Closed Bug 1972282 Opened 11 months ago Closed 10 months ago

xsl:sort appears not to honor spoof_english

Categories

(Core :: XSLT, defect)

Product:
Core
Component:
XSLT
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
142 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox-esr140 142+ verified
firefox140 --- wontfix
firefox141 --- wontfix
firefox142 + verified

People

(Reporter: hsivonen, Assigned: pierov)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: csectype-disclosure, privacy, sec-other, Whiteboard: [fingerprinting][tor 43912][adv-main142-][adv-esr140.2-])

Attachments

(3 files)

(secure)
48 bytes, text/x-phabricator-request
Details | Review
(secure)
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr140+
Details | Review
Screenshot by trying the STR from comment 2 in 141.0a1 from 2025-06-16
109.41 KB, image/png
Details

Disclaimer: This is from code inspection, and I haven't actually tested if there is a bug. Still, I'm filing this so that it's not forgotten in case there is a bug.

From code inspection, it appears that if an XSLT transform from the Web uses xsl:sort and doesn't specify a language, the unspoofed Firefox UI language is used for sorting. https://searchfox.org/mozilla-central/rev/b4412cedce6e2900f5553cbdc43c3fa49c4b9adb/dom/xslt/xslt/txXPathResultComparator.cpp#31

When a language isn't specified, xsl:sort should use the same spoof_english-honoring manner of deciding the language as the JS Intl API uses for undefined as the language.

If this bug isn't fixed ahead of bug 1937541, I'd like to do the right thing in bug 1937541 instead of deliberately repeating the bug. thorin, is that a problem in terms of attention drawn?

Flags: needinfo?(thorin)
Flags: needinfo?(thorin)

collation when undefined can be telling - https://arkenfox.github.io/TZP/tests/collation.html uses a refined set of characters/strings and can currently get 97 results (84 unique) from 124 supported locales

Will come back to this with some testing - not an expert on XSLT - to see if it leaks app language (with spoof english), unless someone beats me to it

Group: core-security → dom-core-security

STR:

  1. Install Swedish (sv-SE)
  2. Go to https://www.w3schools.com/Xml/tryxslt.asp?xmlfile=cdcatalog&xsltfile=cdcatalog_sort
  3. Use this XML code:
<?xml version="1.0" encoding="UTF-8"?>
<catalog>
  <cd>
    <title>z</title>
    <artist>z</artist>
    <country>USA</country>
    <company>Columbia</company>
    <price>10.90</price>
    <year>1985</year>
  </cd>
  <cd>
    <title>a</title>
    <artist>a</artist>
    <country>USA</country>
    <company>Columbia</company>
    <price>10.90</price>
    <year>1985</year>
  </cd>
  <cd>
    <title>å</title>
    <artist>å</artist>
    <country>USA</country>
    <company>Columbia</company>
    <price>10.90</price>
    <year>1985</year>
  </cd>
</catalog>
  1. Result will be a/z/å, both with and without spoof English.

If you test it in another language (including en-US), the order will be a/å/z.

Keywords: csectype-disclosure, privacy, sec-low
Whiteboard: [fingerprinting]
Attached file (secure)
Assignee: nobody → pierov
Status: NEW → ASSIGNED
Severity: -- → S3
Whiteboard: [fingerprinting] → [fingerprinting][tor 43912]
Attachment #9496443 - Attachment description: Bug 1972282 - Check for spoof English in xsl:sort. r?#anti-tracking,#dom-core → (secure)
Pushed by abutkovits@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/0ae7bd3f5be4 https://hg.mozilla.org/integration/autoland/rev/270d2c511f59 Revert "Bug 1972282 - Check for spoof English in xsl:sort. r=smaug" for causing bustages at txNodeSorter.cpp.

Backed out for causing build bustages

Backout link

Push with failures

Failure log

Flags: needinfo?(pierov)

It seems unified builds somehow introduced a using namespace mozilla; and included nsRFPService.h.
I sent an updated revision that fixes the problems.

Flags: needinfo?(pierov)

https://hg.mozilla.org/mozilla-central/rev/1be113fbb5f9

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
status-firefox142: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 142 Branch

Please nominate this for ESR140 approval when you get a chance.

Flags: needinfo?(pierov)
QA Whiteboard: [sec] [qa-triage-done-c143/b142]
Flags: qe-verify+

Do we have a guarantee that if aLangExpr is not null, it will evaluate to a non-empty string?

(In reply to Henri Sivonen (:hsivonen) from comment #11)

Do we have a guarantee that if aLangExpr is not null, it will evaluate to a non-empty string?

Good catch, lang="" indeed bypasses the patch.

Attached file (secure)

Original Revision: https://phabricator.services.mozilla.com/D254784

Attachment #9503236 - Flags: approval-mozilla-esr140?

firefox-esr140 Uplift Approval Request

  • User impact if declined: The patch fixes a spoof English bypass.
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: STR in comment 2 of the Bug
  • Risk associated with taking this patch: Low
  • Explanation of risk level: Unsupported Firefox configuration (RFP/FFP)
  • String changes made/needed: None
  • Is Android affected?: yes
Blocks: 1979608
Flags: needinfo?(pierov)
QA Whiteboard: [sec] [qa-triage-done-c143/b142] → [sec][qa-triage-done-c143/b142][uplift][qa-ver-needed-c143/b142]
Attachment #9503236 - Flags: approval-mozilla-esr140? → approval-mozilla-esr140+
QA Contact: cgeorgiu

Hi Pier! When following the steps from comment 2 to reproduce this issue on an affected Nightly build (2025-06-16) with Windows 11, I’m getting a, å, z after changing the language to Swedish (sv-SE). However, I see the same results on a fixed build, Beta 142.0b5.

I’m wondering if I might be doing something wrong while verifying this issue, or if the issue is not properly fixed. Could you please take a look?

Flags: needinfo?(pierov)

Hi!
I've just tried with 2025-06-16, and I get a, z, å, both on Windows 11 and on Linux.

I've realized that "install/change the language to sv-SE" might be ambiguous: the bug is triggered when the app language is sv-SE.
Is it possible you set accepted languages ("Choose your preferred language for displaying pages") instead?
Or, in other words, if the UI is displayed in Swedish, I'd expect the bug to show, if it's still in English, it shouldn't.

Please notice that the controls to change language might are disabled by default in nightly (i.e., intl.multilingual.enabled is false).
You can either flip that pref and install a langpack compatible with that version, or you can install a build that is already localized.
More information are available at https://firefox-source-docs.mozilla.org/l10n/fluent/tutorial.html#testing-other-locales.

Flags: needinfo?(pierov)

(In reply to Pier Angelo Vendrame from comment #17)

Hi!
I've just tried with 2025-06-16, and I get a, z, å, both on Windows 11 and on Linux.

I've realized that "install/change the language to sv-SE" might be ambiguous: the bug is triggered when the app language is sv-SE.
Is it possible you set accepted languages ("Choose your preferred language for displaying pages") instead?

Yes, that’s what I did.

Thanks for explaining! I can confirm the fix as verified on Beta 142.0b5 and ESR 140.2.0 (treeherder build) on macOS 15, Ubuntu 24, and Windows 11.

Status: RESOLVED → VERIFIED
QA Whiteboard: [sec][qa-triage-done-c143/b142][uplift][qa-ver-needed-c143/b142] → [sec][qa-triage-done-c143/b142][uplift][qa-ver-done-c143/b142]
status-firefox142: fixedverified
status-firefox-esr140: fixedverified
Flags: qe-verify+
Keywords: sec-lowsec-other
Whiteboard: [fingerprinting][tor 43912] → [fingerprinting][tor 43912][adv-main142-][adv-esr140.2-]
See Also: → 1979608
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: