[FIX]XBL load missing content policy check (Thunderbird not blocking remote content)

RESOLVED FIXED in mozilla1.8beta2

Status

Product: Core
Component: XBL
Priority: P1
Severity: normal
Status: RESOLVED FIXED
Reported: 12 years ago
Modified: 10 years ago

People

(Reporter: moz_bug_r_a4, Assigned: bz)

Tracking

({fixed-aviary1.0.5, fixed1.7.9, privacy})

Version: 1.7 Branch
Target Milestone: mozilla1.8beta2
Platform: x86
OS: Windows XP
Keywords: fixed-aviary1.0.5, fixed1.7.9, privacy
Points:
---
Bug Flags:
blocking-aviary1.0.5 +
blocking-aviary1.5 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:fix] have patch)

Attachments

(3 attachments)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Thunderbird/1.0.2

Thunderbird doesn't block remote XBL, even though "Block loading of remote
images" setting is true.


Reproducible: Always

Steps to Reproduce:
create the following HTML mail, and receive it, and open it.

<body>
<p>If the remote XBL is loaded, a red box appears below.</p>
<p style="-moz-binding:url(http://members.tripod.com/cv6y-mlr8-9hh/ixdc-5tn2/test.xml#x);"></p>
</body>


-----
http://members.tripod.com/cv6y-mlr8-9hh/ixdc-5tn2/test.xml is:

<?xml version="1.0"?>

<bindings xmlns="http://www.mozilla.org/xbl"
          xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">

  <binding id="x">
    <content>
      <xul:label value="This is the remote XBL content."
style="background-color: #f00;"/>
    </content>
  </binding>

</bindings>

Actual Results:  
The remote XBL is loaded.


Expected Results:  
The remote XBL is blocked.
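The testcase above shows why a remote-content blocker that only inspects images misses style-driven loads. The following added example (not code from the bug or from Mozilla) parses an HTML mail and enumerates every remote fetch it would trigger, separating image loads from -moz-binding XBL loads, so the gap between an image-only policy and a policy applied to all load kinds is visible on a constructed sample that embeds the bug's own testcase URL.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the bug's HTML testcase plus a remote tracking image
# (placeholder host) and a local cid: image for contrast.
SAMPLE_MAIL = """<body>
<p>If the remote XBL is loaded, a red box appears below.</p>
<p style="-moz-binding:url(http://members.tripod.com/cv6y-mlr8-9hh/ixdc-5tn2/test.xml#x);"></p>
<img src="http://tracker.example/pixel.gif">
<img src="cid:part1.local">
</body>"""

REMOTE_SCHEMES = {"http", "https", "ftp"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)


def _css_decls(style):
    """Yield (property, value) pairs from an inline style attribute."""
    for decl in style.split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            yield prop.strip().lower(), val.strip()


class RemoteLoadFinder(HTMLParser):
    """Collect every remote load an HTML mail would trigger, tagged by kind."""

    def __init__(self):
        super().__init__()
        self.loads = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self._add("image", attrs["src"])
        for prop, val in _css_decls(attrs.get("style", "")):
            for url in CSS_URL.findall(val):
                # -moz-binding pulls a remote XBL document; other url() values
                # (background images etc.) are ordinary style loads.
                self._add("xbl" if prop == "-moz-binding" else "style", url)

    def _add(self, kind, url):
        if urlparse(url).scheme.lower() in REMOTE_SCHEMES:
            self.loads.append((kind, url))


def remote_loads(html):
    parser = RemoteLoadFinder()
    parser.feed(html)
    return parser.loads


def images_only_policy(html):
    """What a blocker that only checks image loads would catch."""
    return [u for k, u in remote_loads(html) if k == "image"]


def all_loads_policy(html):
    """A content policy consulted for every load kind, XBL included."""
    return [u for _, u in remote_loads(html)]
```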
This means XBL loads aren't being checked with any content policies, more of a
core issue (e.g. Adblock wouldn't work against these either). In addition to the
scripting exploit covered in your other bug this lets XBL function as a web-bug
or return-receipt.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4+
Keywords: privacy
Whiteboard: [sg:fix]
So I can add a content-policy check in XBL.  Probably should.  But thunderbird
allows RSS to load anything it feels like, so that wouldn't help that much here;
just have to use the RSS feed as an attack vector instead of using an email.
Created attachment 183171 [details] [diff] [review]
Add content policy check to XBL

This is compiled; not really tested, because I'm not sure how to test it...
(In reply to comment #2)
> So I can add a content-policy check in XBL.  Probably should.  But thunderbird
> allows RSS to load anything it feels like, so that wouldn't help that much here;
> just have to use the RSS feed as an attack vector instead of using an email.

Not if the attack is determination of valid email addresses by sending email and
waiting for "confirmation".
True.  ;)  The posted patch should help with that, I think.

Comment 6

12 years ago
I've been able to verify that Boris's patch does work for Thunderbird.
Thunderbird's content policy manager is now getting invoked and we are blocking
the remote xbl. I now get a warning at the top of the message saying that
thunderbird has blocked the remote content.
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL

Note that I used the element we're trying to bind to as the context for the
content policy check.  I think that makes more sense than anything else I could
use here...
Attachment #183171 - Flags: superreview?(jst)
Attachment #183171 - Flags: review?(jst)
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL

r+sr=jst
Attachment #183171 - Flags: superreview?(jst)
Attachment #183171 - Flags: superreview+
Attachment #183171 - Flags: review?(jst)
Attachment #183171 - Flags: review+
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL

Requesting 1.0.4 approval, 1.8b2 approval, 1.7.x approval... which I can't,
since this isn't in Core.  :(
Attachment #183171 - Flags: approval-aviary1.0.4?
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL

Approving for trunk; please try to keep the checkin comment somewhat cryptic
(e.g., don't mention thunderbird).
Attachment #183171 - Flags: approval-aviary1.1a1+
-->Core
Assignee: dveditz → bzbarsky
Component: Security → XBL
Flags: review+
Product: Thunderbird → Core
Summary: Thunderbird doesn't block remote XBL, even though "Block loading of remote images" setting is true. → XBL load missing content policy check (Thunderbird not blocking remote content)
Version: unspecified → 1.7 Branch
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL

Requesting 1.7 approval too.  I've landed this on trunk.
Attachment #183171 - Flags: approval1.7.8?
Priority: -- → P1
Summary: XBL load missing content policy check (Thunderbird not blocking remote content) → [FIX]XBL load missing content policy check (Thunderbird not blocking remote content)
Target Milestone: --- → mozilla1.8beta2
That change may break builds with adblock installed... see bug 293778.  Need to
sort out whether it does, and if so why.  Does anyone have an adblock-mangled
debug build?
Depends on: 293778
So for branch we'll also want to take the one-liner for bug 293778 (it's a
one-line modification to this patch, basically).

Marking this fixed, since it's fixed on trunk....
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Attachment #183171 - Flags: approval-aviary1.0.4? → approval-aviary1.0.5?
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL

Approving for stable branches. a=shaver.
Attachment #183171 - Flags: approval1.7.8?
Attachment #183171 - Flags: approval1.7.8+
Attachment #183171 - Flags: approval-aviary1.0.5?
Attachment #183171 - Flags: approval-aviary1.0.5+
Comment on attachment 183171 [details] [diff] [review]
Add content policy check to XBL

This should probably get the aContent -> document fix from that other bug too,
before landing on the branches, right?
Yes.  That still needs reviews and stuff, though, so I'll hold off on landing on
branches till it gets that.
Created attachment 183556 [details] [diff] [review]
1.7 branch fix
Created attachment 183558 [details] [diff] [review]
Aviary branch fix... Gotta love forkage
Yeah, I'm glad you caught that the content policy API is completely different
between the two branches (PRBool vs nsresult).  I've hit that a number of times...
Fixed on both branches.

Code inspection makes me think that this should work fine for Seamonkey 1.7.9
mailnews, but we should test to make sure once we spin the builds of course.
Keywords: fixed-aviary1.0.5, fixed1.7.9
I filed bug 294307 on the issues in the 1.7 mailnews content policy that make
this fix not helpful in 1.7 mailnews.

Updated

12 years ago
Whiteboard: [sg:fix] → [sg:fix] have patch

Comment 23

12 years ago
v.fixed on aviary with version 1.0.5 (20050706) using the testcase in comment #0.
Adding distributors
Security advisories published
Group: security

Updated

11 years ago
Flags: testcase+

Updated

10 years ago
Flags: in-testsuite+ → in-testsuite?