Closed Bug 1891690 Opened 1 year ago Closed 1 year ago

EXSLT leaks timezones also when RFP is enabled

Categories

(Core :: XSLT, defect)

Product:
Core
Component:
XSLT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
131 Branch
Tracking Flags:
Tracking Status
firefox-esr128 --- fixed
firefox129 --- wontfix
firefox130 --- wontfix
firefox131 --- fixed

People

(Reporter: pierov, Assigned: fkilic)

References

(Blocks 2 open bugs)

Details

Attachments

(5 files)

Example on how to get the XSLT datetime with JS
759 bytes, text/html
Details
Tor Browser's patch
989 bytes, patch
Details | Diff | Splinter Review
xslt.png
35.27 KB, image/png
Details
Bug 1891690: Return GMT when RFPTarget::JSDateTimeUTC is enabled. r?timhuang
48 bytes, text/x-phabricator-request
Details | Review
Bug 1891690: Return GMT when RFPTarget::JSDateTimeUTC is enabled. r?timhuang
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr128+
Details | Review

SLT has a function to write the current date and time (date:date-time()) in the local timezone.
However, when RFP is enabled, it should report it in UTC.
I'm attaching a PoC on how to get its value from JS.

Downstream we adopted an easy patch for Tor Browser, but we had to use the coarse check on ShouldResistFingerprinting because the XSLT function is evaluated with a txEarlyEvalContext, which doesn't allow to access the document.
I'm attaching it here as a patch file, since I'd expect it not to be accepted, since it uses the coarse check.

Attached patch Tor Browser's patch β€” β€” Splinter Review

S4 because of not an issue for Firefox in the default settings.

Severity: -- → S4
Attached image xslt.png β€”

this leak undermines a lot of current RFP timezone protection. Whilst timezone name is still protected (350+ timezone names exist), at any given time there are 40-50 (I think, varies depending on the date) current timezone offsets in effect, which is still high entropy

I appreciate this is not front facing or an official FF setting, but we rely on FF users to help develop, test and refine RFP (and an uplift will reduce patches downstream). Thanks :)

If the patch with the coarse RFP check is fine I'd be happy to open a Phab request.
Otherwise, with some mentoring I think I could try to expose the RFP check to EXSLT parsing.

Does aContext->getContextNode()->Document()->ShouldResistFingerprinting(...) work?

Feel free to leave this until you get a 128 rebase sorted out if that's easier workflow-wise for you.

Flags: needinfo?(pierov)

I think I had already tried that way, but Document() is private. Only ==, != and the destructor are public in txXPathNode.

Flags: needinfo?(pierov)
Assignee: nobody → fkilic
Status: NEW → ASSIGNED
Pushed by fkilic@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c20348dfb89d Return GMT when RFPTarget::JSDateTimeUTC is enabled. r=timhuang

https://hg.mozilla.org/mozilla-central/rev/c20348dfb89d

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox131: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 131 Branch

Would it be possible to uplift this to ESR 128?

Sure, we haven't caught any issues in XLST tests and the test I wrote, but I'm little hesitant to directly uplifting it. Is it okay if we uplift it after a while to see if we get any crashes in the wild?

Sure, works for me, thank you very much!
I asked because downstream we have another problem around the same code, so I was thinking of replacing my downstream patch with this one anyway, and then fix the other problem on top of it.
Basically, the precision of XLST is still very high when using RFP.
So, in addition to checking JSDateTimeUTC, we would like to add a second check on ReduceTimerPrecision and act accordingly (or we will wait for the patch to be added to Firefox, if you manage to get to this problem before πŸ™‚, I don't think I'll be able to get to it for a few days).

(In reply to Pier Angelo Vendrame from comment #12)

Sure, works for me, thank you very much!
I asked because downstream we have another problem around the same code, so I was thinking of replacing my downstream patch with this one anyway, and then fix the other problem on top of it.
Basically, the precision of XLST is still very high when using RFP.
So, in addition to checking JSDateTimeUTC, we would like to add a second check on ReduceTimerPrecision and act accordingly (or we will wait for the patch to be added to Firefox, if you manage to get to this problem before πŸ™‚, I don't think I'll be able to get to it for a few days).

Done!

verified fixed in nightly131 - https://arkenfox.github.io/TZP/tzp.html#region

Regressions: 1916109

Does this need an ESR128 approval request?

Flags: needinfo?(fkilic)
Flags: in-testsuite+

I mean I was going to ask for it but there's this bug 1916109. I wanted to wait for its fix before asking but I don't know honestly. It only happened once, and it can only happen during testing, so it is up to depending on the risks associated. I'll update if someone reviews it.

Flags: needinfo?(fkilic)

I pushed the fix for the intermittent issue. So I guess to uplift Bug 1912129, we first have apply patches in the order of Bug 1891690 then Bug 1916109, then Bug 1912129. If this is something I can do, I can do it.

If you want to do so, that works for me.

and how would I do it :/ I can think of two options,

  • Modifying D220905 to stack all three patches into a single patch
  • Creating uplift requests for this bug and Bug 1916109
  • or maybe some other option?

Just nominate each bug individually, yeah.

Attachment #9423931 - Flags: approval-mozilla-esr128?

esr128 Uplift Approval Request

  • User impact if declined: This patch improves the fingerprinting prevention/privacy of the users. We want to uplift this patch so that the privacy targeted browsers (e.g. Tor, Mullvad) can receive the updates. No big impact if declined.
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: Enable privacy.resistFingerprinting, visit https://arkenfox.github.io/TZP/tzp.html#region, verify that timezone is 0
  • Risk associated with taking this patch: There has been a data race issue but it is addressed in https://phabricator.services.mozilla.com/D221686, so it should land after this patch.
  • Explanation of risk level: Data race failures on CI if landed without https://phabricator.services.mozilla.com/D221686
  • String changes made/needed: No
  • Is Android affected?: yes
Attachment #9423931 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+

Very interesting. I have no idea. My personal ESR build succeeded (though I ran it with privacy.resistFingerprinting and not privacy.fingerprintingProtection + overrides) also we aren't getting any fails on other repos. I wonder if there's something wrong with the overrides in ESR. I'll investigate. I'm sorry for the disturbance.

Flags: needinfo?(fkilic)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: