Closed Bug 182176 Opened 21 years ago Closed 15 years ago

".." exploit in chrome registry using '%' escaping


(Core Graveyard :: RDF, defect)
(Reporter: harald.albrecht, Assigned: dveditz)
(1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021120
Build Identifier: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021120

The chrome registry in mozilla/rdf/chrome/src/nsChromeRegistry.cpp offers a
function called "splitURL()", which is responsible for splitting a "chrome:" URL
into its package, provider and file parts. To avoid exploits, splitURL() checks
for "..", which could be used to gain access to files outside the chrome
directory. Currently, the code checks only for ".." and "%2E%2E". However, this
does not catch combinations of the two, that is ".%2E" and "%2E.", which are
semantically equivalent, only with a different representation form.

Reproducible: Always

Steps to Reproduce:
1. Read the source code of mozilla/rdf/chrome/src/nsChromeRegistry.cpp, lines
457 and following.
-> security group for the moment

Normal pages can't load chrome, though - is there an exploit here, or is this
just an additional security check?

(Does resource have the same issue?)
Group: security
This belongs in RDF.
Assignee: asa → rjc
Component: Browser-General → RDF
QA Contact: asa → tever
This is not much of a security hole since chrome can read any file anyways and
non-trusted content can't use chrome URLs. It's worth fixing in case some future
exploit allows untrusted content to use chrome urls, but I'm removing the
security flag because there's no exploit here.

I'm dubious RDF is the right component, but I'm sure rjc isn't the right guy.
Hyatt can grab this if he wants.
Assignee: rjc → dveditz
Group: security
Ever confirmed: true
Attached patch Catch half-escaped forms (obsolete) — Splinter Review
Attachment #107635 - Flags: superreview?(hyatt)
Attachment #107635 - Flags: review?(jaggernaut)
Comment on attachment 107635 [details] [diff] [review]
Catch half-escaped forms

What about the escaped form of '/'?
Yes, imho escaped slashes also need to be dealt with. And if UNICODE should be
supported one day, the dance starts over again.
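To illustrate the gap described in the report and the escaped-slash concern raised above, here is an added example (my own code, not the splitURL() code from nsChromeRegistry.cpp): naiveDotDotCheck() reconstructs the literal ".."/"%2E%2E" test the report describes, while isUnsafeChromePart() percent-decodes a part first and then rejects "..", decoded separators, and malformed escapes. Function names are assumptions.

```cpp
#include <cctype>
#include <string>

// The check as the report describes it: literal ".." or literal "%2E%2E"
// only, so mixed forms such as ".%2E" and "%2E." slip through.
bool naiveDotDotCheck(const std::string& part) {
    return part.find("..") != std::string::npos ||
           part.find("%2E%2E") != std::string::npos;
}

// Decode %XX escapes once (hex digits in either case). Returns false on a
// truncated or malformed escape so the caller rejects instead of guessing.
static bool percentDecode(const std::string& in, std::string& out) {
    out.clear();
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size() ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 1])) ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            return false;
        }
        out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
        i += 2;
    }
    return true;
}

// Hardened form: canonicalize first, then test. A chrome URL part (package,
// provider or file) is unsafe if, after decoding, it contains ".." or a path
// separator that a split on the undecoded string would not have seen.
bool isUnsafeChromePart(const std::string& part) {
    std::string decoded;
    if (!percentDecode(part, decoded)) return true;
    return decoded.find("..") != std::string::npos ||
           decoded.find('/') != std::string::npos ||
           decoded.find('\\') != std::string::npos;
}
```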
tever is not RDF QA anymore
QA Contact: tever → nobody
Attachment #107635 - Attachment is obsolete: true
Attachment #107635 - Flags: superreview?(hyatt)
Attachment #107635 - Flags: review?(jag)
Closed: 15 years ago
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard