Closed Bug 191715 Opened 22 years ago Closed 22 years ago

PAC: did not work, after a external site is shown (fix Resolve)

Categories

(Core :: Networking: HTTP, defect, P1)

Product:
Core
Component:
Networking: HTTP
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.4beta

People

(Reporter: s.anders, Assigned: darin.moz)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 2 obsolete files)

v2.1 patch
1.63 KB, patch
bbaetz
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (compatible; Konqueror/3; Linux) Build Identifier: Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.2.1) Gecko/20021130 Hi, we have a automatic Porxy Configuration Script. It looks like this: function FindProxyForURL(url, host) { if ( isInNet(host, "172.16.0.0", "255.255.0.0") ) { return "DIRECT"; } if ( isInNet(host, "127.0.0.0", "255.255.0.0") ) { return "DIRECT"; } return "PROXY proxy.digitec:8080"; } I have a start page it is called http://apz.digitec/ (it's in our intranet, you can not reach it via proxy.) When I start the Browser the Page ist loaded okay. BUT when I connect to some server in the internet e.g. http://www.mozilla.org/ and return to http://apz.digitec/ . Mozilla connects to the Proxy, and get's an error from the Proxy. Reproducible: Always Steps to Reproduce: 1. Get a proxy Server e.g. Squid 2. Configure squid not to connect to one internal server. 3. Get a internal server. e.g. Apache 4. Put a Proxy Config File on the Apache, called proxy.pac: function FindProxyForURL(url, host) { if ( isInNet(host, "172.16.0.0", "255.255.0.0") ) { return "DIRECT"; } if ( isInNet(host, "127.0.0.0", "255.255.0.0") ) { return "DIRECT"; } return "PROXY proxy.digitec:8080"; } 5. Replace 172.16.0.0 and Netmask in the script above to your local ip adresses. Replace proxy.digitec:8080 to your squid adress. 6. Change Proxy Configuration to use http://<internal-server-adress>/proxy.pac 7. Change Homepage to http://<internal-server-adress> 8. Restart Mozilla. It shall now display your (internal) Homepage 9. Connect to www.mozilla.org, you should see the mozilla Homepage. 10. Ckick on Homepage. You see (after you wait a while) a error from squid. Actual Results: You see (after you wait a while) a error from squid. Expected Results: Connect to local page and NOT connect to the proxy. This is a securtiy problem: The Proxy could be used for a man in the middle atack (e.g it is from my Internet-Provider, and i do not trust them). "Automatic Proxy configuration" is a major feature for our company, so it is a (for Digitec) a Major bug.
yup, i'm able to reproduce the problem as well. investigating...
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P1
Target Milestone: --- → mozilla1.3beta
ok, this bug occurs because the DNS service is sometimes giving out IPv6 address literals as the result of nsIDNSService::Resolve. this happens when the IP address is found in the DNS service's cache. if not in the cache, then the DNS service just calls PR_GetHostByName, which happily returns an IPv4 address. iow, on initial load, PAC sees an IPv4 address, on subsequent load, PAC sees an IPv6 address, and PAC doesn't know how to deal with IPv6 address literals. in this case there is no need for the IPv4 address to be expressed as an IPv4-mapped-IPv6 address. i'm not sure if isInNet even works with IPv6 address literals.. i'll have to consult the code a bit more and probably take a peek at the PAC docs.
FWIW, nsIDNSService::Resolve is only called by PAC, and the PAC code has its own DNS cache (1-level deep).. so, i think it would be best (in the short term at least) to simply disable using the DNS service's cache to satisfy the Resolve method. patch coming up...
this patch solves the problem for sites with IPv4 addresses. i suspect we still have problems w/ IPv6 addresses. probably not security problems, since we should always be handing back an IPv6 address in that case. however, it seems that isInNet doesn't handle IPv6 addresses anyways, so sites using IPv6 would presumably be rolling their own somehow or would just be plain broken. hmm...
Darin, I'm not getting it. There shouldn't be any difference between what's in the DNS cache, and what it would hand out if there wasn't.
gordon: nsDNSService::Resolve calls PR_GetHostByName if the DNS cache is empty. nsDNSService::Lookup calls PR_GetIPNodeByName and converts IPv4 addresses to IPv4-mapped-IPv6 addresses before putting them in the cache. as a result, nsDNSService::Resolve will return IPv6 address if cached, and IPv4 if not cached.
No, you need the cache. Stuff is really really slow without it, because we do a synchronous lookup. On a page with lots of images, you have a sync dns lookup (on the UI thread, IIRC) for every image. See bug 97097. (PAC had a one element cache at one stage, as a workarround. Not sure if it still does) Can't we just have IsInNet use the ipv4 address when its a mapped ipv4->ipv6 address, and return false otherwise? (Theres also a pac function to lookup a dnsname; that should probablly return an ipv4 address where possible too) Then file another bug on an ipv6-aware isInNet function.
bbaetz: we still have the single element cache inside the PAC code :) at any rate, you're right... we should just add a conversion in the appropriate place.
darin: PR_GetHostByName vs. PR_GetIPNodeByName. Weird. I guess we updated one of the calls, but not the other. Almost time for spring cleaning again...
See bug 79242. Can I ask why this is marked as a security bug? If you don't trust your ISP proxy, then you should not use them for anything except HTTPS tunneled via CONNECT: Are you concerned about the ISP proxy receiving the URL of an internal resource? There are probably many situations where this happens in PAC and elsewhere, like bug 40082 #c27.
QA Contact: httpqa → benc
Summary: automatic proxy configuration did not work, after a external site is shown → PAC: did not work, after a external site is shown
> Can I ask why this is marked as a security bug? If you don't trust your ISP > proxy, then you should not use them for anything except HTTPS tunneled via > CONNECT: How do I do this, if mozilla do not take care about automatic proxy configuration? :-) > Are you concerned about the ISP proxy receiving the URL of an internal > resource? yes. e.g. a user use a programm which sends a session_id which can be also used from outside to get information from a server. The User use http, in the internal network (he trust the people there). a bad ISP can get this session id and make e.g a "man in the middle attack", or use ist later (if the user do not logout). > There are probably many situations where this happens in PAC and > elsewhere, like bug 40082 #c27. Yes. I know there are more "security-sensitive bugs" out there. Do you think it's no security bug, because it happen's all the time? Sven
Target Milestone: mozilla1.3beta → mozilla1.4alpha
Target Milestone: mozilla1.4alpha → mozilla1.3final
Flags: blocking1.3?
Flags: blocking1.3? → blocking1.3+
Comment on attachment 113670 [details] [diff] [review] patch: removes cache lookup on Resolve Can we get some reviews, if this patch is worth getting into 1.3final? If not, please say so and I'll clear the blocking1.3+ mark. /be
Attachment #113670 - Flags: superreview?(bzbarsky)
Attachment #113670 - Flags: review?(gordon)
Comment on attachment 113670 [details] [diff] [review] patch: removes cache lookup on Resolve brendan: no, per comment #7 and comment #8, we don't want this patch if we can help it.
Attachment #113670 - Attachment is obsolete: true
Attachment #113670 - Flags: superreview?(bzbarsky)
Attachment #113670 - Flags: review?(gordon)
What should we do for 1.3? If the answer is nothing, please retarget to 1.4a and I'll clear the blocking1.3+ flag. Separate issue: I don't see why this is a security-sensitive bug. Mitch, can you open it up or say why it's sensitive? Thanks. /be
I'm not sure what the security risk is here, but Darin saw one and marked this Sensitive. Darin, what's the security risk here?
mitch: no, the bug was reported with the "security-sensitive" flag set. IMO, the security risk is small here. i suppose if you are using a public proxy server (or one that you don't trust) on the internet for some purpose, and you have an intranet, it could be bad if URLs from your intranet leaked onto the internet. that said, i don't see how someone could really use this to exploit mozilla users. at most, this bug is a privacy leak. does that justify it being marked security- sensitive?
i'm not sure we absolutely need to fix this for 1.3 final. however, i wouldn't be surprised if a good number of those folks using proxy autoconfig hit this bug. IsInNet seems like a function that would show up in a lot of PAC files.
moving out.
Flags: blocking1.3+ → blocking1.3-
Group: security
Target Milestone: mozilla1.3final → mozilla1.4alpha
Flags: blocking1.4a?
Flags: blocking1.4a? → blocking1.4a-
Target Milestone: mozilla1.4alpha → mozilla1.4beta
Attached patch v2 patch (obsolete) — Splinter Review
this patch makes it so that Resolve will never return an IPv4 mapped IPv6 address literal. it will always return an IPv4 address as an IPv4 address literal.
Attached patch v2.1 patchSplinter Review
slightly better version
Attachment #119417 - Attachment is obsolete: true
Attachment #119418 - Flags: review?(bbaetz)
*** Bug 140309 has been marked as a duplicate of this bug. ***
Attachment #119418 - Flags: review?(bbaetz) → review+
Attachment #119418 - Flags: superreview?(bzbarsky)
Attachment #119418 - Flags: superreview?(bzbarsky) → superreview+
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Blocks: 79244
Summary: PAC: did not work, after a external site is shown → PAC: did not work, after a external site is shown (fix Resolve)
Blocks: 140309
Blocks: 79242
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: