Closed
Bug 182176
Opened 22 years ago
Closed 15 years ago
".." exploit in chrome registry using '%' escaping
Categories: Core Graveyard :: RDF, defect
Tracking: (Not tracked)
Status: RESOLVED DUPLICATE of bug 413250
People
(Reporter: harald.albrecht, Assigned: dveditz)
Details
Attachments
(1 obsolete file)
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021120
Build Identifier: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.3a) Gecko/20021120
The chrome registry in mozilla/rdf/chrome/src/nsChromeRegistry.cpp offers a
function called "splitURL()", which is responsible for splitting a "chrome:" URL
into its package, provider and file parts. To avoid exploits, splitURL() checks
for "..", which could be used to gain access to files outside the chrome
directory. Currently, the code checks only for ".." and "%2E%2E". However, this
does not catch combinations of the two, that is ".%2E" and "%2E.", which are
semantically equivalent, only with a different representation form.
Reproducible: Always
Steps to Reproduce:
1. Read the source code of mozilla/rdf/chrome/src/nsChromeRegistry.cpp, lines
457 and following.
Comment 1 • 22 years ago
-> security group for the moment
Normal pages can't load chrome, though - is there an exploit here, or is this
just an additional security check?
(Does resource have the same issue?)
Group: security
Comment 2 • 22 years ago
This belongs in RDF.
Assignee: asa → rjc
Component: Browser-General → RDF
QA Contact: asa → tever
Comment 3 (Assignee) • 22 years ago
This is not much of a security hole since chrome can read any file anyways and
non-trusted content can't use chrome URLs. It's worth fixing in case some future
exploit allows untrusted content to use chrome urls, but I'm removing the
security flag because there's no exploit here.
I'm dubious RDF is the right component, but I'm sure rjc isn't the right guy.
Hyatt can grab this if he wants.
Assignee: rjc → dveditz
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4 (Assignee) • 22 years ago
Updated (Assignee) • 22 years ago
Attachment #107635 - Flags: superreview?(hyatt)
Attachment #107635 - Flags: review?(jaggernaut)
Comment 5 • 22 years ago
Comment on attachment 107635 (Catch half-escaped forms)
What about the escaped form of '/'?
Comment 6 (Reporter) • 22 years ago
Yes, imho escaped slashes also need to be dealt with. And if UNICODE should be
supported one day, the dance starts over again.
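Added illustration of the check discussed in the description and in comments 5 and 6; this is not Mozilla's splitURL() code and not attachment 107635, and the function names are hypothetical. It places the literal two-spelling check beside a decode-then-split check, and goes a little beyond the report by also covering lowercase hex, an escaped slash as a separator, malformed escapes and double encoding.

```cpp
// Added example (not Mozilla's code): weak literal check vs. decode-then-check.
#include <cctype>
#include <string>

// Weak check: only the two literal spellings named in the bug report.
// Misses ".%2E", "%2E.", lowercase "%2e%2e" and says nothing about "%2F".
bool weakRejectsTraversal(const std::string& path) {
    return path.find("..") != std::string::npos ||
           path.find("%2E%2E") != std::string::npos;
}

// Decode %XX escapes (hex digits in either case). A malformed escape makes
// this return false so the caller can fail closed instead of guessing.
bool percentDecode(const std::string& in, std::string& out) {
    out.clear();
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size() ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 1])) ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 2]))) return false;
        out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
        i += 2;
    }
    return true;
}

// Hardened check: decode once, then split on '/' (so a decoded %2F is a real
// separator) and refuse the path if any segment is exactly "..". A leftover
// '%' after one decode pass is treated as double encoding and refused too
// (a conservative choice for chrome file names, which do not need '%').
bool hardenedRejectsTraversal(const std::string& path) {
    std::string decoded;
    if (!percentDecode(path, decoded)) return true;        // fail closed
    if (decoded.find('%') != std::string::npos) return true; // double-encoded
    std::string seg;
    for (size_t i = 0; i <= decoded.size(); ++i) {
        if (i == decoded.size() || decoded[i] == '/' || decoded[i] == '\\') {
            if (seg == "..") return true;
            seg.clear();
        } else {
            seg += decoded[i];
        }
    }
    return false;
}
```

Note that the literal check also yields false positives such as "a..b/c", which the segment-based check accepts.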
Updated (Assignee) • 15 years ago
Attachment #107635 - Attachment is obsolete: true
Attachment #107635 - Flags: superreview?(hyatt)
Attachment #107635 - Flags: review?(jag)
Updated (Assignee) • 15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Updated • 6 years ago
Product: Core → Core Graveyard