Bug 292589: [FIX]XBL load missing content policy check (Thunderbird not blocking remote content)
Opened 20 years ago, closed 20 years ago
Status: RESOLVED FIXED
Categories: Core :: XBL, defect, P1
Target Milestone: mozilla1.8beta2
People: Reporter: moz_bug_r_a4, Assigned: bzbarsky
Details: Keywords: fixed-aviary1.0.5, fixed1.7.9, privacy; Whiteboard: [sg:fix] have patch
Attachments (3 files):
2.11 KB, patch | jst: superreview+ | shaver: approval-aviary1.0.5+ | dbaron: approval-aviary1.1a1+ | shaver: approval1.7.8+
1.60 KB, patch
2.13 KB, patch
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Thunderbird/1.0.2
Thunderbird doesn't block remote XBL, even though "Block loading of remote
images" setting is true.
Reproducible: Always
Steps to Reproduce:
create the following HTML mail, and receive it, and open it.
<body>
<p>If the remote XBL is loaded, a red box appears below.</p>
<p
style="-moz-binding:url(http://members.tripod.com/cv6y-mlr8-9hh/ixdc-5tn2/test.xml#x);"></p>
</body>
-----
http://members.tripod.com/cv6y-mlr8-9hh/ixdc-5tn2/test.xml is:
<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl"
xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<binding id="x">
<content>
<xul:label value="This is the remote XBL content."
style="background-color: #f00;"/>
</content>
</binding>
</bindings>
Actual Results:
The remote XBL is loaded.
Expected Results:
The remote XBL is blocked.
Comment 1 • 20 years ago
This means XBL loads aren't being checked with any content policies, more of a
core issue (e.g. Adblock wouldn't work against these either). In addition to the
scripting exploit covered in your other bug this lets XBL function as a web-bug
or return-receipt.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Keywords: privacy
Whiteboard: [sg:fix]
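An added example (not part of the bug report or Mozilla's code): a mail-filter-side check that lists every remote load an HTML message body requests, covering CSS url() values such as -moz-binding as well as src-style attributes. The names URL_ATTRS, RemoteLoadScanner and remote_loads, the attribute list and the sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of attributes that fetch a URL on render.
URL_ATTRS = {"src", "background", "poster", "data"}
# "property: ... url(...)" pairs in an inline style, e.g. -moz-binding:url(...)
CSS_URL = re.compile(r"([\w-]+)\s*:[^;]*?url\(\s*['\"]?([^'\")\s]+)", re.I)
REMOTE_SCHEMES = {"http", "https", "ftp"}


def is_remote(url):
    """True when fetching the URL would contact a network host."""
    url = url.strip()
    return url.startswith("//") or urlsplit(url).scheme.lower() in REMOTE_SCHEMES


class RemoteLoadScanner(HTMLParser):
    """Collects (tag, attribute-or-CSS-property, url) for each remote load."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in URL_ATTRS and is_remote(value):
                self.findings.append((tag, name, value))
            elif name == "style":
                for prop, url in CSS_URL.findall(value):
                    if is_remote(url):
                        self.findings.append((tag, prop.lower(), url))


def remote_loads(html):
    """Every remote load the markup requests, whatever mechanism asks for it."""
    scanner = RemoteLoadScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the report's markup shape with a placeholder host.
SAMPLE = ('<body><p\nstyle="-moz-binding:url(http://example.invalid/test.xml#x);">'
          '</p><img src="cid:logo@local"><img src="http://example.invalid/a.png"></body>')

if __name__ == "__main__":
    print(remote_loads(SAMPLE))
```

A filter that only inspects img elements would report the second finding and miss the binding URL, which is the same gap the report describes in the client.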
Comment 2 • 20 years ago (Assignee)
So I can add a content-policy check in XBL. Probably should. But thunderbird
allows RSS to load anything it feels like, so that wouldn't help that much here;
just have to use the RSS feed as an attack vector instead of using an email.
Comment 3 • 20 years ago (Assignee)
This is compiled; not really tested, because I'm not sure how to test it...
(In reply to comment #2)
> So I can add a content-policy check in XBL. Probably should. But thunderbird
> allows RSS to load anything it feels like, so that wouldn't help that much here;
> just have to use the RSS feed as an attack vector instead of using an email.
Not if the attack is determination of valid email addresses by sending email and
waiting for "confirmation".
Comment 5 • 20 years ago (Assignee)
True. ;) The posted patch should help with that, I think.
Comment 6 • 20 years ago
I've been able to verify that Boris's patch does work for Thunderbird.
Thunderbird's content policy manager is now getting invoked and we are blocking
the remote xbl. I now get a warning at the top of the message saying that
thunderbird has blocked the remote content.
Comment 7 • 20 years ago (Assignee)
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL
Note that I used the element we're trying to bound to as the context for the
content policy check. I think that makes more sense than anything else I could
use here...
Attachment #183171 - Flags: superreview?(jst)
Attachment #183171 - Flags: review?(jst)
Comment 8 • 20 years ago
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL
r+sr=jst
Attachment #183171 - Flags: superreview?(jst)
Attachment #183171 - Flags: superreview+
Attachment #183171 - Flags: review?(jst)
Attachment #183171 - Flags: review+
Comment 9 • 20 years ago (Assignee)
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL
Requesting 1.0.4 approval, 1.8b2 approval, 1.7.x approval... which I can't,
since this isn't in Core. :(
Attachment #183171 - Flags: approval-aviary1.0.4?
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL
Approving for trunk; please try to keep the checkin comment somewhat cryptic
(e.g., don't mention thunderbird).
Attachment #183171 - Flags: approval-aviary1.1a1+
Comment 11 • 20 years ago
-->Core
Assignee: dveditz → bzbarsky
Component: Security → XBL
Flags: review+
Product: Thunderbird → Core
Summary: Thunderbird doesn't block remote XBL, even though "Block loading of remote images" setting is true. → XBL load missing content policy check (Thunderbird not blocking remote content)
Version: unspecified → 1.7 Branch
Comment 12 • 20 years ago (Assignee)
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL
Requesting 1.7 approval too. I've landed this on trunk.
Attachment #183171 - Flags: approval1.7.8?
Updated • 20 years ago (Assignee)
Priority: -- → P1
Summary: XBL load missing content policy check (Thunderbird not blocking remote content) → [FIX]XBL load missing content policy check (Thunderbird not blocking remote content)
Target Milestone: --- → mozilla1.8beta2
Comment 13 • 20 years ago (Assignee)
That change may break builds with adblock installed... see bug 293778. Need to
sort out whether it does, and if so why. Does anyone have an adblock-mangled
debug build?
Depends on: 293778
Comment 14 • 20 years ago (Assignee)
So for branch we'll also want to take the one-liner for bug 293778 (it's a
one-line modification to this patch, basically).
Marking this fixed, since it's fixed on trunk....
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Updated • 20 years ago (Assignee)
Attachment #183171 - Flags: approval-aviary1.0.4? → approval-aviary1.0.5?
Comment 15 • 20 years ago
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL
Approving for stable branches. a=shaver.
Attachment #183171 - Flags: approval1.7.8?
Attachment #183171 - Flags: approval1.7.8+
Attachment #183171 - Flags: approval-aviary1.0.5?
Attachment #183171 - Flags: approval-aviary1.0.5+
Comment 16 • 20 years ago
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL
This should probably get the aContent -> document fix from that other bug too,
before landing on the branches, right?
Comment 17 • 20 years ago (Assignee)
Yes. That still needs reviews and stuff, though, so I'll hold off on landing on
branches till it gets that.
Comment 18 • 20 years ago (Assignee)
Comment 19 • 20 years ago (Assignee)
Yeah, I'm glad you caught that the content policy API is completely different
between the two branches (PRBool vs nsresult). I've hit that a number of times...
Comment 21 • 20 years ago (Assignee)
Fixed on both branches.
Code inspection makes me think that this should work fine for Seamonkey 1.7.9
mailnews, but we should test to make sure once we spin the builds of course.
Keywords: fixed-aviary1.0.5, fixed1.7.9
Comment 22 • 20 years ago (Assignee)
I filed bug 294307 on the issues in the 1.7 mailnews content policy that make
this fix not helpful in 1.7 mailnews.
Updated • 20 years ago
Whiteboard: [sg:fix] → [sg:fix] have patch
Comment 23 • 19 years ago
v.fixed on aviary with version 1.0.5 (20050706) using the testcase in comment #0.
Comment 24 • 19 years ago
Adding distributors
Updated • 19 years ago
Flags: testcase+
Updated • 18 years ago
Flags: in-testsuite+ → in-testsuite?