Closed Bug 292589 Opened 20 years ago Closed 20 years ago

[FIX]XBL load missing content policy check (Thunderbird not blocking remote content)

Categories

(Core :: XBL, defect, P1)

1.7 Branch
x86
Windows XP
defect

Tracking

()

RESOLVED FIXED
mozilla1.8beta2

People

(Reporter: moz_bug_r_a4, Assigned: bzbarsky)

References

Details

(Keywords: fixed-aviary1.0.5, fixed1.7.9, privacy, Whiteboard: [sg:fix] have patch)

Attachments

(3 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Thunderbird/1.0.2 Thunderbird doesn't block remote XBL, even though "Block loading of remote images" setting is true. Reproducible: Always Steps to Reproduce: create the following HTML mail, and receive it, and open it. <body> <p>If the remote XBL is loaded, a red box appears below.</p> <p style="-moz-binding:url(http://members.tripod.com/cv6y-mlr8-9hh/ixdc-5tn2/test.xml#x);"></p> </body> ----- http://members.tripod.com/cv6y-mlr8-9hh/ixdc-5tn2/test.xml is: <?xml version="1.0"?> <bindings xmlns="http://www.mozilla.org/xbl" xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"> <binding id="x"> <content> <xul:label value="This is the remote XBL content." style="background-color: #f00;"/> </content> </binding> </bindings> Actual Results: The remote XBL is loaded. Expected Results: The remote XBL is blocked.
This means XBL loads aren't being checked with any content policies, more of a core issue (e.g. Adblock wouldn't work against these either). In addition to the scripting exploit covered in your other bug this lets XBL function as a web-bug or return-receipt.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Keywords: privacy
Whiteboard: [sg:fix]
So I can add a content-policy check in XBL. Probably should. But thunderbird allows RSS to load anything it feels like, so that wouldn't help that much here; just have to use the RSS feed as an attack vector instead of using an email.
This is compiled; not really tested, because I'm not sure how to test it...
(In reply to comment #2) > So I can add a content-policy check in XBL. Probably should. But thunderbird > allows RSS to load anything it feels like, so that wouldn't help that much here; > just have to use the RSS feed as an attack vector instead of using an email. Not if the attack is determination of valid email addresses by sending email and waiting for "confirmation".
True. ;) The posted patch should help with that, I think.
I've been able to verify that Boris's patch does work for Thunderbird. Thunderbird's cotent policy manager is now getting invoked and we are blocking the remote xbl. I now get a warning at the top of the message saying that thunderbird has blocked the remote content.
Comment on attachment 183171 [details] [diff] [review] Add content policy check to XBL Note that I used the element we're trying to bound to as the context for the content policy check. I think that makes more sense than anything else I could use here...
Attachment #183171 - Flags: superreview?(jst)
Attachment #183171 - Flags: review?(jst)
Comment on attachment 183171 [details] [diff] [review] Add content policy check to XBL r+sr=jst
Attachment #183171 - Flags: superreview?(jst)
Attachment #183171 - Flags: superreview+
Attachment #183171 - Flags: review?(jst)
Attachment #183171 - Flags: review+
Comment on attachment 183171 [details] [diff] [review] Add content policy check to XBL Requesting 1.0.4 approval, 1.8b2 approval, 1.7.x approval... which I can't, since this isn't in Core. :(
Attachment #183171 - Flags: approval-aviary1.0.4?
Comment on attachment 183171 [details] [diff] [review] Add content policy check to XBL Approving for trunk; please try to keep the checkin comment somewhat cryptic (e.g., don't mention thunderbird).
Attachment #183171 - Flags: approval-aviary1.1a1+
-->Core
Assignee: dveditz → bzbarsky
Component: Security → XBL
Flags: review+
Product: Thunderbird → Core
Summary: Thunderbird doesn't block remote XBL, even though "Block loading of remote images" setting is true. → XBL load missing content policy check (Thunderbird not blocking remote content)
Version: unspecified → 1.7 Branch
Comment on attachment 183171 [details] [diff] [review] Add content policy check to XBL Requesting 1.7 approval too. I've landed this on trunk.
Attachment #183171 - Flags: approval1.7.8?
Priority: -- → P1
Summary: XBL load missing content policy check (Thunderbird not blocking remote content) → [FIX]XBL load missing content policy check (Thunderbird not blocking remote content)
Target Milestone: --- → mozilla1.8beta2
That change may break builds with adblock installed... see bug 293778. Need to sort out whether it does, and if so why. Does anyone have an adblock-mangled debug build?
Depends on: 293778
So for branch we'll also want to take the one-liner for bug 293778 (it's a one-line modification to this patch, basically). Marking this fixed, since it's fixed on trunk....
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Attachment #183171 - Flags: approval-aviary1.0.4? → approval-aviary1.0.5?
Comment on attachment 183171 [details] [diff] [review] Add content policy check to XBL Approving for stable branches. a=shaver.
Attachment #183171 - Flags: approval1.7.8?
Attachment #183171 - Flags: approval1.7.8+
Attachment #183171 - Flags: approval-aviary1.0.5?
Attachment #183171 - Flags: approval-aviary1.0.5+
Comment on attachment 183171 [details] [diff] [review] Add content policy check to XBL This should probably get the aContent -> document fix from that other bug too, before landing on the branches, right?
Yes. That still needs reviews and stuff, though, so I'll hold off on landing on branches till it gets that.
Attached patch 1.7 branch fixSplinter Review
Yeah, I'm glad you caught that the content policy API is completely different between the two branches (PRBool vs nsresult). I've hit that a number of times...
Fixed on both branches. Code inspection makes me think that this should work fine for Seamonkey 1.7.9 mailnews, but we should test to make sure once we spin the builds of course.
I filed bug 294307 on the issues in the 1.7 mailnews content policy that make this fix not helpful in 1.7 mailnews.
Whiteboard: [sg:fix] → [sg:fix] have patch
v.fixed on aviary with version 1.0.5 (20050706) using the testcase in comment #0.
Adding distributors
Security advisories published
Group: security
Flags: testcase+
Flags: in-testsuite+ → in-testsuite?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: