Bug 189799 - JavaScript Security policy for specific site can be circumvented
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: Security: CAPS
Version: Trunk
Hardware: x86 Linux
Importance: -- normal
Assigned To: Mitchell Stoltz (not reading bugmail)
QA Contact: bsharma

Reported: 2003-01-20 09:09 PST by Martin Treusch von Buttlar
Modified: 2004-07-20 04:47 PDT


Attachments
Patch - ignore user:pass in host comparisons (1.26 KB, patch)
2003-01-21 18:01 PST, Mitchell Stoltz (not reading bugmail)
hjtoi-bugzilla: review+
dveditz: superreview+
asa: approval1.3b+

Description Martin Treusch von Buttlar 2003-01-20 09:09:53 PST
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2; MultiZilla v1.1.32 final) Gecko/20021126
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2; MultiZilla v1.1.32 final) Gecko/20021126

When using an RFC1737 encoded URL with username and password prepended with an @
to the hostname (i.e. http://alice:secret@mozilla.org/ ), the site's configuration
entry is not correctly applied.

Reproducible: Always

Steps to Reproduce:
1. Restrict js-capabilities to a specific URL and check it is correctly enforced
as described in
http://www.mozilla.org/projects/security/components/ConfigPolicy.html

2. Now, type in exactly the same URL but prepend a:b@

Actual Results:
The formerly restricted capability is now accessible.

Expected Results:
Mozilla should have blocked the capability regardless of the prepended @-string.
Comment 1 Mitchell Stoltz (not reading bugmail) 2003-01-21 18:00:14 PST
Good catch! I'm making this Security-Sensitive. Martin, if you disagree, you can
uncheck the box above. Turns out the problem is the use of GetPrePath in
nsCodebasePrincipal::GetOrigin, since PrePath includes the username/password. I
think we should exclude those from security comparisons, so that foo.com and
a:b@foo.com are treated as the same origin. Patch to follow.
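
The root cause named in Comment 1, as an added example that is not part of the bug thread and not Mozilla's code: a per-site policy keyed on an origin string is looked up once with a prePath-style origin (userinfo included) and once with userinfo excluded. The function names, the policy table and the capability name are hypothetical, and the standard `URL` parser stands in for Mozilla's URI classes.

```javascript
// Added illustration; all names here are hypothetical, not Mozilla's CAPS code.

// Constructed per-site policy: capabilities denied for a given origin.
const sitePolicy = new Map([
  ["http://mozilla.org", new Set(["Window.open"])],
]);

// "Before": origin built like a URI prePath, i.e. scheme://userinfo@host:port.
function originFromPrePath(spec) {
  const u = new URL(spec);
  let userinfo = u.username;
  if (u.password) userinfo += ":" + u.password;
  return u.protocol + "//" + (userinfo ? userinfo + "@" : "") + u.host;
}

// "After": userinfo excluded, so only scheme, host and port identify the site.
function originWithoutUserinfo(spec) {
  const u = new URL(spec);
  return u.protocol + "//" + u.host;
}

// Policy check parameterised on the origin function, to compare both variants.
function isDenied(spec, capability, originOf) {
  const denied = sitePolicy.get(originOf(spec));
  return denied !== undefined && denied.has(capability);
}

// Run the same two constructed URLs through both origin functions.
function demo() {
  const urls = ["http://mozilla.org/", "http://a:b@mozilla.org/"];
  return urls.map((spec) => ({
    spec,
    deniedWithPrePath: isDenied(spec, "Window.open", originFromPrePath),
    deniedWithoutUserinfo: isDenied(spec, "Window.open", originWithoutUserinfo),
  }));
}

console.log(demo());
```

With the prePath-style origin, the second URL no longer matches the policy key and the restriction is skipped; with userinfo excluded, both URLs resolve to the same key.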
Comment 2 Mitchell Stoltz (not reading bugmail) 2003-01-21 18:01:02 PST
Created attachment 112228
Patch - ignore user:pass in host comparisons
Comment 3 Daniel Veditz [:dveditz] 2003-01-22 13:55:11 PST
I don't think this bug needs to be security sensitive since by default we
provide a secure configuration that doesn't depend on site lists. Sure, not good
that an extra feature we provide (unavailable in other browsers) can so easily
be defeated, but that's just a bug and isn't necessarily sensitive.
Comment 4 Daniel Veditz [:dveditz] 2003-01-22 13:56:21 PST
Comment on attachment 112228
Patch - ignore user:pass in host comparisons

sr=dveditz
Comment 5 Asa Dotzler [:asa] 2003-01-24 00:01:21 PST
To request approval from drivers to land a reviewed patch use the "approval1.3b?"
flag in the patch manager rather than the blocking1.3b? flag in the bug.
Comment 6 Asa Dotzler [:asa] 2003-01-24 00:02:18 PST
Comment on attachment 112228
Patch - ignore user:pass in host comparisons

a=asa (on behalf of drivers) for checkin to 1.3beta.
Comment 7 Mitchell Stoltz (not reading bugmail) 2003-01-24 18:18:26 PST
Fix checked in. Should I patch the 1.0.x branch too?
Comment 8 Daniel Veditz [:dveditz] 2004-07-20 04:47:08 PDT
Bugs published on the Known-vulnerabilities page long ago, removing confidential
flag.
