug number here)? Thanks!

Signature for this crash no longer appears for 78.14.0

status-thunderbird_esr78: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: