Closed Bug 1771774 (CVE-2022-36318) Opened 2 years ago Closed 2 years ago

Directory indices plaintext serialization (nsDirectoryIndexStream) shouldn't just echo all URL input

Categories

(Core :: Networking, defect, P2)

Product:
Core
Component:
Networking
Platform:
Desktop
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
104 Branch
Tracking Flags:
Tracking Status
firefox-esr91 103+ verified
firefox-esr102 103+ verified
firefox102 --- wontfix
firefox103 + verified
firefox104 + verified

People

(Reporter: Gijs, Assigned: Gijs)

Details

(Keywords: sec-moderate, Whiteboard: [necko-priority-review][necko-triaged][adv-main103+][adv-esr91.12+][adv-esr102.1+])

Attachments

(2 files)

Bug 1771774, r?kershaw
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
dmeehan
: approval-mozilla-esr102+
dmeehan
: approval-mozilla-esr91+
Details | Review
advisory.txt
190 bytes, text/plain
Details

Like bug 1488061 but for the plaintext serialization code in nsDirectoryIndexStream.cpp. Quoting myself from elsewhere:

As noted in my last comments in bug 1460538, the change in bug 1488061 then also didn't work because it changes the HTML output but not the indexed stream - to fix things that way we need to change https://searchfox.org/mozilla-central/rev/8f42809e51cb07aa4f5739932a06d14581e9dd4a/netwerk/base/nsDirectoryIndexStream.cpp#100,102-103 to strip query params for file and/or jar and/or chrome (or rather, only include it for... well, for what, exactly?)

Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-priority-queue][necko-triaged]
Attached file Bug 1771774, r?kershaw
Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Whiteboard: [necko-priority-queue][necko-triaged] → [necko-priority-review][necko-triaged]

r=kershaw
https://hg.mozilla.org/integration/autoland/rev/c86aadc5909ca5fbf081cd53ca7f5c3ddeb29568
https://hg.mozilla.org/mozilla-central/rev/c86aadc5909c

Group: network-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox104: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch

The patch landed in nightly and beta is affected.
:Gijs, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox103 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(gijskruitbosch+bugs)

Comment on attachment 9283180 [details]
Bug 1771774, r?kershaw

Beta/Release Uplift Approval Request

  • User impact if declined: Potential for further security impact
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: 1. open chrome://browser/content/places/?foo
  1. hit view source (ctrl/cmd-u)
  2. check the first line. It should not include the "?foo" part

(Note: unsure if you can easily test this on android as you can't 'view source'... you can try sticking view-source: in front of the URL in the address bar to accomplish that part but if that doesn't work I would just not bother verifying on android - this code is x-platform so verifying on desktop should be sufficient.)

  • List of other uplifts needed: n/a
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Pretty small changes to non-critical bits of code
  • String changes made/needed: N/A
  • Is Android affected?: Yes
Flags: needinfo?(gijskruitbosch+bugs)
Attachment #9283180 - Flags: approval-mozilla-beta?
Flags: qe-verify+

Comment on attachment 9283180 [details]
Bug 1771774, r?kershaw

Approved for 103.0b8, thanks.

Attachment #9283180 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

This grafts cleanly to ESR102/ESR91. Did you want to nominate for uplift to those as well?

status-firefox102: --- → wontfix
status-firefox-esr102: --- → affected
status-firefox-esr91: --- → affected
tracking-firefox103: --- → +
tracking-firefox104: --- → +
tracking-firefox-esr102: --- → 103+
tracking-firefox-esr91: --- → 103+
Flags: needinfo?(gijskruitbosch+bugs)
QA Whiteboard: [qa-triaged]

(In reply to Ryan VanderMeulen [:RyanVM] from comment #7)

This grafts cleanly to ESR102/ESR91. Did you want to nominate for uplift to those as well?

Suuuuureeee..

Flags: needinfo?(gijskruitbosch+bugs)

Comment on attachment 9283180 [details]
Bug 1771774, r?kershaw

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-moderate / vector
  • User impact if declined: Potential for injection attacks in various places
  • Fix Landed on Version: 104
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Pretty small changes to non-critical bits of code
Attachment #9283180 - Flags: approval-mozilla-esr91?
Attachment #9283180 - Flags: approval-mozilla-esr102?

I have reproduced the original issue in Nightly from 2022-06-15 ("?foo" appears in the first row of the page source page) and confirmed the fix in Nightly 104.0a1 from 2022-07-13 and Beta v103.0b8 on Windows 10, Ubuntu 22 (wayland and xwayland) and Mac OS 11 (the "?foo" is no longer displayed in the page source).

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
status-firefox103: fixedverified
status-firefox104: fixedverified
Flags: qe-verify+

Comment on attachment 9283180 [details]
Bug 1771774, r?kershaw

Approved for ESR91.12 and ESR102.1, thanks.

Attachment #9283180 - Flags: approval-mozilla-esr91?
Attachment #9283180 - Flags: approval-mozilla-esr91+
Attachment #9283180 - Flags: approval-mozilla-esr102?
Attachment #9283180 - Flags: approval-mozilla-esr102+
Whiteboard: [necko-priority-review][necko-triaged] → [necko-priority-review][necko-triaged][adv-main103+]
Whiteboard: [necko-priority-review][necko-triaged][adv-main103+] → [necko-priority-review][necko-triaged][adv-main103+][adv-esr91.12+]

Fix also verified in ESR91 unreleased build v91.10.0esr with ID 20220714125707 and ESR102 unreleased build v102.1.0esr with ID 20220714135928 on Windows 10 and Ubuntu 22.

status-firefox-esr102: fixedverified
status-firefox-esr91: fixedverified
Attached file advisory.txt
Alias: CVE-2022-36318
Whiteboard: [necko-priority-review][necko-triaged][adv-main103+][adv-esr91.12+] → [necko-priority-review][necko-triaged][adv-main103+][adv-esr91.12+][adv-main102.1+]
Whiteboard: [necko-priority-review][necko-triaged][adv-main103+][adv-esr91.12+][adv-main102.1+] → [necko-priority-review][necko-triaged][adv-main103+][adv-esr91.12+][adv-esr102.1+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: