Closed Bug 277564 Opened 20 years ago Closed 20 years ago

lock icon and certificates spoofable with "wyciwyg:"

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: u115577, Assigned: darin.moz)

References

Details

(Keywords: fixed-aviary1.0.1, fixed1.7.6, Whiteboard: [sg:fix]leave confidential until 278003 fixed)

Attachments

(5 files, 2 obsolete files)

Make sure the document is closed if it's stopped while document.writing
1.01 KB, patch
brendan
: review+
brendan
: superreview+
asa
: approval1.8a6+
Details | Diff | Splinter Review
Make document.open be sameOrigin to prevent another site from rewriting content
910 bytes, patch
Details | Diff | Splinter Review
Do the right thing for sub-requests that are wyciwyg requests
15.64 KB, patch
dveditz
: review+
brendan
: superreview+
dveditz
: approval-aviary1.0.1+
dveditz
: approval1.7.6+
asa
: approval1.8a6+
Details | Diff | Splinter Review
review comments delta
2.90 KB, patch
jst
: review+
dveditz
: superreview+
dveditz
: approval-aviary1.0.1+
dveditz
: approval1.7.6+
dveditz
: approval1.8b+
Details | Diff | Splinter Review
odd screenshot of test2-3.html
68.84 KB, image/jpeg
Details
(Related to Bug 262689) See the testcase 2 in Bug 277554. http://beta51.minutedesign.com/test2.html Steps to Reproduce: 1. Load test2.html 2. Click the link 3. Notice that the content appears to be secure, and the certificate from https://login.yahoo.com/ is shown See the source of testcase. Content is written by function rewrite(). Succeed: window.opener.document.open(); window.opener.stop(); window.opener.document.write(spoofing); Failed: window.opener.document.open(); window.opener.document.write(spoofing); window.opener.document.close(); To insure spoofing, you have to use "stop()" instead of "document.close()".
To verify the real URI, click on location bar and push Escape key. This should be "wyciwyg://*/http://beta51.minutedesign.com/test2.html".
This sounds similar to some Johnny recently fixed (but this is still in ff1.0 and moz1.7.5): bug 253121 and bug 262689 Also similar lock icon issues, Darin fixed bug 257308 and bug 268483.
Blocks: lockicon
Flags: blocking1.8b?
Flags: blocking1.8a6?
Flags: blocking-aviary1.1?
Whiteboard: [sg:fix]
Setting as a 1.8a6 blocker. Time is very short. Who can tackle this? Johnny?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8a6? → blocking1.8a6+
Better testcase http://beta51.minutedesign.com/test2-2.html In function rewrite(), "window.opener.document.URL" - Error: uncaught exception: Permission denied to get property HTMLDocument.URL "window.opener.document.open()" - No error. This should be denied.
(In reply to comment #4) > In function rewrite(), > "window.opener.document.URL" > - Error: uncaught exception: Permission denied to get property HTMLDocument.URL > "window.opener.document.open()" > - No error. This should be denied. Sorry, this comment may have nothing to do with this bug. This is for Bug 277554.
What happened here is that the document.open() call from the new temporary window that's opened here informed the secure browser UI about the new URI (wyciwyg:), but the following window.stop() call confused the secure browser UI code so that it never updated the security UI, so we're left showing the lock icon from the Yahoo page. One way to fix this might be to change the secure browser UI code to deal with this situation, but it made more sense to me to make the DOM code close() the document if we're stopped while we're writing into a document.
Attachment #170873 - Flags: superreview?(brendan)
Attachment #170873 - Flags: review?(dveditz)
Comment on attachment 170873 [details] [diff] [review] Make sure the document is closed if it's stopped while document.writing r+sr=brendan@mozilla.org, don't need dveditz on this one (but he's welcome to 2nd the patch). /be
Attachment #170873 - Flags: superreview?(brendan)
Attachment #170873 - Flags: superreview+
Attachment #170873 - Flags: review?(dveditz)
Attachment #170873 - Flags: review+
Comment on attachment 170873 [details] [diff] [review] Make sure the document is closed if it's stopped while document.writing a=asa (on behalf of drivers) for checkin to 1.8a6.
Attachment #170873 - Flags: approval1.8a6+
(In reply to comment #0) > Succeed: > window.opener.document.open(); > window.opener.stop(); > window.opener.document.write(spoofing); > > Failed: > window.opener.document.open(); > window.opener.document.write(spoofing); > window.opener.document.close(); > > To insure spoofing, you have to use "stop()" instead of "document.close()". If "stop()" doesn't exist, loading of document cannot stop. But certificate spoofing seems successful :-( http://beta51.minutedesign.com/test2-3.html
Argh, we need more than my initial fix. I've been looking at it, but no clean diff yet. More tomorrow.
Sorry for the trouble... (Learn from Bug 91403) Make document.open be sameOrigin to prevent another site from rewriting content. http://lxr.mozilla.org/mozilla/source/modules/libpref/src/init/all.js#260 - pref("capability.policy.default.HTMLDocument.close.get", "allAccess"); - pref("capability.policy.default.HTMLDocument.open.get", "allAccess"); ... can be solved the problem?
Oops. See Bug 91043.
correct diff option
Attachment #170951 - Attachment is obsolete: true
It amazes me that this is needed, but I can't see how this code would work w/o a change like this. The secure browser UI code depends on nsIWebProgressListener notifications to keep the security state in sync with reality, but there's nothing that fires those events when we do document.write() since we never get any data off the network, and that's what drives the nsIWebProgressListener notifications. This patch fixes this problem by making sure that we update the security state in the one nsIWebProgressListener notification that we do get (OnLocationChange()) when we do document.open() etc, and I had to tweak some code in nsDocShell to make sure the request is passed to OnLocationChange() when we do document.open() etc.
Comment on attachment 170955 [details] [diff] [review] Make sure we update the security state when doing document.open()/write()... r/sr=me for 1.8a6, but i think we should find a better solution to this bug in the long-term. i'd rather leverage the existing onStateChange-based mechanism for passing info to the SecureBrowserUI. i believe we should be able to solve this bug alternatively by simulating a onStateChange(STATE_TRANSFERRING) event somehow.
Attachment #170955 - Flags: review+
Looks good to me too, ?=dveditz We should get this for 1.7.6 and any ff1.0.x
Flags: blocking1.7.6?
> this bug alternatively by simulating a onStateChange(STATE_TRANSFERRING) > event somehow. OK, I did some more investigation, and it seems to me that it would require a STATE_STOP event in addition to the STATE_TRANSFERRING event. The SecureBrowserUI unfortunately waits for STATE_STOP before updating the lock icon. That seems a little bit troubling to me. Instead, it should update the lock icon on the first STATE_TRANSFERRING event. Otherwise, I fear that other mechanisms besides wyciwyg could be used to trigger the same spoof. Investigating that possibility now.
It probably waits for STATE_STOP so it doesn't show a lock icon on a page and then switch to broken lock if near the end some random insecure content is loaded...
This fixes a problem caught by sicking where loading a secure wyciwyg request into a subframe would mark the whole window secure even if it isn't. This adds more of the existing logic in OnStateChange() into OnLocationChange() to take care of that.
Attachment #170973 - Flags: superreview?(brendan)
Attachment #170973 - Flags: review?(bugmail)
Attachment #170955 - Attachment is obsolete: true
Attachment #170955 - Flags: review+
Comment on attachment 170973 [details] [diff] [review] Do the right thing for sub-requests that are wyciwyg requests sr=me if sicking likes it. One nit: the big then clause with one-line else clause for "if (channel) {" in nsSecureBrowserUIImpl::EvaluateAndUpdateSecurityState would be clearer if you inverted the sense, testing 'if (!channel)' -- that shows the + mNewToplevelSecurityState = nsIWebProgressListener::STATE_IS_INSECURE; path taken in the absence of a channel more clearly. /be
Attachment #170973 - Flags: superreview?(brendan) → superreview+
Comment on attachment 170973 [details] [diff] [review] Do the right thing for sub-requests that are wyciwyg requests r=dveditz
Attachment #170973 - Flags: review?(bugmail) → review+
Comment on attachment 170973 [details] [diff] [review] Do the right thing for sub-requests that are wyciwyg requests a=asa
Attachment #170973 - Flags: approval1.8a6+
Comment on attachment 170973 [details] [diff] [review] Do the right thing for sub-requests that are wyciwyg requests In nsSecureBrowserUIImpl::OnLocationChange >+ if (isWyciwyg) { >+ nsCOMPtr<nsIDOMWindow> windowForProgress; >+ aWebProgress->GetDOMWindow(getter_AddRefs(windowForProgress)); >+ >+ if (windowForProgress.get() == mWindow.get()) { >+ // For toplevel wyciwyg channels, upate the security state right >+ // away. >+ return EvaluateAndUpdateSecurityState(aRequest); >+ } >+ >+ // For wyciwyg channels in subdocuments we only update our >+ // subrequest state members. >+ UpdateSecurityState(aRequest); This call should be to UpdateSubrequestMembers. Other then that r=me And I agree with brendans comment, no biggie though.
Oh, and I think darins suggestion sounds like a better solution, though the word 'simulating' sounds a bit scary to me. The codepath in OnStateChange should have gotten it's fair share of testing so the more we can rely on it rather then writing new code, the better.
as for that STATE_STOP, bug 258048 is about changing that, it seems
OK, so as I feared, this bug can be reproduced without using document.open (i.e., it is not particular to wyciwyg). See bug 278003 for details.
Whiteboard: [sg:fix] → [sg:fix]leave confidential until 278003 fixed
Please keep this bug confidential until bug 278003 is fixed at least. Thanks!
Blocks: sg-ff101
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b) Gecko/20050114 Firefox/1.0+ The patch (attachment 170973 [details] [diff] [review]) seems to cause a crash of browser when you try testcases.
Flags: blocking1.8b?
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.1?
+ for 1.0.1
Flags: blocking-aviary1.0.1? → blocking-aviary1.0.1+
Need this for 1.7.6 too. Plussing.
Flags: blocking1.7.6? → blocking1.7.6+
Darin, should this fix be ported to the branches, or does a fix for bug 278003 supersede it?
Assignee: dveditz → darin
Comment on attachment 170973 [details] [diff] [review] Do the right thing for sub-requests that are wyciwyg requests I think we want this patch on the aviary 1.0.1 and moz 1.7 branches. The patch for bug 258048 applies on top of this patch, and should be taken for those branches as well.
Attachment #170973 - Flags: approval1.7.6?
Attachment #170973 - Flags: approval-aviary1.0.1?
Comment on attachment 170973 [details] [diff] [review] Do the right thing for sub-requests that are wyciwyg requests a=dveditz for the 1.0.1 and 1.7 branches
Attachment #170973 - Flags: approval1.7.6?
Attachment #170973 - Flags: approval1.7.6+
Attachment #170973 - Flags: approval-aviary1.0.1?
Attachment #170973 - Flags: approval-aviary1.0.1+
fixed1.7.6, fixed-aviary1.0.1 marking this bug FIXED
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: fixed-aviary1.0.1, fixed1.7.6
Resolution: --- → FIXED
jst: please verify that these are the correct deltas based on brendan and sicking's review comments. I applied these to attachment 170973 [details] [diff] [review].
Attachment #174112 - Flags: review?(jst)
Comment on attachment 174112 [details] [diff] [review] review comments delta Looks right to me.
Attachment #174112 - Flags: review?(jst) → review+
Comment on attachment 174112 [details] [diff] [review] review comments delta sr=dveditz a=dveditz for branches, required to go with the other patch
Attachment #174112 - Flags: superreview+
Attachment #174112 - Flags: approval1.8b+
Attachment #174112 - Flags: approval1.7.6+
Attachment #174112 - Flags: approval-aviary1.0.1+
Verified Fixed. Aviary 1.0.1 Branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20050217 Firefox/1.0 M18b1/Trunk: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050217 M176 Branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050217
Status: RESOLVED → VERIFIED
Group: security
I'm using Mozilla 1.7.6 on Windows. I tried http://beta51.minutedesign.com/test2-3.html. After I clicked the link, "Welcome to Yahoo" showed, and finally I got the screenshot. The url showed http://beta51.minutedesign.com/test2-3.html, but bottom-right lock icon appeared, any way the page info showed the connection was not encrypted.
WFM on 1.7.7 windows. Have any extensions or customized settings?
(In reply to comment #41) > WFM on 1.7.7 windows. Have any extensions or customized settings? No, it happens on fresh install Mozilla 1.7.7 windows, too. Maybe it depends on network, proxy and cpu speed. Sometimes WFM on Solaris. Here's the steps 1. go to test2-3.html. Click "Sign In - Yahoo!" 2. A dialog warns you're requesting an encrypted page. Click OK. 3. Lock icon appears. A dialog warns you're leaving an encrypted page. Click OK. 4. Unlock icon appears. Yahoo loads in the window. A dialog warns you're requesting an encrypted page. Click OK. 5. Lock icon appears. Click the lock icon, it says "Conntection Not Encrypted" like the screenshot. (BUG) 6. Enter "http"//www.google.com". A dialog warns you're leaving an encrypted page. (BUG)
not secure content in 1.4. so no patch needed for 1.4
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: