firefox crash on bad ssl https link in "HTTPS only" mode
Categories
(Core :: DOM: Security, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox113 | --- | verified |
| firefox114 | --- | verified |
| firefox115 | --- | verified |
People
(Reporter: matan.honig2, Assigned: valentin)
References
Details
(Keywords: crash, csectype-dos, topcrash, Whiteboard: [domsecurity-active])
Crash Data
Attachments
(4 files)
|
144.86 KB,
image/png
|
Details | |
|
153.87 KB,
image/png
|
Details | |
|
132.69 KB,
image/png
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
RyanVM
:
approval-mozilla-release+
|
Details | Review |
Network console if HOM enabled
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Firefox for Android
Steps to reproduce:
- enable https-only globally. (or enable it only on private and open private tab)
- click on this link http://kb.mozillazine.org/about:config while in https-only mode
3.click Continue to HTTP Site
I also create github repository to test this bug - https://github.com/matan-h/firefox_bug
This also happened in the Android version
Actual results:
firefox crashed
Expected results:
firefox should go to the http (after click Continue ) site as it wold if you enter the link manually to the address bar
|
||
Comment 1•2 years ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
||
Comment 2•2 years ago
|
||
The crash is an IPC error (exception) and takes down the parent process which is VERY annoying.
bp-aca848f2-3564-4d5b-a8d5-830e70221011
|
||
Comment 3•2 years ago
|
||
Reminds me of bug 1746844.
|
|
||
Comment 4•2 years ago
|
||
Tomer, this looks fun. Can you take a look? I'll be happy to help you narrow down the root cause.
|
|
||
Updated•2 years ago
|
|
|
||
Comment 5•2 years ago
|
||
I believe this takes us to https://searchfox.org/mozilla-central/rev/e94c6cb9649bfe4e6a3888460f41bcd4fe30a6ca/dom/ipc/WindowGlobalParent.cpp#1276 and I guess adding some ifs/printfs will help narrow this down.
|
||
Comment 6•2 years ago
|
||
|
|
||
Comment 7•2 years ago
|
||
|
|
||
Comment 8•2 years ago
|
||
|
|
||
Comment 9•2 years ago
|
||
My guess is that the website is redirecting not as expected. Instead of redirecting static to a URL it's using the scheme of the requested site.
For HTTP STR:
- Disable https-only mode.
- Visit http://kb.mozillazine.org/about:config
- Website redirects us to http://kb.mozillazine.org/About:config.
Result is as expected.
For HTTPS STR:
- Disable https-only mode.
- Visit https://kb.mozillazine.org/about:config
- Website tries to redirect us to https://kb.mozillazine.org:80/About:config
- Which leads to an error page (since the scheme is
https://but the port is80).
For illustration I attached screenshots of the network console for https-only mode enabled, HOM disabled requesting http page and HOM disabled requesting https page
|
|
||
Comment 10•2 years ago
•
|
||
So clicking on "continue to http" is not working since HOM never upgraded the navigation.
Tricky to solve. But seems to me like an edge case where it might be worth to change the websites behavior instead of https-only mode.
We could also thinking about changing the behavior of displaying error pages in HOM...
|
|
||
Comment 11•2 years ago
|
||
That's not what I had in mind. The description at the very top of this bug is a bit different and leads to a crash in the parent process that we need to address. I agree that the web page is not redirecting properly, but we still shouldn't take the whole browser down.
|
|
||
Comment 12•2 years ago
|
||
The severity field is not set for this bug.
:freddy, could you have a look please?
For more information, please visit auto_nag documentation.
|
|
||
Comment 14•2 years ago
|
||
This is a similar issue to bug 1793521, but not the same.
Bug 1793521 crashed because the URL would changed when parsed again, leading to different principals. I assume we have a similar situation here, where the principal URL changes between http and https and doesn't match, leading to error being returned here and deserialization to fail.
|
|
||
Comment 15•2 years ago
|
||
I can easily reproduce this and catch the parent crash in gdb and rr. However, I have a hard time finding (and breaking) at the right kind of call from the child process which is where it will likely need to be fixed. Mhh.
|
||
Comment 16•2 years ago
|
||
pernosco link of this in a debug build: https://pernos.co/debug/39xkyeILZpWbVV7npfF9Jg/index.html
|
||
Updated•2 years ago
|
|
Assignee | |
Comment 17•2 years ago
|
||
When working on bug 1793521 which had a similar crash, I applied the following patch and moved the crash to the parent process.
We might consider making it permanent, since delaying this crash doesn't help that much.
diff --git a/ipc/glue/BackgroundUtils.cpp b/ipc/glue/BackgroundUtils.cpp
--- a/ipc/glue/BackgroundUtils.cpp
+++ b/ipc/glue/BackgroundUtils.cpp
@@ -309,6 +309,16 @@ nsresult PrincipalToPrincipalInfo(nsIPri
return rv;
}
+ nsCOMPtr<nsIURI> uri;
+ rv = NS_NewURI(getter_AddRefs(uri), spec);
+ nsAutoCString checkOriginNoSuffix;
+ rv =
+ ContentPrincipal::GenerateOriginNoSuffixFromURI(uri, checkOriginNoSuffix);
+ // Better to fail early.
+ if (originNoSuffix != checkOriginNoSuffix) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
nsCOMPtr<nsIURI> domainUri;
rv = aPrincipal->GetDomain(getter_AddRefs(domainUri));
if (NS_WARN_IF(NS_FAILED(rv))) {
|
|
||
Comment 19•2 years ago
|
||
Copying crash signatures from duplicate bugs.
|
|
||
Comment 20•2 years ago
|
||
TIL: The fact that the parent is crashing on erroneous serialization is going to be solved within our IPC code.
https://bugzilla.mozilla.org/show_bug.cgi?id=1614764
https://bugzilla.mozilla.org/show_bug.cgi?id=1794828
This bug will only fix the client accidentally sending the wrong message.
|
|
||
Comment 21•2 years ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 content process crashes on release
:lyavor, could you consider increasing the severity of this top-crash bug?
For more information, please visit auto_nag documentation.
|
||
Comment 22•2 years ago
|
||
The page seems to have changed. The following link should reproduce it: (CRASH!) http://httpbun.org/redirect-to?url=https://httpbun.org:80 (CRASH!)
|
|
||
Comment 23•2 years ago
|
||
In the method WindowGlobalParent::RecvReloadWithHttpsOnlyException we change the https URI to http. However we just keep whatever port was specified for the https URL. In this specific case it happens to be default http port :80. Adding SetPort(-1) fixes the crash.
However I think there might still be some kind of roundtrip issue, where sometimes we strip the default port :80 for URIs when creating the origin and sometimes we don't?
|
|
||
Updated•2 years ago
|
|
|
||
Comment 24•2 years ago
|
||
So the actual crash is caused by the code in PrincipalInfoToPrincipal. were we create a new principal by parsing the URI spec. That operation doesn't roundtrip for the port 80, so parsing "http://example.org:80" will result in the origin "http://example.org". We also don't use the originNoSuffix for creating content principal with BasePrincipal::CreateContentPrincipal, but instead just use it for checking that we computed an equal origin.
I am not sure if we want to do a more general fix for this or just add the SetPort(-1) call. I think we might have similar issues in other https-only mode code. So changing the way the URI mutator works might have some credence. For reference URL::SetProtocol reparses the whole URL to prevent similar issues.
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 25•2 years ago
|
||
Ah, that's frustrating.
Given that we only have this issue for http&https, I wrote a quick fix for it nsStandardURL::SetScheme
https://phabricator.services.mozilla.com/D177048
Assuming this doesn't break anything else, it should be be good enough for now.
I agree with you that nsIMutator.setScheme should probably reparse the URL according to the new scheme's rules. But considering that the scheme change is pretty much only done for HTTPS only mode, and that reparsing for every scheme change would have a small perf impact, let's go with this targetted fix for now, and we can reconsider that in the future.
|
|
Assignee | |
Comment 26•2 years ago
|
||
|
|
||
Updated•2 years ago
|
|
|
||
Comment 27•2 years ago
|
||
Thank you Valentin for providing this patch.
|
||
Comment 28•2 years ago
|
||
|
||
Comment 29•2 years ago
|
||
| bugherder | ||
|
||
Updated•2 years ago
|
|
|
||
Comment 30•2 years ago
|
||
The patch landed in nightly and beta is affected.
:valentin, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox114towontfix.
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 31•2 years ago
|
||
Comment on attachment 9331393 [details]
Bug 1793597 - Also update the default port when changing the scheme of a URL r=#necko,tschuster
Beta/Release Uplift Approval Request
- User impact if declined: Crash with HTTPS only mode caused by mismatched principals because URL has wrong default port.
This can happen when upgrading URLs such as http://example.com:443 (note http and 443) - Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Fixes rather obvious obvious issue with changing the scheme of the URL.
The fix is limited to nsStandardURL changing the scheme to http/https/ws/wss when the current port equals the default port for that scheme. - String changes made/needed:
- Is Android affected?: Yes
|
||
Comment 32•2 years ago
|
||
Comment on attachment 9331393 [details]
Bug 1793597 - Also update the default port when changing the scheme of a URL r=#necko,tschuster
Approved for 114 beta 3, thanks.
|
|
||
Comment 33•2 years ago
|
||
| bugherder uplift | ||
|
|
||
Comment 34•2 years ago
|
||
Did you want to nominate this for Release approval for next week's dot release, Valentin?
|
|
Assignee | |
Comment 35•2 years ago
|
||
Comment on attachment 9331393 [details]
Bug 1793597 - Also update the default port when changing the scheme of a URL r=#necko,tschuster
(In reply to Valentin Gosu [:valentin] (he/him) from comment #31)
Comment on attachment 9331393 [details]
Bug 1793597 - Also update the default port when changing the scheme of a URL r=#necko,tschusterBeta/Release Uplift Approval Request
- User impact if declined: Crash with HTTPS only mode caused by mismatched principals because URL has wrong default port.
This can happen when upgrading URLs such as http://example.com:443 (note http and 443)- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Fixes rather obvious obvious issue with changing the scheme of the URL.
The fix is limited to nsStandardURL changing the scheme to http/https/ws/wss when the current port equals the default port for that scheme.- String changes made/needed:
- Is Android affected?: Yes
|
|
||
Comment 36•2 years ago
|
||
Comment on attachment 9331393 [details]
Bug 1793597 - Also update the default port when changing the scheme of a URL r=#necko,tschuster
Approved for 113.0.2.
|
|
||
Comment 37•2 years ago
|
||
| bugherder uplift | ||
|
|
||
Comment 38•2 years ago
|
||
Valentin, can you confirm that the remaining crashes showing up under this signature are unrelated?
|
|
Assignee | |
Comment 39•2 years ago
|
||
Yes, as far as I can tell, the remaining crashes have different failure reasons.
|
||
Updated•2 years ago
|
|
||
Comment 40•2 years ago
|
||
Hi @Valentin, is there a different test page we could use ? it seems that http://kb.mozillazine.org/about:config no longer redirects the user to the :80 page, I cannot reproduce this issue in older builds with the Test page from the description.
|
|
Assignee | |
Comment 41•2 years ago
|
||
Hi,
I don't know if there is such a page on the internet.
Here's a test server I made. I can run the server on linux. Hope it works for you.
# add `127.0.0.1 bla.test` to /etc/hosts
git clone https://github.com/valenting/bug1793597-repro.git
cd bug1793597-repro
sudo node index.js
load https://bla.test:443, accept certificate
# click on lock doorhanger and choose HTTPS-only mode ON
load https://bla.test:443/testytest # with old builds you should get a crash
|
|
||
Comment 42•2 years ago
|
||
I tried to reproduce this issue using the steps from comment 41, I started the server and accepted the certificate, but after I enable HTTPS only mode and reach https://bla.test:443/testytest I'm just getting the "aaaa" from the json file. No crashes occur, I get the same results in older builds as well as our latest.
Maybe @Valentin or the reporter can test this on their end and let us know if the crash still occurs in our latest builds ?
|
|
||
Comment 43•2 years ago
|
||
I think Tom reproduced this with http://httpbun.org/redirect-to?url=https://httpbun.org:80 (before it was fixed). Maybe that's easier than modifying the hosts file?
|
|
||
Comment 44•2 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #38)
Valentin, can you confirm that the remaining crashes showing up under this signature are unrelated?
These might be in https://bugzilla.mozilla.org/show_bug.cgi?id=1614764 and https://bugzilla.mozilla.org/show_bug.cgi?id=1794828 (which is really the better fix than this one). The parent process really shouldn't die when receiving bad messages from the child.
|
|
||
Comment 45•2 years ago
|
||
Thanks a lot for this link : http://httpbun.org/redirect-to?url=https://httpbun.org:80 @Frederik. I was able to reproduce the issue in older builds and Verify the Fix in our latest Release 113.0.2 , Beta 114.0b7 and our latest Nightly build 115.0a1 (2023-05-23).
Description
•