Closed Bug 1809122 (CVE-2023-28164) Opened 2 years ago Closed 2 years ago

Drag-and-drop of a URL from inside a cross-origin iframe should not be allowed to drop in the same tab if the iframe get removed during dragging (cross-origin attacks and spoofs)

Categories

(Core :: DOM: Copy & Paste and Drag & Drop, defect)

Product:
Core
Component:
DOM: Copy & Paste and Drag & Drop
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
112 Branch
Tracking Flags:
Tracking Status
firefox-esr102 111+ verified
firefox110 --- wontfix
firefox111 + verified
firefox112 + verified

People

(Reporter: edgar, Assigned: edgar)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main111+][adv-esr102.9+])

Attachments

(4 files, 1 obsolete file)

index.html
866 bytes, text/html
Details
Bug 1809122 - Track top-level window context in DragSession; r?smaug
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
dmeehan
: approval-mozilla-esr102+
Details | Review
[ESR102] Bug 1809122 - Track top-level window context in DragSession; r=smaug
15.79 KB, patch
Details | Diff | Splinter Review
advisory.txt
248 bytes, text/plain
Details

+++ This bug was initially created as a clone of Bug #1794268 +++

The patch in bug #1794268 does fix the issue of dragging a link from cross-origin iframe and dropping it outside of the iframe, but if the iframe get removed during dragging, we still trigger a navigation.

Assignee: nobody → echen
Severity: S3 → S2
Group: core-security-release → dom-core-security

Hmm, I could reproduce the issue (i.e. page navigates) on Mac, but not Linux. I guess that is why I did not aware this in bug 1794268.
Hi Virgil, do you remember which platform did you use to verify in bug 1794268 comment #18? If you were not using the Linux, would you mind trying Linux? Thanks!

Flags: needinfo?(vsangerean)

The used platform from which the videos were made was on a Ubuntu 20.4. Do you need any more information about it?

Flags: needinfo?(vsangerean) → needinfo?(echen)

On Linux, I found it is easier to reproduce on release bug, but not every time. Mostly happens when first time load the test page, if I reload the test page, I can not reproduce it. And I could not reproduce on debug build. It seems like it depends on timing, to reproduce the issue, it requires the source windowContext being discarded before IPC exchanges for DnD.

Flags: needinfo?(echen)
Attachment #9316425 - Attachment description: WIP: Bug 1809122; → Bug 1809122 - Track top-level window context in DragSession; r?smaug

Track top-level window context in DragSession; r=smaug
https://hg.mozilla.org/integration/autoland/rev/28f3bd70dc506b2cdbf847b981b76431fff00ad3
https://hg.mozilla.org/mozilla-central/rev/28f3bd70dc50

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox112: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch

The patch landed in nightly and beta is affected.
:edgar, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox111 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(echen)

Hi Virgil, mind verifying when you get a chance as I am not able to reproduce the issue on Linux in my environment? Thanks!

Flags: needinfo?(echen) → needinfo?(vsangerean)

(In reply to Release mgmt bot [:suhaib / :marco/ :calixte] from comment #7)

:edgar, is this bug important enough to require an uplift?

Yeah, probably worth uplifting, but I would like to verify it on nightly first.

:edgar could you submit a beta uplift approval request when ready?
Next week is the final beta week for Fx111

Flags: needinfo?(echen)

Comment on attachment 9316425 [details]
Bug 1809122 - Track top-level window context in DragSession; r?smaug

Beta/Release Uplift Approval Request

  • User impact if declined: Allowing drags link from across origins within the same top-level window makes it easy to fool users that that's what they're doing.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Load the test page and try to scroll the page down by dragging the scroll bar and then drop it.
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Low risk as the changes are straightforward.
  • String changes made/needed: None
  • Is Android affected?: Yes
Flags: needinfo?(echen)
Attachment #9316425 - Flags: approval-mozilla-beta?
Flags: qe-verify+
QA Whiteboard: [qa-triaged]

Comment on attachment 9316425 [details]
Bug 1809122 - Track top-level window context in DragSession; r?smaug

Approved for 111.0b6

Attachment #9316425 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Reproduced with 110.b8 Firefox while using the initial index.html file from bug 1794268.

Issue is verified fixed in 111.0b6 Firefox and the latest 112.a1 version of Firefox Nightly.

Status: RESOLVED → VERIFIED
status-firefox111: fixedverified
Flags: needinfo?(vsangerean)

:edgar could you add an esr uplift request when ready?
There are conflicts with esr102, so it will need a rebased patch

Flags: needinfo?(echen)

Comment on attachment 9316425 [details]
Bug 1809122 - Track top-level window context in DragSession; r?smaug

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Allowing drags link from across origins within the same top-level window makes it easy to fool users that that's what they're doing.
  • User impact if declined: Allowing drags link from across origins within the same top-level window makes it easy to fool users that that's what they're doing.
  • Fix Landed on Version: 112
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Low risk as the changes are straightforward.
Flags: needinfo?(echen)
Attachment #9316425 - Flags: approval-mozilla-esr102?

:edgar this patch has conflicts with esr102, could you attach a patch that grafts cleanly to esr102?

Flags: needinfo?(echen)

This patch should work.

Flags: needinfo?(echen)
Attachment #9316425 - Flags: approval-mozilla-esr102?

Comment on attachment 9320101 [details]
[ESR102] Bug 1809122 - Track top-level window context in DragSession; r=smaug

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Allowing drags link from across origins within the same top-level window makes it easy to fool users that that's what they're doing.
  • User impact if declined: Allowing drags link from across origins within the same top-level window makes it easy to fool users that that's what they're doing.
  • Fix Landed on Version: 112
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Low risk as the changes are straightforward.
Attachment #9320101 - Flags: approval-mozilla-esr102?
Attachment #9316425 - Flags: approval-mozilla-esr102?

Sorry, wrong patch.

Attachment #9320101 - Attachment is obsolete: true
Attachment #9320101 - Flags: approval-mozilla-esr102?

Comment on attachment 9316425 [details]
Bug 1809122 - Track top-level window context in DragSession; r?smaug

Approved for 102.9esr.

Attachment #9316425 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+

Issue was reproduced on 102.8esr.

Issue is no longer reproducible on 102.9esr.

status-firefox-esr102: fixedverified
Flags: qe-verify+
QA Whiteboard: [qa-triaged]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main111+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main111+] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main111+][adv-esr102.9+]
Attached file advisory.txt
Alias: CVE-2023-28164
Group: core-security-release
Regressions: 1881257
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: