1750221 - Blocked about pages in policy can be bypassed by modifying the URL with mixed case

Status: VERIFIED FIXED

(Firefox :: Enterprise Policies, defect, P1)

Description

[Mike Kaply [:mkaply]]

If you block about:config via policy, then go to the URL and explicitly change the c in config to C, you can view about:config.

This bypasses the autocomplete which forces it to about:config.

Comment 1

[Mike Kaply [:mkaply]]

I'm going to make sure about:reader does the right thing as well even though doing about:READER?url=https://www.yahoo.com doesn't work - see bug 1750220

Comment 2

[Mike Kaply [:mkaply]]

Attachment: Bug 1750221 - Block mixed case about URLs in policy. r?mstriemer,mtigley

Comment 3

[Pascal Chevrel:pascalc]

Is that a regression? Does it affect ESR?

Comment 4

[Mike Kaply [:mkaply]]

Is that a regression?

Yes, but it happened a long time ago (Firefox 84)

Does it affect ESR?

Yes.

Comment 5

[Pulsebot]

Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/bca9eb24bb0f
Block mixed case about URLs in policy. r=Gijs

Comment 6

[Cristina Cozmuta (:CrissCozmuta)]

https://hg.mozilla.org/mozilla-central/rev/bca9eb24bb0f

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1559181

Comment 8

[Mike Kaply [:mkaply]]

Comment on attachment 9259123 [details]
Bug 1750221 - Block mixed case about URLs in policy. r?mstriemer,mtigley

ESR Uplift Approval Request

• If this is not a sec:{high,crit} bug, please state case for ESR consideration: Policy only
• User impact if declined: User can bypass blocked about pages
• Fix Landed on Version: 98
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Policy, lots of automated tests

Beta/Release Uplift Approval Request

• User impact if declined: User can bypass blocked about pages
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: No
• Needs manual test from QE?: Yes
• If yes, steps to reproduce: Steps in bug
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Policy only, lots of automated tests
• String changes made/needed:

Comment 9

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9259123 [details]
Bug 1750221 - Block mixed case about URLs in policy. r?mstriemer,mtigley

Approved for 97.0b6.

Comment 10

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/1ec75d992971

Comment 11

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9259123 [details]
Bug 1750221 - Block mixed case about URLs in policy. r?mstriemer,mtigley

Approved for 91.6esr.

Comment 12

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr91/rev/df513e267297

Comment 13

[Emil Ghitta, QA [:emilghitta]]

This is verified fixed using Firefox 98.0a1 (BuildID:20220127213627), 97.0b9 (BuildId:20220127193706) and Firefox 91.6.0esr (provided in comment 12) on Windows 10 64bit, macOS 11 & Ubuntu 18.04.

Verified that about pages like about:addons, about:config and about:profiles can no longer be bypassed via mixed cases on Windows 10 64bit (using both policies.json & GPO), Ubuntu 18.04 (via json) & macOS 11 (via json).