Open
Bug 278176
Opened 20 years ago
Updated 2 years ago
Remote server hits reading mail possible using news: (gopher no longer a problem)
Categories
(Thunderbird :: Security, defect)
Thunderbird
Security
Tracking
(Not tracked)
NEW
Thunderbird2.0
People
(Reporter: dveditz, Unassigned)
References
Details
(4 keywords, Whiteboard: [sg:nse][privacy][needs retest][thunderbird only])
Attachments
(1 file)
|
4.15 KB,
patch
|
Bienvenu
:
superreview+
|
Details | Diff | Splinter Review |
Spun off to address bug 28327 comment 307 (307!!). Sub-document loads are finally blocked, but the code in nsMsgContentPolicy.cpp kicks in only for http, https and ftp loads. Server hits are still possible using other protocols like gopher: (found in the wild) and news:. In practice external protocol handlers like gopher: will now bring up a confirmation dialog so for the most part those will be safe since a user could cancel them (the dialog might be turned off, per protocol, by a few users). news:, however, is internally supported so that could still be used. The code should be turned around to whitelist only the expected and safe mail protocols, check settings for http/https, and everything else should be blocked as ftp is. News:, ftp: and other protocols should still be allowed for explicit link clicks. I think that's not a problem, but since news: is an exposed protocol I'm not sure if the same content-limiting logic will kick in.
|
Reporter | |
Updated•20 years ago
|
Flags: blocking-aviary1.1?
|
|
Reporter | |
Updated•20 years ago
|
Whiteboard: [sg:fix]
|
|
Reporter | |
Updated•20 years ago
|
|
||
Updated•20 years ago
|
Flags: blocking-aviary1.1? → blocking-aviary1.1+
|
|
Reporter | |
Updated•20 years ago
|
Flags: blocking-aviary1.0.1?
|
||
Updated•20 years ago
|
Flags: blocking-aviary1.0.1? → blocking-aviary1.0.1+
|
|
||
Comment 1•20 years ago
|
||
darin, do we need a new and more broadly applicable solution or can we do something similar for more protocols.
|
||
Comment 2•20 years ago
|
||
Dan, when we tested this a while ago, all that happened was an external url dialog came up if you tried to do: <img src="gopher://....> when you read the message so there still wasn't a privacy issue unless you clicked ok on that dialog. Its unclear to me if this privacy issue (which I claim isn't a full privacy issue because that dialog comes up even though that's not intended) should be part of the security respin of 1.0? I'd like to make this a 1.1 blocker if possible....
|
|
Reporter | |
Comment 3•20 years ago
|
||
The gopher dialog *is* intended, to get the user's permission before running external protocol handlers. Some small fraction of users who actually use gopher may turn off the dialog, but most people would be immune as noted in comment 0. My main concern is the news: protocol. That's internal to Thunderbird and would not trigger the confirmation dialog.
|
||
Updated•20 years ago
|
Whiteboard: [sg:fix] → [sg:fix] thunderbird only
|
|
||
Comment 4•20 years ago
|
||
This doesn't fix the news URL case yet, but it fixes problems with non exposed url schemes like gopher, ftp, etc. Here's the new policy: 1) If the requestion location is chrome, resource or about allow all loads For everything else: 2) If the content location being loaded is an exposed protocol (imap, news, pop3, addrbook, mailbox, etc.) OR if content location is a chrome URL (like messageBody.css), then allow the load. For everything else: 3) If the content location is http or https, then fall into the exiting show remote content policy code to determine what to do. Otherwise, it gets denied. Now when I view a message that has something like: <img src="gopher://foobar.com">, I don't get the "Launch External Protocol" dialog when I view the message. Still haven't figured out how to modify the new policy to handle news yet. Hopefully this won't break too much for odd things like imap parts on demand, downloading the rest of a pop3 message, etc. :)
|
|
||
Updated•20 years ago
|
Attachment #175596 -
Flags: superreview?(bienvenu)
|
||
Updated•20 years ago
|
Attachment #175596 -
Flags: superreview?(bienvenu) → superreview+
|
|
||
Comment 5•20 years ago
|
||
ok this patch has been checked into the trunk for testing before we talk about it for 1.0.1. I will leave this bug open since this doesn't address the news case yet. I'm still not sure what to do for that case yet.
|
|
||
Comment 6•20 years ago
|
||
so far this patch has tested out ok on the trunk so I just checked it into the 1.0.1 branch. That leaves ust deciding what to do about the news issue before putting a fork in this bug.
|
|
||
Comment 7•20 years ago
|
||
I tested this by creating a new message and inserting an image src like: <img src="http://mozilla.org/mozilla.gif"> Then storing this file in a local folder. Find that folder in your profile and edit the file for the folder. Now change the src url to something like: <img src="gopher://foo.com"> Save the file and run thunderbird 1.0. click on the message. You should see a dialog about launching a gopher URL. Run it again using 1.0.1. You should not see the dialog anymore. We completely ignore the gopher url. Note: you have to fix the URL by hand in the mail folder because we won't allow a user to send a message that uses an external protocol like gopher as an img src URL.
|
|
||
Updated•20 years ago
|
Keywords: fixed1.0.1 → fixed-aviary1.0.1
|
||
Comment 8•20 years ago
|
||
this works as described in comment 7. verified fixed using 2005030802-1.0.1 tbird bits on mac os x 10.3.8.
|
||
Comment 9•20 years ago
|
||
looks good on windows 2005-03-09-09-aviary1.0.1
|
|
Reporter | |
Updated•20 years ago
|
Keywords: fixed-aviary1.0.1 → fixed-aviary1.0.2
|
|
||
Comment 10•20 years ago
|
||
this has been ported to the AVIARY_1_0_20040515_BRANCH. This does not mean that it was actually fixed in the 1.0 release of course.
Keywords: fixed-aviary1.0
|
|
||
Comment 11•20 years ago
|
||
Is this still a problem on the trunk? If not, can you unset the blocking1.1+ flag? Thanks.
|
||
Updated•19 years ago
|
Flags: blocking-aviary1.5+
|
|
||
Comment 12•19 years ago
|
||
moving the remaining issue for this to 2.0
Target Milestone: Thunderbird1.1 → Thunderbird2.0
|
|
Reporter | |
Updated•19 years ago
|
Summary: Remote server hits reading mail possible using news:, gopher:, etc → Remote server hits reading mail possible using news: (gopher no longer a problem)
Whiteboard: [sg:fix] thunderbird only → [sg:nse] privacy, thunderbird only
|
||
Comment 13•19 years ago
|
||
Comment on attachment 175596 [details] [diff] [review] improved content policy manager for loads >+ // if aContentLocation is a protocol we handle (imap, pop3, mailbox, etc) or is a chrome url, then allowe the load please spell 'allow' correctly...
|
||
Comment 14•16 years ago
|
||
I'm not sure if I'm the best person to ask nor if this is a good question to ask, but is this bug still an issue with Shredder trunk nightlies?
|
||
Comment 15•16 years ago
|
||
Unless some other bug has changed that code, I assume it would be. The way to test would be to post an HTML news message with an <img> tag that points to something on a webserver, and then try and read that message and see if the image shows up without any sort of prompting.
|
|
||
Comment 16•13 years ago
|
||
Mark, do you think this is still an issue?
|
||
Comment 17•13 years ago
|
||
I've just done some testing with this url in the src of an img: news://news.bu.edu:119/SAb5r.107247%242a.73043%40en-nntp-14.dc1.easynews.com?group=alt.binaries.birds&key=36067&part=1.2&type=image/jpeg&filename=tern.JPG The image loaded for local email, and for saved email, so I believe this is still an issue.
|
|
Reporter | |
Updated•11 years ago
|
Group: core-security
|
||
Updated•6 years ago
|
Component: General → Security
Keywords: qawanted
Whiteboard: [sg:nse] privacy, thunderbird only → [sg:nse][privacy][needs retest][thunderbird only]
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•