Closed Bug 182176 Opened 22 years ago Closed 15 years ago

".." exploit in chrome registry using '%' escaping

Categories

(Core Graveyard :: RDF, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 413250

People

(Reporter: harald.albrecht, Assigned: dveditz)

Details

Attachments

(1 obsolete file)

User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021120
Build Identifier: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021120

The chrome registry in mozilla/rdf/chrome/src/nsChromeRegistry.cpp offers a function called "splitURL()", which is responsible for splitting a "chrome:" URL into its package, provider and file parts. To avoid exploits, splitURL() checks for "..", which could be used to gain access to files outside the chrome directory. Currently, the code checks only for ".." and "%2E%2E". However, this does not catch combinations of the two, that is ".%2E" and "%2E.", which are semantically equivalent, only with a different representation form.

Reproducible: Always

Steps to Reproduce:
1. Read the source code of mozilla/rdf/chrome/src/nsChromeRegistry.cpp, lines 457 and following.
-> security group for the moment
Normal pages can't load chrome, though - is there an exploit here, or is this just an additional security check? (Does resource have the same issue?)
Group: security
This belongs in RDF.
Assignee: asa → rjc
Component: Browser-General → RDF
QA Contact: asa → tever
This is not much of a security hole since chrome can read any file anyways and non-trusted content can't use chrome URLs. It's worth fixing in case some future exploit allows untrusted content to use chrome urls, but I'm removing the security flag because there's no exploit here. I'm dubious RDF is the right component, but I'm sure rjc isn't the right guy. Hyatt can grab this if he wants.
Assignee: rjc → dveditz
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached patch Catch half-escaped forms (obsolete) — Splinter Review
Attachment #107635 - Flags: superreview?(hyatt)
Attachment #107635 - Flags: review?(jaggernaut)
Comment on attachment 107635 [details] [diff] [review] Catch half-escaped forms What about the escaped form of '/'?
Yes, imho escaped slashes also need to be dealt with. And if UNICODE should be supported one day, the dance starts over again.
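The half-escaped forms named in the report (".%2E", "%2E.") and the escaped slash raised in the two comments just above, shown side by side as an added example; this is not code from the bug, from the obsoleted patch, or from Mozilla's nsChromeRegistry.cpp. It assumes a simplified model: naiveHasDotDot mirrors the literal-only substring test the report describes, while robustHasTraversal percent-decodes to a fixed point (bounded, so nested escapes like "%252E" are also unwrapped) before splitting on '/' and '\' and rejecting any segment equal to "..". The function names and the sample URLs are constructed for the demonstration.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Constructed stand-in for the check the report describes: only the literal ".."
// and the fully escaped, upper-case "%2E%2E" are looked for as substrings.
bool naiveHasDotDot(const std::string& url) {
    return url.find("..") != std::string::npos ||
           url.find("%2E%2E") != std::string::npos;
}

// One pass of percent-decoding. "%XX" with two hex digits (either case) becomes
// the byte XX; malformed escapes ("%", "%2", "%ZZ") are copied through unchanged.
std::string percentDecodeOnce(const std::string& s) {
    std::string out;
    out.reserve(s.size());
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '%' && i + 2 < s.size() &&
            std::isxdigit(static_cast<unsigned char>(s[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(s[i + 2]))) {
            out += static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else {
            out += s[i];
        }
    }
    return out;
}

// Decode until nothing changes (bounded so nested escapes cannot loop forever),
// then split on both separators and reject any segment that is exactly "..".
// Decoding before splitting is what makes "%2F" behave like a real separator,
// which is the point raised about the escaped form of '/'.
bool robustHasTraversal(const std::string& url) {
    std::string decoded = url;
    for (int pass = 0; pass < 4; ++pass) {
        std::string next = percentDecodeOnce(decoded);
        if (next == decoded) break;
        decoded = next;
    }
    std::vector<std::string> segments;
    std::string current;
    for (char c : decoded) {
        if (c == '/' || c == '\\') {
            segments.push_back(current);
            current.clear();
        } else {
            current += c;
        }
    }
    segments.push_back(current);
    for (const std::string& seg : segments) {
        if (seg == "..") return true;
    }
    return false;
}

// Constructed sample URLs covering the forms discussed in the bug and its comments.
int main() {
    const char* samples[] = {
        "chrome://global/content/bindings.xml",
        "chrome://global/content/../../../etc/passwd",
        "chrome://global/content/%2E%2E/foo",
        "chrome://global/content/.%2E/foo",
        "chrome://global/content/%2E./foo",
        "chrome://global/content/%2e%2e/foo",
        "chrome://global/content/.%2E%2Ffoo",
        "chrome://global/content/%252E%252E/foo",
    };
    std::printf("%-45s naive robust\n", "url");
    for (const char* u : samples) {
        std::printf("%-45s %-5s %s\n", u, naiveHasDotDot(u) ? "yes" : "no",
                    robustHasTraversal(u) ? "yes" : "no");
    }
    return 0;
}
```

The table the program prints makes the gap visible: the substring test says "no" for ".%2E", "%2E.", the lower-case "%2e%2e" and the double-encoded "%252E%252E", while the decode-then-split check flags all of them. The same decode-first ordering is what lets "%2F" be treated as a separator rather than as ordinary segment text.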
tever is not RDF QA anymore
QA Contact: tever → nobody
Attachment #107635 - Attachment is obsolete: true
Attachment #107635 - Flags: superreview?(hyatt)
Attachment #107635 - Flags: review?(jag)
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard