Location API rate limit code does not cover location.reload
Categories
(Core :: DOM: Navigation, defect)
Tracking
()
People
(Reporter: pbz, Assigned: pbz)
References
Details
(Keywords: csectype-dos, hang, sec-low, Whiteboard: [post-critsmash-triage][adv-main95+][adv-ESR91.4.0+])
Attachments
(2 files)
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-esr91+
|
Details | Review |
|
152 bytes,
text/plain
|
Details |
Calls to location.reload() are not rate limited and thus can be used to DoS the parent process.
While testing on Ubuntu this also caused Firefox to exhaust my RAM and caused the desktop environment to get slower, freeze and finally crash.
while(true) location.reload();
Marking this a sec-bug for now, because Bug 1314912 was.
|
||
Updated•3 years ago
|
|
||
Comment 1•3 years ago
|
||
Hey, Paul, will you be able to help add rate limits for this API?
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 2•3 years ago
|
||
|
||
Comment 3•3 years ago
|
||
Landed: https://hg.mozilla.org/integration/autoland/rev/21276955f659026ff55e579d9ca37a284552e7b3
Backed out for causing hybrid (= non-unified) bustages on nsIPrincipal.
https://hg.mozilla.org/integration/autoland/rev/ee8efced380b871deac4fba285955953a4a89ef5
Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&resultStatus=usercancel%2Ctestfailed%2Cbusted%2Cexception%2Cretry&revision=21276955f659026ff55e579d9ca37a284552e7b3
Failure log: https://treeherder.mozilla.org/logviewer?job_id=355149278&repo=autoland
[task 2021-10-18T12:48:01.196Z] 12:48:01 INFO - In file included from /builds/worker/workspace/obj-build/dist/include/nsIScriptSecurityManager.h:14:
[task 2021-10-18T12:48:01.196Z] 12:48:01 INFO - /builds/worker/workspace/obj-build/dist/include/nsIPrincipal.h(338,20): error: inline function 'nsIPrincipal::IsSystemPrincipal' is not defined [-Werror,-Wundefined-inline]
[task 2021-10-18T12:48:01.196Z] 12:48:01 INFO - inline bool IsSystemPrincipal() const;
[task 2021-10-18T12:48:01.196Z] 12:48:01 INFO - ^
[task 2021-10-18T12:48:01.196Z] 12:48:01 INFO - /builds/worker/checkouts/gecko/dom/base/nsHistory.cpp(167,45): note: used here
[task 2021-10-18T12:48:01.196Z] 12:48:01 INFO - CallerType callerType = aSubjectPrincipal.IsSystemPrincipal()
[task 2021-10-18T12:48:01.196Z] 12:48:01 INFO - ^
|
|
Assignee | |
Updated•3 years ago
|
|
|
||
Comment 4•3 years ago
|
||
Rate limit calls to location.reload. r=smaug
https://hg.mozilla.org/integration/autoland/rev/4fdbdd93041201a41afc9590f4232267d9ecac7e
https://hg.mozilla.org/mozilla-central/rev/4fdbdd930412
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 5•3 years ago
|
||
Please nominate this for ESR91 approval when you get a chance.
|
|
Assignee | |
Comment 6•3 years ago
|
||
Comment on attachment 9246207 [details]
Bug 1720926 - Rate limit calls to location.reload. r=smaug!
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Sites can make repeated calls to
location.reload()slowing down or freezing the browser, potentially causing OS stability issues. due to memory exhaustion. These DoS attacks are often used to trick users into calling scam hotlines. - Fix Landed on Version: 95
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small code change with automated test coverage which had bake time in Nightly and Beta. The underlying rate limiting mechanism has been deployed in Firefox for a long time and is well understood.
- String or UUID changes made by this patch:
|
|
||
Comment 7•3 years ago
|
||
Comment on attachment 9246207 [details]
Bug 1720926 - Rate limit calls to location.reload. r=smaug!
Approved for 91.4esr.
|
|
||
Comment 8•3 years ago
|
||
| uplift | ||
|
||
Updated•2 years ago
|
|
|
||
Comment 9•2 years ago
|
||
|
|
||
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
Description
•