Closed Bug 1742421 (CVE-2022-26383) Opened 3 years ago Closed 3 years ago

Exit fullscreen after Window resizeBy() or resizeTo()

Categories

(Core :: DOM: Core & HTML, task)

Tracking

VERIFIED FIXED
98 Branch
Tracking Status
firefox-esr91 98+ verified
firefox96 --- wontfix
firefox97 + wontfix
firefox98 + verified

People

(Reporter: edgar, Assigned: edgar)

References

Details

(4 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey][post-critsmash-triage][adv-main98+][adv-esr91.7+])

Attachments

(4 files, 1 obsolete file)

Assignee: nobody → echen

In each platform, if the popup window is in maximum sizemode and script tries to resize the window, the popup window would exit the maximum mode to resize, so I think it also makes sense that the fullscreen window exits fullscreen mode to resize for consistency.

Blocks: 1745915

Hmm, I am still working on a patch for the Windows platform; the Windows platform behaves a bit differently from the others.

Status update - patch under review, need to address some comments

Attachment #9255906 - Attachment is obsolete: true

Comment on attachment 9255216 [details]
Bug 1742421 - Part 1: [widget/gtk] Exit fullscreen when changing sizemode;

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It might be easy to know that there are bugs around fullscreen and size mode change, but one would need to resize the window before the notification is shown, and also need to resize the window very wide to hide the fullscreen notification
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Should be easy to create
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely, the changes are straightforward and have been tested manually, we have a lot of fullscreen tests and will also add one in bug 1745915 for this change
Attachment #9255216 - Flags: sec-approval?
Attachment #9255217 - Flags: sec-approval?
Attachment #9258481 - Flags: sec-approval?

Comment on attachment 9255216 [details]
Bug 1742421 - Part 1: [widget/gtk] Exit fullscreen when changing sizemode;

Approved to land and request uplift

Attachment #9255216 - Flags: sec-approval? → sec-approval+

Comment on attachment 9255217 [details]
Bug 1742421 - Part 2: [widget/cocoa] Exit fullscreen when changing sizemode;

Approved to land and request uplift

Attachment #9255217 - Flags: sec-approval? → sec-approval+

Comment on attachment 9258481 [details]
Bug 1742421 - Part 3: [widget/windows] Exit fullscreen when changing sizemode;

Approved to land and request uplift

Attachment #9258481 - Flags: sec-approval? → sec-approval+
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(echen)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][sec-survey]

Please nominate this for Beta & ESR approval when you get a chance.

Comment on attachment 9255216 [details]
Bug 1742421 - Part 1: [widget/gtk] Exit fullscreen when changing sizemode;

Beta/Release Uplift Approval Request

  • User impact if declined: Fullscreen notification could be hidden if a page tries to resize the window during the fullscreen transition.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  1. Visit test attached in https://bugzilla.mozilla.org/show_bug.cgi?id=1740389#c4
  2. Click "Launch" button
  3. Tap anywhere on the popup page
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The risk should be low; the changes are straightforward and only take effect when the sizemode changes during fullscreen.
    There is some refactoring on the Windows platform, but the changes are unlikely to cause regressions.
  • String changes made/needed: None

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is a sec-high bug.
  • User impact if declined: Fullscreen notification could be hidden if a page tries to resize the window during the fullscreen transition.
  • Fix Landed on Version: 97
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The risk should be low; the changes are straightforward and only take effect when the sizemode changes during fullscreen.
    There is some refactoring on the Windows platform, but the changes are unlikely to cause regressions.
Flags: needinfo?(echen)
Attachment #9255216 - Flags: approval-mozilla-esr91?
Attachment #9255216 - Flags: approval-mozilla-beta?
Attachment #9255217 - Flags: approval-mozilla-beta?
Attachment #9258481 - Flags: approval-mozilla-beta?

Comment on attachment 9255217 [details]
Bug 1742421 - Part 2: [widget/cocoa] Exit fullscreen when changing sizemode;

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is a sec-high bug.
  • User impact if declined: Fullscreen notification could be hidden if a page tries to resize the window during the fullscreen transition.
  • Fix Landed on Version: 97
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The risk should be low; the changes are straightforward and only take effect when the sizemode changes during fullscreen. There is some refactoring on the Windows platform, but the changes are unlikely to cause regressions.
Attachment #9255217 - Flags: approval-mozilla-esr91?
Attachment #9258481 - Flags: approval-mozilla-esr91?
Regressions: 1751351
Regressions: 1751360

Per Slack discussion with Chris and Tom, this needs to bake another cycle before we uplift.

Attachment #9255216 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Attachment #9255217 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Attachment #9258481 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey] → [reporter-external] [client-bounty-form] [verif?][sec-survey][post-critsmash-triage]
QA Whiteboard: [qa-triaged]

(In reply to Edgar Chen [:edgar] (away ~ 02/25) from comment #15)

  1. Click "Launch" button
  2. Tap anywhere on the popup page

I reproduced the issue using an old Nightly build from 2021-11-22 and verified using the latest Nightly across platforms (Windows 10, macOS 11.6 and Ubuntu 18.04) that the window enters full screen and exits right away.
One thing I noticed is that the pop-up window does not resize to its original size: it covers the whole screen, and on Windows it is wider than the screen. I noticed that in other browsers that particular window resizes to its original size. Is this something we should be concerned about?

Flags: needinfo?(echen)

Edgar is still away for a while.
Chris, you reviewed the patch on the Windows widget side.
Can you follow up on comment 18, please?

Flags: needinfo?(cmartin)

From my perspective, there isn't any exploit based on the behavior mentioned in Comment 18, which means that maybe we want to fix it, but it would be a lower-priority UX enhancement and not a sec bug.

But I don't think I'm qualified to really say that there aren't some security implications to it. Maybe I can rope Daniel Veditz in here and he might be able to say with some confidence whether or not this is a potential security issue?

Flags: needinfo?(cmartin) → needinfo?(dveditz)

That sure seems like a bug, but I also see that behavior in Firefox Release after I manually press ESC to leave fullscreen on this testcase. Doesn't seem to be a side-effect of this particular fix. We should file a spec-compliance/compatibility bug on it if there isn't one already, but I can't think of any benefit this would give an attacker. They could already resizeTo() themselves into this state without going through fullscreen.

Flags: needinfo?(dveditz)

Thanks, in that case I'll mark this as verified on 98.

Flags: needinfo?(echen)

Comment on attachment 9255216 [details]
Bug 1742421 - Part 1: [widget/gtk] Exit fullscreen when changing sizemode;

Approved for 91.7esr.

Attachment #9255216 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
Attachment #9255217 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
Attachment #9258481 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+

Also verified fixed on esr91 across platforms (Windows 10, Ubuntu 18.04 and macOS 11.6) using build https://treeherder.mozilla.org/jobs?repo=mozilla-esr91&revision=6214d2494910e47c3836379b9538f1b8cffc09ca from treeherder.

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][sec-survey][post-critsmash-triage][adv-main98+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey][post-critsmash-triage][adv-main98+] → [reporter-external] [client-bounty-form] [verif?][sec-survey][post-critsmash-triage][adv-main98+][adv-esr91.7+]
Alias: CVE-2022-26383
Group: core-security-release