Closed Bug 301069 Opened 19 years ago Closed 19 years ago

Bug 298934 (Dialog Origin Spoofing) not fixed on Mac

Categories

(Core :: Security, defect, P2)

PowerPC
macOS
defect

Tracking

()

RESOLVED FIXED
mozilla1.8beta4

People

(Reporter: tkh212+bugzilla, Assigned: asaf)

Details

(Whiteboard: [sg:spoof])

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050716 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050716 Firefox/1.0+

Bug 298934 addresses SA15489, Dialog Origin Spoofing.  However, the fix from
that bug doesn't apply to Mac OS X, because sheets don't have a visible title or
title bar on that platform (so it doesn't display the source URL anywhere).  I
will attach a screenshot.

One possible way to fix this would be to include the URL after the dialog text,
in brackets, or some other formatting to make it distinct from the dialog text.

I verified this in Firefox 1.0.5 and the 2005-07-16 trunk build.  If possible,
this should probably be fixed in the upcoming 1.0.6, since it's already been
fixed on all other platforms...

Reproducible: Always
Attached image Screenshot of dialog
Here is a screenshot showing the problem (lack of the originating URL in the
dialog).
Since the spoofing vulnerability was announced as fixed in Firefox 1.0.5, but
wasn't on the Mac, this should probably be fixed in 1.0.6.  Nominating.
Flags: blocking-aviary1.0.6?
There is a visual difference, though perhaps not one a user would consciously
notice. In a real prompt from the target page the sheet would show at the top.
In the spoof the sheet is attached to a tiny titlebar floating mid-page.

No need for the security flag since the original secunia announcement is public.
Assignee: dveditz → joshmoz
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:fix]
I think that FF should be changed to not use sheets for these dialogs. The
window title should be visible.
I disagree. I think that we *should* be using sheets (tab-modal sheets, but
that's another bug), but we should put the site name in the content of the sheet
itself.
Per 1.0.6 meeting, minusing for aviary1.0.6, nominating for aviary1.0.7.
Flags: blocking-aviary1.0.7?
Flags: blocking-aviary1.0.6?
Flags: blocking-aviary1.0.6-
Assignee: joshmoz → bugs.mano
Flags: blocking1.8b4?
Priority: -- → P2
Target Milestone: --- → mozilla1.8beta4
(In reply to comment #5)
> I disagree. I think that we *should* be using sheets (tab-modal sheets, but
> that's another bug), but we should put the site name in the content of the sheet
> itself.

Indeed, Mac ordinary dialogs expose the dialog header inside the dialog and keep
the titlebar empty. See: http://tinyurl.com/bdozq
Status: NEW → ASSIGNED
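The approach argued for in the comments above, showing the originating site in the sheet's content when no title bar is visible, as an added example that is not code from the attached patch or from Firefox. The names `originLabel` and `buildDialog` and the sample URLs are hypothetical.

```javascript
// Hypothetical helper names; not code from Firefox's commonDialog.js.

// Derive the label shown to the user from the URL the browser loaded,
// never from text the page supplies.
function originLabel(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return "(unknown origin)";
  }
  // url.host drops any "user:pass@" prefix, so a URL such as
  // http://bank.example@other.example/ is labelled other.example.
  if (!url.host) return url.protocol; // e.g. "about:" or "data:" pages
  return url.protocol + "//" + url.host;
}

// Build what the dialog renders. When the platform hides the title
// (a Mac OS X sheet), the origin moves into the dialog body as a
// separate header field so it cannot be confused with page text.
function buildDialog(pageUrl, pageText, titleVisible) {
  const origin = originLabel(pageUrl);
  return {
    title: titleVisible ? origin : "",
    header: titleVisible ? "" : origin,
    body: String(pageText),
  };
}
```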
Attached patch Expose dialog titles - v1
Attachment #190312 - Flags: review?(joshmoz)
Comment on attachment 190312
Expose dialog titles - v1

-+  content/global/commonDialog.js	       (commonDialog.js)
-+  content/global/commonDialog.xul	       (commonDialog.xul)
+*+  content/global/commonDialog.js		(commonDialog.js)
+*+  content/global/commonDialog.xul		(commonDialog.xul)
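Review bot: the replacement jar.mn entries put a `*` in front of `+` for commonDialog.js and commonDialog.xul, which turns on preprocessing for both files, but nothing in the hunk says why. Say in the patch description what in these files now needs preprocessing, and keep the original whitespace before `(commonDialog.js)` and `(commonDialog.xul)`, which here changes from a tab plus spaces to two tabs.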

Fix the spacing issue you introduced there, r=josh
Attachment #190312 - Flags: review?(joshmoz) → review+
Attachment #190312 - Flags: superreview?(mconnor)
Attachment #190312 - Flags: approval1.8b4?
Attachment #190312 - Flags: approval-aviary1.0.7?
Attachment #190312 - Flags: superreview?(mconnor) → review?(mconnor)
Blocks: deermac
Flags: blocking1.8b4? → blocking1.8b4+
Attachment #190312 - Flags: review?(mconnor)
Attachment #190312 - Flags: review+
Attachment #190312 - Flags: approval1.8b4?
Attachment #190312 - Flags: approval1.8b4+
Please file a separate bug for the suite, thanks.

Checking in toolkit/content/commonDialog.js;
/cvsroot/mozilla/toolkit/content/commonDialog.js,v  <--  commonDialog.js
new revision: 1.9; previous revision: 1.8
done
Checking in toolkit/content/commonDialog.xul;
/cvsroot/mozilla/toolkit/content/commonDialog.xul,v  <--  commonDialog.xul
new revision: 1.6; previous revision: 1.5
done
Checking in toolkit/content/jar.mn;
/cvsroot/mozilla/toolkit/content/jar.mn,v  <--  jar.mn
new revision: 1.17; previous revision: 1.16
done
Checking in toolkit/themes/pinstripe/global/formatting.css;
/cvsroot/mozilla/toolkit/themes/pinstripe/global/formatting.css,v  <--  formatting.css
new revision: 1.5; previous revision: 1.4
done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
I think the way it looks with this fix is somewhat ugly...the body text doesn't
look right in its non-bold form, and the URL may as well be in a title bar!  I
still think it would look better at the bottom instead of the top...the actual
message text should be bold, as before, and the URL/dialog title should be the
plain text, at the bottom instead of the top.  IMO, this would be more visually
appealing...
Flags: blocking-aviary1.0.7?
Attachment #190312 - Flags: approval-aviary1.0.7?
Flags: blocking-aviary1.0.7?
Flags: blocking-aviary1.0.6-
Attachment #190312 - Flags: approval-aviary1.0.7?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Whiteboard: [sg:fix] → [sg:spoof]
Comment on attachment 190312
Expose dialog titles - v1

a=dveditz for drivers
Attachment #190312 - Flags: approval-aviary1.0.8? → approval-aviary1.0.8+
Attachment #190312 - Flags: approval1.7.13+
Daniel, this patch does not affect the mozilla suite portion, see comment 10.
fixed-aviary1.0.8:
Checking in toolkit/content/commonDialog.js;
/cvsroot/mozilla/toolkit/content/commonDialog.js,v  <--  commonDialog.js
new revision: 1.1.28.1.2.3; previous revision: 1.1.28.1.2.2
done
Checking in toolkit/content/commonDialog.xul;
/cvsroot/mozilla/toolkit/content/commonDialog.xul,v  <--  commonDialog.xul
new revision: 1.1.42.1; previous revision: 1.1
done
Checking in toolkit/content/jar.mn;
/cvsroot/mozilla/toolkit/content/jar.mn,v  <--  jar.mn
new revision: 1.6.8.5.2.1; previous revision: 1.6.8.5
done
Checking in toolkit/themes/pinstripe/global/formatting.css;
/cvsroot/mozilla/toolkit/themes/pinstripe/global/formatting.css,v  <--  formatting.css
new revision: 1.1.2.1.2.1; previous revision: 1.1.2.1
done
Flags: blocking1.7.13+
Attachment #190312 - Flags: approval1.7.13+
Verified using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060215 Firefox/1.0.8. Using the test case on the secunia site, the dialog titles look fine. Adding keyword.
Depends on: sa15489
Blocks: 334893