Closed Bug 219029 Opened 21 years ago Closed 21 years ago

Attempting to open link to file:// can open link in new tab under certain circumstances

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: iannbugzilla, Assigned: iannbugzilla)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: fixed1.4.2, fixed1.5, regression)

Attachments

(3 files, 4 obsolete files)

Patch with revised comment
8.97 KB, patch
caillon
: review-
Details | Diff | Splinter Review
Output from Venkman for stops on error/exception
2.54 KB, text/plain
Details
Patch v0.4c patch for 1.5 branch
1.34 KB, patch
caillon
: review+
jst
: superreview+
mkaply
: approval1.4.2+
asa
: approval1.5+
Details | Diff | Splinter Review 
Tested on BuildID 2003090204, BuildID 2003091104-trunk and BuildID
2003091022-1.5 branch on Windows XP SP1.
Steps to reproduce:
1. Get sent an email with link to a file://
2. Click on link
3. Open JS console

Expected result:
1. Following message in JS console:
Security Error: Content at imap://ian@mail1:143/fetch%3EUID%3E/INBOX%3E44166 may
not load or link to file:///H|/Management/GUIDANCE%20NOTES.doc.

Actual result:
1. Following message in JS console:
Security Error: Content at imap://ian@mail1:143/fetch%3EUID%3E/INBOX%3E44166 may
not load or link to file:///H|/Management/GUIDANCE%20NOTES.doc.
Error: [Exception... "'Load of file:///H|/Management/GUIDANCE%20NOTES.doc
denied.' when calling method: [nsIDOMEventListener::handleEvent]"  nsresult:
"0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>"  data: no]
Security Error: Content at imap://ian@mail1:143/fetch%3EUID%3E/INBOX%3E44166 may
not load or link to file:///H|/Management/GUIDANCE%20NOTES.doc.
Error: uncaught exception: Load of file:///H|/Management/GUIDANCE%20NOTES.doc
denied.
Regression appears to happen between BuildID 2003060108 and BuildID 2003061108,
looks like from checkin to bug 204902 which didn't have the subsequent bug spun
off from what I can see. CCing relevant people from that bug.
Depends on: 204902
yes, but that's expected !
checkloaduri was broken for left click bot not for opening in a new tab/window
and I filed that bug 204902 to correct that.
(Either remove the check for new Tab/new wndow or add it again for the left click
and they added the broken check again for the left click.
sorry, I should read your bug better.

You mean exception and not that Mailnews blocks the link...
Attached patch Patch v0.2 (obsolete) — Splinter Review 
This patch addresses several issues:
a) Security issue - previously if you only have non-browser windows open and
you select "Open Link in New Tab" we would open a new window no matter what the
link was. This patch adds a call urlSecurityCheck prior to opening a new
window.
b) Duplicating calls to urlSecurityCheck - previously we'd call
urlSecurityCheck on a click event and again (well in most circumstances - see
a) when opening a tab or window. This patch removes the call to
urlSecurityCheck from within the function handleLinkClick.
c) Throwing an exception as well as a security error - previously as well as
generating a security error we would throw an exception. This patch changes the
throw into a dump and makes the function urlSecurityCheck return a boolean
value, true if it's okay to load the url, false if it's not.

I'm pretty sure I've captured all ways mozilla opens links unless we let pages
alter the context menu, which I don't think we do.
Moving to Security: General because of issue a)
Component: DOM Events → Security: General
Tweaking summary to reflect issue a).
Assignee: events → bugzilla
Summary: Attempting to open link to file:// generates exceptions as well as expected message in JS console → Attempting to open link to file:// generates exceptions as well as expected secuity error message in JS console but can open link in new tab under certain circumstances
Accepting.
Status: NEW → ASSIGNED
Attachment #131390 - Flags: review?(neil.parkwaycc.co.uk)
Iain wanted this marked as securit-sensitive (on IRC).
Group: security
Flags: blocking1.5?
Flags: blocking1.4.2?
Adding Neil to cc as I've asked him to review it ;-)
Blocks: clu
Hmmm, added benefit Neil has just pointed out:
shift-left click's behaviour is now consistent with the behavior of right-click
and "Save Link Target As...". Previously the former would just fail and the
latter would bring up a "Save As" dialog box, with the patch they both bring up
a "Save As" dialog box.
Comment on attachment 131390 [details] [diff] [review]
Patch v0.2

>   try {
>     secMan.checkLoadURIStr(sourceURL, url, nsIScriptSecurityManager.STANDARD);
>   } catch (e) {
>-    throw "Load of " + url + " denied.";
>+    dump("Load of " + url + " denied.");
>+    return false;
>   }
>+  return true;
Nit: Since checkLoadURIStr already dumps the message to both the console and
the JS console I don't think you should dump anything yourself.
Attachment #131390 - Flags: review?(neil.parkwaycc.co.uk) → review+
Attached patch Revised Patch v0.2a (obsolete) — Splinter Review 
Tweaked patch, adding missing \n to dump which is still needed as
checkLoadURIStr only outputs to JS console in non-debug builds.
Attachment #131390 - Attachment is obsolete: true
Comment on attachment 131437 [details] [diff] [review]
Revised Patch v0.2a

Carrying forward r= from Neil
Attachment #131437 - Flags: review+
Adding jag to cc so I can ask him for sr
Attachment #131437 - Flags: superreview?(jag)
Um, why are you not throwing anymore from urlSecurityCheck?  That kind of scares
me and violates one of the basic premises of the caps model which is to throw
for security failures.  It opens up a huge can of worms for new callers to be
added which do not check the return value.  Additionally, and more to the point,
if there are any extensions out there which use this and (rightly) expect it to
throw, you will now potentially open them up to security holes.  I seem to
remember there are extensions which use this.  Did you get all the callers?
Attached patch Patch v0.3 (obsolete) — Splinter Review 
Revised patch that throws instead of just dumping just in case the previous
change breaks any extensions expecting a throw.
Attachment #131437 - Attachment is obsolete: true
Comment on attachment 131437 [details] [diff] [review]
Revised Patch v0.2a

Cancelling request on patch v0.2a
Attachment #131437 - Flags: superreview?(jag)
Resummarizing.

Question for someone: why do we catch and throw?
Summary: Attempting to open link to file:// generates exceptions as well as expected secuity error message in JS console but can open link in new tab under certain circumstances → Attempting to open link to file:// can open link in new tab under certain circumstances
Neil: because otherwise the error message in the JS Console will make it look
like a chrome error rather than a content error.

Error: uncaught exception: [Exception... "foo"  location: "JS frame ::
chrome://foo.js :: etc]

That would probably confuse users into thinking its a browser bug when it is a
problem with the site.
A user might still find the following exceptions confusing, the former more than
the latter I suspect.

From a left click on a link they'd get given: 
Error: [Exception... "'Load of file:///C:/MUD/NEWS.TXT denied.' when calling
method: [nsIDOMEventListener::handleEvent]"  nsresult: "0x8057001e
(NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>"  data: no]

and from a right click, open link in a new...:
Error: uncaught exception: Load of file:///C:/MUD/NEWS.TXT denied.

This is as well as for both:
Security Error: Content at imap://ian@mail1:143/fetch%3EUID%3E/INBOX%3E3334 may
not load or link to file:///C:/MUD/NEWS.TXT.

But at least with this latest patch, the user only gets the one pair of errors
in the JS console, rather than two pairs (or none at all).
URL: file://
Attached patch Patch v0.4 (obsolete) — Splinter Review 
This patch addresses the issue of an exception being thrown in a listener by
removing the listener and changing the function that onclick calls to be an
amended version of the listener's original function that in turn calls the
onclick's original function.
Attachment #131443 - Attachment is obsolete: true
Comment on attachment 131502 [details] [diff] [review]
Patch v0.4

Oh and many thanks to Neil for point out this solution to me on IRC.
Attachment #131502 - Flags: review?(timeless)
To keep "Save As" consistent (as per comment#10), we do not want to call
urlSecurityCheck prior to calling saveURL
Comment on attachment 131502 [details] [diff] [review]
Patch v0.4

ok, i think this looks right but it now has too much dom stuff for my taste :)
Attachment #131502 - Flags: review?(timeless) → review?(caillon)
Comment on attachment 131502 [details] [diff] [review]
Patch v0.4

So I'm wondering if it would be good to just keep a global variable
|canLoadURLChecked| or something.  This way we can leave the checks to happen
as early as they are, and avoid the double check.  Resetting it may be a pain
though, so maybe not....


>Index: xpfe/communicator/resources/content/contentAreaClick.js

>+    // Checking to make sure we are allowed to open
>+    // this URL (call to urlSecurityCheck) is now
>+    // done within openNew... functions

Lose the "now".  If someone cares about "before", they can check past
revisions.  Also, it sounds like you mean |openNew*|.  The comment is overly
long.  Just say

  // We ensure we can load |href| within the openNew* functions


The rest seems to look okay.  r=caillon, but get another reviewer as well if
you can.
Attachment #131502 - Flags: review?(caillon)

        Attachment #131502 -
        Attachment is obsolete: true

    
  

        Attachment #131999 -
        Flags: review?(bugmail)

    
    

    
  
need reviews and comment on this quickly if we are going to try and get it into
1.5..

    
    

    
  
Comment on attachment 131999 [details] [diff] [review]
Patch with revised comment

Sorry, I don't feel comfortable reviewing this code since it's a security issue
and I don't this code well enough.

        Attachment #131999 -
        Flags: review?(bugmail)

    
    

    
  
Comment on attachment 131999 [details] [diff] [review]
Patch with revised comment

Okay let's try jag

        Attachment #131999 -
        Flags: review?(jag)

    
  

        Attachment #131999 -
        Flags: review?(jag) → review?(hjtoi-bugzilla)

    
    

    
  
Comment on attachment 131999 [details] [diff] [review]
Patch with revised comment

r=heikki

My only concern is that handleLinkClick would change behavior in cases where
event.button is not 0 or 1. Previously it would throw, now it wouldn't. To be
safe, I would add a default: case with the security check. It seems unlikey
this would be a security problem either way, but adding the check would take
the more paranoid approach.

Another thing: it seems like text to thro from urlSecurityCheck() is hardcoded
to English. If we ever display this anywhere, it should be obtained from a
properties file so it could be translated. Please file a new bug for this.

        Attachment #131999 -
        Flags: review?(hjtoi-bugzilla) → review+

    
    

    
  
The question is do we want to throw on a right click as the throw doesn't
actually stop the context menu from being displayed it just adds two messages to
the JS console? Does handleLinkClick need it's 3rd argument anymore as it is now
only called from one place and that argument is null from there?

    
    

    
  
Why does it spit JS errors but not stop execution?  Is there something silently
catching an exception which should not be?  Venkman's stop for exceptions/errors
would be useful here....

    
    

    
  
right-clicks and context menus are separate events, throwing from one won't stop
the other; IIRC context menus are summoned differently on each platform anyway:
Linux - right mouse down; Windows - right mouse up; Mac - hold left mouse down.

    
    

    
  


  
As requested output from Venkman that shows stops 4 times for the exceptions
when right clicking, in Windows XP, on a file:// link.

    
    

    
  
Comment on attachment 131999 [details] [diff] [review]
Patch with revised comment


>-    // Make sure we are allowed to open this URL
>-    urlSecurityCheck(href, document);
>+    // We ensure we can load |href| within the openNew* functions
> 
>     switch (event.button) {                                   
>       case 0:                                                         // if left button clicked
>         if (event.metaKey || event.ctrlKey) {                         // and meta or ctrl are down
>           if (openNewTabOrWindow(event, href, true))
>             return true;
>         } 
...

I was just about to land this and decided to have another look at the patch,
and found this:

240	    if (saveModifier) { 					  // if
saveModifier is down
241	      saveURL(href, linkNode ? gatherTextUnder(linkNode) : "");
242	      return true;
243	    }

which used to have a security check but does not any longer.  This would be
extremely bad to forego a security check on since a webpage can synthesize a
click MouseEvent, with the right event flags and would be then able to load any
page including chrome.

So review- from me.

        Attachment #131999 -
        Flags: review+ → review-

    
    

    
  


  

    
    

    
  
Comment on attachment 132160 [details] [diff] [review]
Patch v0.4c patch for 1.5 branch

This patch just fixes the bare minimum for the 1.5 branch

        Attachment #132160 -
        Flags: review?(caillon)

    
    

    
  
Comment on attachment 132160 [details] [diff] [review]
Patch v0.4c patch for 1.5 branch

I feel much better taking this for the branch.	r=caillon.

        Attachment #132160 -
        Flags: review?(caillon) → review+

    
    

    
  
Comment on attachment 132160 [details] [diff] [review]
Patch v0.4c patch for 1.5 branch

This patch removes the extra cruft and is just the simple, one-line fix of the
main problem.

        Attachment #132160 -
        Flags: approval1.5?

    
    

    
  
Comment on attachment 132160 [details] [diff] [review]
Patch v0.4c patch for 1.5 branch

sr=jst

        Attachment #132160 -
        Flags: superreview+

    
    

    
  
Comment on attachment 132160 [details] [diff] [review]
Patch v0.4c patch for 1.5 branch

a=asa (on behalf of drivers) for checkin to the 1.5 branch.

        Attachment #132160 -
        Flags: approval1.5? → approval1.5+

    
    

    
  
I checked attachment 132160 [details] [diff] [review] into the 1.5 branch so leaf can respin builds.

/be
Keywords: fixed1.5
QA Contact: ian → nobody

    
    

    
  
Reworking of onclick/listener has been spun off into bug 220303 and of multiple
calls to urlSecurityCheck into bug 220711.
Patch v0.4c has been checked into trunk.

    
    

    
  
It is on the trunk, but not on 1.4 branch, is it needed for that branch?


    
  

        Attachment #132160 -
        Flags: approval1.4.2?

    
  
Flags: blocking1.5?

    
    

    
  
Does this problem exist on the 1.4 branch?

    
    

    
  
Yes it does, this regression was caused by the checkin for bug 180377 on 15th
Nov 2002. Checked on BuildID 2003060405 1.4 and that definitely has the problem.

    
    

    
  
Comment on attachment 132160 [details] [diff] [review]
Patch v0.4c patch for 1.5 branch

a=mkaply for 1.4.2

        Attachment #132160 -
        Flags: approval1.4.2? → approval1.4.2+

    
    

    
  
Fix checked in to the 1.4 branch.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Keywords: fixed1.4.2
Resolution: --- → FIXED

    
  
Flags: blocking1.4.2?
Group: security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: