Closed Bug 182176 Opened 19 years ago Closed 12 years ago
".." exploit in chrome registry using '%' escaping
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021120
Build Identifier: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021120

The chrome registry in mozilla/rdf/chrome/src/nsChromeRegistry.cpp offers a function called "splitURL()", which is responsible for splitting a "chrome:" URL into its package, provider and file parts. To avoid exploits, splitURL() checks for "..", which could be used to gain access to files outside the chrome directory. Currently, the code checks only for ".." and "%2E%2E". However, this does not catch combinations of the two, that is ".%2E" and "%2E.", which are semantically equivalent, only with a different representation form.

Reproducible: Always

Steps to Reproduce:
1. Read the source code of mozilla/rdf/chrome/src/nsChromeRegistry.cpp, lines 457 and following.
-> security group for the moment

Normal pages can't load chrome, though - is there an exploit here, or is this just an additional security check? (Does resource have the same issue?)
This belongs in RDF.
Assignee: asa → rjc
Component: Browser-General → RDF
QA Contact: asa → tever
This is not much of a security hole since chrome can read any file anyways and non-trusted content can't use chrome URLs. It's worth fixing in case some future exploit allows untrusted content to use chrome urls, but I'm removing the security flag because there's no exploit here. I'm dubious RDF is the right component, but I'm sure rjc isn't the right guy. Hyatt can grab this if he wants.
Assignee: rjc → dveditz
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment on attachment 107635 [details] [diff] [review]
Catch half-escaped forms

What about the escaped form of '/'?
Yes, imho escaped slashes also need to be dealt with. And if UNICODE should be supported one day, the dance starts over again.
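The half-escaped forms from the report and the escaped slash raised in the last two comments, checked against a naive filter and a decode-first filter. This is an added example written for this page, not code from nsChromeRegistry.cpp; naiveRejects, hardenedRejects and percentDecodeOnce are hypothetical names.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Naive filter modelled on the behaviour the report describes: only the literal
// ".." and the fully escaped "%2E%2E" are caught, so ".%2E" and "%2E." pass.
bool naiveRejects(const std::string& s) {
    return s.find("..") != std::string::npos ||
           s.find("%2E%2E") != std::string::npos;
}

// Decode each %XX escape exactly once (hypothetical helper, not Mozilla's).
// Returns false on a truncated or non-hex escape so the caller rejects it.
static bool percentDecodeOnce(const std::string& in, std::string& out) {
    out.clear();
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size() ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 1])) ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 2])))
            return false;
        out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
        i += 2;
    }
    return true;
}

// Hardened filter: canonicalise first, then compare. It rejects ".." in any
// mix of literal and escaped (either case), a slash hidden as %2F, any '%'
// left after one decode (double encoding), and malformed escapes.
bool hardenedRejects(const std::string& s) {
    std::string d;
    if (!percentDecodeOnce(s, d)) return true;
    if (d.find('%') != std::string::npos) return true;
    if (d.find("..") != std::string::npos) return true;
    // Decoding can only add '/' characters; more of them means one was escaped.
    return std::count(d.begin(), d.end(), '/') !=
           std::count(s.begin(), s.end(), '/');
}
```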
tever is not RDF QA anymore
QA Contact: tever → nobody
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 413250