Closed Bug 1746720 (CVE-2021-4140) Opened 1 year ago Closed 1 year ago

Meta refresh via XSLT stylesheet bypasses <iframe sandbox> attribute restrictions

Categories

(Core :: XSLT, defect)

defect

Tracking

()

RESOLVED FIXED
97 Branch
Tracking Status
firefox-esr91 96+ fixed
firefox95 --- wontfix
firefox96 + fixed
firefox97 + fixed

People

(Reporter: peterv, Assigned: peterv)

References

Details

(Keywords: sec-high, Whiteboard: [sec-survey][adv-main96+][adv-ESR91.5+][post-critsmash-triage])

Attachments

(5 files, 1 obsolete file)

No description provided.

Calling this sec-high, because we called bug 1729517 a sec-high.

Keywords: sec-high

Btw, good catch peter. Thanks!

Comment on attachment 9256030 [details]
Bug 1746720 - Don't special-case <meta> refresh for XSLT. r?ckerschb!

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: I don't think it's very obvious, since I'm just removing some code. It is obvious that it has to do with XSLT and meta refresh, but nothing points to a problem with sandboxing.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Patch should just apply.
  • How likely is this patch to cause regressions; how much testing does it need?: Pretty sure it won't cause regressions, we just make meta refresh with XSLT have the same behaviour as for non-XSLT loads.
Attachment #9256030 - Flags: sec-approval?
Attachment #9256031 - Flags: sec-approval?

Comment on attachment 9256030 [details]
Bug 1746720 - Don't special-case <meta> refresh for XSLT. r?ckerschb!

approved to land and request uplift

Attachment #9256030 - Flags: sec-approval? → sec-approval+

Comment on attachment 9256031 [details]
Bug 1746720 - Don't special-case <meta> refresh for XSLT - test. r?ckerschb!

We can land this after Jan 24

Attachment #9256031 - Flags: sec-approval?
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch

This needs rebased patches for both Beta and ESR91. Please attach those and request approval ASAP as we're down to our final of the beta of the cycle.

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(peterv)
Whiteboard: [sec-survey]

Approval Request Comment
[Feature/Bug causing the regression]: XSLT
[User impact if declined]: security bug, allows to circumvent a iframe sandbox restriction
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: just removes some code for XSLT, falling back to more secure code that was already used for the non-XSLT case.
[String changes made/needed]: none

Flags: needinfo?(peterv)
Attachment #9256694 - Flags: approval-mozilla-beta?

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: allows to circumvent a iframe sandbox restriction
Fix Landed on Version: 97
Risk to taking this patch (and alternatives if risky): low risk, just removes some code for XSLT, falling back to more secure code that was already used for the non-XSLT case.

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Attachment #9256696 - Flags: approval-mozilla-esr91?

Approval Request Comment
[Feature/Bug causing the regression]: XSLT
[User impact if declined]: security bug, allows to circumvent a iframe sandbox restriction
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: just removes some code for XSLT, falling back to more secure code that was already used for the non-XSLT case.
[String changes made/needed]: none

Attachment #9256694 - Attachment is obsolete: true
Attachment #9256694 - Flags: approval-mozilla-beta?
Attachment #9257170 - Flags: approval-mozilla-beta?

Comment on attachment 9257170 [details] [diff] [review]
beta - Bug 1746720 - Don't special-case <meta> refresh for XSLT. r=ckerschb,freddyb

Approved for 96.0rc1

Attachment #9257170 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9256696 [details] [diff] [review]
esr91 - - Bug 1746720 - Don't special-case <meta> refresh for XSLT. r=ckerschb,freddyb

Approved for 91.5esr.

Attachment #9256696 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
Whiteboard: [sec-survey] → [sec-survey][adv-main96+][adv-ESR91.5+]
Attached file advisory.txt
Alias: CVE-2021-4140
Flags: qe-verify-
Whiteboard: [sec-survey][adv-main96+][adv-ESR91.5+] → [sec-survey][adv-main96+][adv-ESR91.5+][post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.