Closed Bug 1845752 Opened 2 years ago Closed 2 years ago

The System Principal is being used to load search engine images and OpenSearch descriptions

Categories

(Firefox :: Search, defect, P2)

Tracking

RESOLVED FIXED
119 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox117 --- wontfix
firefox118 --- wontfix
firefox119 + fixed

People

(Reporter: standard8, Assigned: standard8)

Details

(Keywords: sec-low, Whiteboard: [adv-main119-])

Attachments

(1 file)

We have a helper function in SearchUtils that makes a channel using the system principal.

Although the triggeringPrincipal is not specified, it falls back to the loadingPrincipal.

The channel that is created can be used in two places in the code:

  1. When installing or updating OpenSearch engines. In the install case (the update case only has the last step):
    • The user has loaded a web page, and we've detected that there is a <link rel="search" type="application/opensearchdescription+xml"> in the page with a href for the OpenSearch definition file (an XML file).
    • The user then clicks on a button in the search bar or address bar to install the engine.
    • We then go and load the href from the definition and process the file.
  2. Loading images (icons) for search engines on installation. These will have been defined in the OpenSearch engine definition, or could also be loaded for Enterprise Policy engines.

Talking with :ckerschb, we should be using a null principal here, as these are cases that could be influenced by the web.

To get this working, we'll also need to correct/change the content type. I think for the first case we should use Ci.nsIContentPolicy.TYPE_DOCUMENT and for the second case we should use Ci.nsIContentPolicy.TYPE_IMAGE.

In the images code, we can also remove the ftp reference, as Firefox no longer supports loading from ftp.
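Added example, not code from Firefox or from this bug's patch: it models the two channel-creation shapes described above as plain option objects in the style NetUtil.newChannel() accepts, with string stand-ins for XPCOM principals and load-info flags so it runs under Node, and audits them against the bug's reasoning (no system principal for web-influenced URLs, a specific content policy type, no ftp). The assumption that the old helper used TYPE_OTHER is mine, not the bug's.

```javascript
// Constant values mirror nsIContentPolicy; principals/flags are stand-ins.
const TYPE_OTHER = 1;
const TYPE_IMAGE = 3;
const TYPE_DOCUMENT = 6;
const SYSTEM_PRINCIPAL = "system"; // stand-in for the system principal
const NULL_PRINCIPAL = "null";     // stand-in for createNullPrincipal({})
const PRIVILEGED_SCHEMES = new Set(["chrome:", "resource:", "moz-extension:"]);

// The helper as the bug describes it: everything loads as the system
// principal (assumption: the content type was also left at TYPE_OTHER).
function weakChannelOptions(url) {
  return { uri: url, loadUsingSystemPrincipal: true, contentPolicyType: TYPE_OTHER };
}

// The shape the bug proposes: a null principal plus the real content type
// (TYPE_DOCUMENT for the OpenSearch description, TYPE_IMAGE for icons), so
// the load is treated as untrusted rather than as browser-internal.
function hardenedChannelOptions(url, kind) {
  if (kind !== "opensearch" && kind !== "icon") {
    throw new Error("unknown load kind: " + kind);
  }
  return {
    uri: url,
    loadingPrincipal: NULL_PRINCIPAL,
    securityFlags: "SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL",
    contentPolicyType: kind === "opensearch" ? TYPE_DOCUMENT : TYPE_IMAGE,
  };
}

// Returns the list of problems with an options object; empty means it is
// acceptable for a URL that a web page or enterprise policy can influence.
function auditChannelOptions(opts) {
  const findings = [];
  const scheme = new URL(opts.uri).protocol;
  const principal = opts.loadUsingSystemPrincipal ? SYSTEM_PRINCIPAL : opts.loadingPrincipal;
  if (scheme === "ftp:") {
    findings.push("ftp is no longer supported");
  }
  if (principal === SYSTEM_PRINCIPAL && !PRIVILEGED_SCHEMES.has(scheme)) {
    findings.push("web-influenced URL loaded with the system principal");
  }
  if (!opts.contentPolicyType || opts.contentPolicyType === TYPE_OTHER) {
    findings.push("content policy type is unspecific; use TYPE_DOCUMENT or TYPE_IMAGE");
  }
  return findings;
}
```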

Keywords: sec-low
Assignee: nobody → standard8
Status: NEW → ASSIGNED
Attachment #9349916 - Attachment description: Bug 1845752 → WIP: Bug 1845752
Attachment #9349916 - Attachment description: WIP: Bug 1845752 → Bug 1845752. r?freddyb!
Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 119 Branch

I chatted with Christoph and Freddy, and we decided that as this is more of a security improvement rather than a vulnerability fix, we wouldn't backport to esr115.

Likewise, I don't think we need to do an uplift to beta in this case. I'm fine either way though if someone thinks we should uplift to beta.

Flags: qe-verify+
QA Whiteboard: [post-critsmash-triage]

Covered by automated tests. Removing the qe+ flag.

Flags: qe-verify+
Whiteboard: [adv-main119-]

Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter

Group: core-security-release