Closed Bug 1945705 Opened 7 months ago Closed 5 months ago

Can still spoof via long runs of %0A in filename download (firefox android) (bypass of 1906024)

Categories

(Firefox for Android :: Downloads, defect)

Unspecified
Android
defect

Tracking

RESOLVED FIXED
138 Branch
Tracking Status
firefox137 --- wontfix
firefox138 --- fixed

People

(Reporter: sas.kunz, Assigned: titouan)

References

Details

(Keywords: csectype-spoof, reporter-external, sec-moderate, Whiteboard: [client-bounty-form] [adv-main138+])

Attachments

(5 files, 1 obsolete file)

Attached file downloadspoofk1.html (obsolete)

After the fix for https://bugzilla.mozilla.org/show_bug.cgi?id=1906024, the special characters are sanitized to "", but when I try using %0A in the filename, the %0A is not sanitized to "", which leads to a spoof.

Steps to reproduce:

  1. open http://103.186.0.20/downloadspoofk1.html or downloadspoofk1.html
  2. click the "open" button

Impact: the victim can be spoofed into thinking that it is a document file even though it is an APK file.
Flags: sec-bounty?

Firefox Version: Nightly 136.0a1 (Build #2016071263)

Attached video spooffile.mp4
Attached file downloadspoofk1.html
Attachment #9463679 - Attachment is obsolete: true
Group: firefox-core-security → mobile-core-security
Component: Security → Downloads
OS: Unspecified → Android
Product: Firefox → Fenix
Summary: bypass of https://bugzilla.mozilla.org/show_bug.cgi?id=1906024 → Can still spoof via long runs of %0A in filename download (firefox android) (bypass of 1906024)

How or where does the %0A get turned into \n? percent-encoding is for URLs, it shouldn't mean anything in the download name attribute! And if we are turning it into a newline, why didn't the \s in the regexp catch it? My first reaction was to worry that we weren't doing a multi-line regexp, but we have a testcase that handles "new\u000Aline" correctly.

For comparison, on Desktop the '%' gets dropped somewhere and "0A" are left as literal characters in the name.

Flags: needinfo?(rsainani)

Sorry for the delay; I was OOO and have only now caught up on this and investigated it.

[:dveditz] We are not decoding before (or as part of) sanitizing the file name. The usage that causes this sanitizes the file name and then decodes it. https://searchfox.org/mozilla-central/source/mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt#1262

I think we should decode before sanitizing; that will enable the regex to sanitize the file name as intended, it's not perf intensive, and it will solve this issue. Let me know your thoughts on this when you can.

Flags: needinfo?(rsainani)
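As an added illustration of the ordering problem discussed in the two comments above (this is example Python, not Fenix's Kotlin code; the regex, the helper names `sanitize_filename`, `sanitize_then_decode`, `decode_then_sanitize`, and the sample filename are assumptions constructed for this example), the following shows why a `\s` in the sanitizing regex never sees the newline when sanitizing runs before percent-decoding, and how running the decode first fixes it:

```python
"""Order of percent-decoding vs. sanitizing for a download filename.

Constructed example, not the project's code: the regex and helper names
are assumptions chosen to demonstrate the ordering issue.
"""
import re
from urllib.parse import unquote

# Assumed sanitizer: drop every whitespace or ASCII control character
# (the bug's regex likewise replaces such characters with "").
_CONTROL_OR_SPACE = re.compile(r"[\s\x00-\x1f\x7f]+")


def sanitize_filename(name: str) -> str:
    """Remove whitespace/control characters and trim the result."""
    return _CONTROL_OR_SPACE.sub("", name).strip()


def sanitize_then_decode(raw: str) -> str:
    """The ordering the bug describes: the regex runs on the still-encoded
    string, where '%0A' is three harmless characters ('%', '0', 'A');
    the newline only appears once unquote() runs afterwards."""
    return unquote(sanitize_filename(raw))


def decode_then_sanitize(raw: str) -> str:
    """The proposed fix: decode exactly once first, so every encoded
    control character is visible to the regex."""
    return sanitize_filename(unquote(raw))


def contains_control(name: str) -> bool:
    """True if the final filename still carries whitespace/control bytes."""
    return bool(_CONTROL_OR_SPACE.search(name))


# Constructed sample: a filename that, once decoded, pushes the real
# extension far away from the visible part of the name with newlines.
SAMPLE = "invoice.pdf" + "%0A" * 40 + ".apk"

if __name__ == "__main__":
    for label, fn in (("sanitize-then-decode", sanitize_then_decode),
                      ("decode-then-sanitize", decode_then_sanitize)):
        out = fn(SAMPLE)
        print(f"{label}: {out!r}  control chars left: {contains_control(out)}")
```

Two details matter for the fixed ordering: the decode must happen exactly once (a doubly encoded `%250A` decodes to the literal text `%0A`, which is harmless as long as nothing decodes the name a second time later), and the sanitizer must run on the final string that will be displayed and written to disk.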

The severity field is not set for this bug.
:007, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(nbond)
Severity: -- → S3
Flags: needinfo?(nbond)
Assignee: nobody → tthibaud
Attachment #9471152 - Attachment description: WIP: Bug 1945705 - Fix malformed download filename extracted from contentDisposition → Bug 1945705 - Fix malformed download filename extracted from contentDisposition
Attachment #9471434 - Attachment description: WIP: Bug 1945705 - Improve tests for Download filename extraction from contentDisposition → Bug 1945705 - Improve tests for Download filename extraction from contentDisposition
Pushed by tthibaud@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9f2903340566 Fix malformed download filename extracted from contentDisposition r=android-reviewers,rsainani
Backout by csabou@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/463b21eac2e8 Backed out changeset 9f2903340566 for causing lint failures on GeckoEngineSession.kt. CLOSED TREE

Linting failure (the AC task also reports an unused import):
TEST-UNEXPECTED-ERROR | /builds/worker/checkouts/gecko/mobile/android/android-components/components/browser/engine-gecko/src/main/java/mozilla/components/browser/engine/gecko/GeckoEngineSession.kt:56:1 | Unused import (standard:no-unused-imports)

Flags: needinfo?(tthibaud)
Pushed by tthibaud@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fe35a25cb754 Fix malformed download filename extracted from contentDisposition r=android-reviewers,rsainani
Group: mobile-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 138 Branch
Flags: needinfo?(tthibaud)
Flags: sec-bounty? → sec-bounty+
Whiteboard: [client-bounty-form] → [client-bounty-form][reminder-test 2025-05-28]
Whiteboard: [client-bounty-form][reminder-test 2025-05-28] → [client-bounty-form][reminder-test 2025-05-28] [adv-main138+]
Attached file advisory.txt

A month ago, RyanVM placed a reminder on the bug using the whiteboard tag [reminder-test 2025-05-28].

titouan, please refer to the original comment to better understand the reason for the reminder.

Flags: needinfo?(tthibaud)
Whiteboard: [client-bounty-form][reminder-test 2025-05-28] [adv-main138+] → [client-bounty-form] [adv-main138+]
Pushed by tthibaud@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/97a92129cf8c Improve tests for Download filename extraction from contentDisposition r=android-reviewers,rsainani
Flags: needinfo?(tthibaud)
Group: core-security-release