Closed Bug 303181 Opened 20 years ago Closed 20 years ago

urlSecurityCheck and getReferrer incorrectly use focusedWindow

Categories

(Toolkit Graveyard :: Security, defect)

Product:
Toolkit Graveyard
Component:
Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: jruderman)

References

(
URL
)

Details

(Keywords: csectype-spoof, fixed1.8, sec-low)

Attachments

(2 files, 5 obsolete files)

Testcase: Cmd+click the link in this demo to see a spoofed referrer. (Load from a local server because Bugzilla is https, and make sure "Allow scripts to raise and lower windows" is checked.)
268 bytes, text/html
Details
patch 6
35.63 KB, patch
Details | Diff | Splinter Review
http://lxr.mozilla.org/mozilla/source/toolkit/content/contentAreaUtils.js#131 The focused window could easily be different than the one trying to load the URL. Perhaps urlSecurityCheck should take as a parameter the document trying to do the load, or the URL / URI of that document. Why does it take as a parameter a XUL document?
Whiteboard: [sg:fix]
Product: Toolkit → Firefox
Group: security
Group: security
Product: Firefox → Toolkit
Product: Toolkit → Firefox
Group: security
Group: security
Product: Firefox → Toolkit
This is a Toolkit bug, but I'm putting it in the Firefox product for now due to bug 303183.
Product: Toolkit → Firefox
Group: security
Product: Firefox → Toolkit
Back in the Toolkit product thanks to justdave in bug 303183 comment 1.
Searching contentAreaUtils for "focusedWindow" reveals that the focused window (or frame?) is used for many other things, including figuring out what referrer to send. Scary.
URL: http://lxr.mozilla.org/mozilla/source...
Summary: Checking focusedWindow in urlSecurityCheck is sketchy → urlSecurityCheck and getReferrer incorrectly use focusedWindow
I'm thinking of changing openNewTabWith and openNewWindowWith to take a new parameter, either |content.document| or a URL/URI to use for the referrer and security checks. I could use some help figuring out what this parameter should be. Requirements: * The URL used for the referrer and security checks should be a "real URL". If a page has a javascript: URL, |content.document.location.href| is not a "real URL", so doc.location.href isn't the right way to do this. * Whatever I use as a parameter should survive navigating away from the page. If |content.document| evaporates when I navigate away from the page, that means I have to extract the "real URL" early and pass that around instead of passing |content.document| around. Hopefully I'm not duplicating work happening in bug 293363.
Blocks: 284868
Blocks: 249747
Attached patch patch (obsolete) — Splinter Review
This patch fixes bug 284868 and makes the testcase in this bug behave properly. I'd need answers to my questions in comment 5 to be sure that this patch fixes the security hole completely.
Attached patch patch 2 (obsolete) — Splinter Review
Addresses some comments Gavin made on IRC.
Attachment #191779 - Attachment is obsolete: true
It would be nice to have a fix for this bug in before beta because the fix might break extensions.
Flags: blocking1.8b4?
Attachment #191538 - Attachment description: Testcase: Cmd+click the link in this demo to see a spoofed referrer → Testcase: Cmd+click the link in this demo to see a spoofed referrer. (Load from a local server because Bugzilla is https.)
Jesse is this patch ready to go? If so let's set the review flags.
the XPFE version has the same pattern. Need mconnor and neil looking at this. Is this change going to break extensions? or is openNewTabWith() a purely internal function?
(In reply to comment #10) > the XPFE version has the same pattern. Need mconnor and neil looking at this. Is > this change going to break extensions? or is openNewTabWith() a purely internal > function? openNewTabWith is used at the very least by ChatZilla, and I'd imagine by many other extensions wanting to open tabs in the browser, so I'd guess that the risk of breaking extensions is rather high.
I think that because we've changed URLs, extensions from 1.0.x that are using this are already broken, and I don't really care about extensions being backwards compat with the alphas. We just need to announce this widely before beta.
Changing the package for contentAreaUtils.js may have broken extensions that are explicitly including it, but has no affect on extensions overlayed into the browser context. If we have to back-port this to the aviary/1.7 branches then we care a lot more about breaking extensions. A spoofed referrer isn't worth a branch re-spin, but what bad things could you do by spoofing the urlSecurityCheck?
Attached patch patch 3 (obsolete) — Splinter Review
Changes from previous patch: * Pass document URLs around instead of documents. * Resolve merge conflicts with bug 78510. * Several small changes.
Attachment #191782 - Attachment is obsolete: true
Attachment #192358 - Flags: first-review?(mconnor)
Attached patch patch 4 (obsolete) — Splinter Review
Attachment #192358 - Attachment is obsolete: true
Attachment #192359 - Flags: first-review?(mconnor)
Attachment #192358 - Flags: first-review?(mconnor)
In order to bypass the security check a page would have to bypass the existing security checking on frame focussing - for instance they can't focus about:
So the attacker would have to convince the user to tab into or click in the frame?
This attack only appears to affect context menus, as they introduce a delay in between the click and the action in which the script can shift the focus.
Attachment #191538 - Attachment description: Testcase: Cmd+click the link in this demo to see a spoofed referrer. (Load from a local server because Bugzilla is https.) → Testcase: Cmd+click the link in this demo to see a spoofed referrer. (Load from a local server because Bugzilla is https, and make sure "Allow scripts to raise and lower windows" is checked.)
The demo in comment 4 works for me with Cmd+clicking, so it's not just context menus. That demo uses the time between mousedown and mouseup to move focus.
I see it now; I'm just not used to clicking that slowly!
Blocking beta. mconnor: your review goodness is craved.
Flags: blocking1.8b4? → blocking1.8b4+
Can someone file a version for xpfe as well?
Attached patch patch 5 (obsolete) — Splinter Review
Changes since last patch: * Fix urlSecurityCheck calls for "View Image" so they don't break the feature. * Add urlSecurityCheck calls to Save Link and Save Image. * Add a few checks to setDesktopBackground (part of bug 302022).
Attachment #192359 - Attachment is obsolete: true
Attachment #192451 - Flags: first-review?(mconnor)
Attachment #192359 - Flags: first-review?(mconnor)
Blocks: 302022
Attachment #192451 - Flags: first-review?(mconnor)
Attachment #192451 - Flags: first-review+
Attachment #192451 - Flags: approval1.8b4+
Attached patch patch 6Splinter Review
Update to trunk, detab, and fix some of mconnor's nits.
Attachment #192451 - Attachment is obsolete: true
cvs -d :ext:jruderman%hmc.edu@cvs.mozilla.org:/cvsroot commit browser/base/content/browser.js toolkit/content/contentAreaUtils.js Checking in browser/base/content/browser.js; /cvsroot/mozilla/browser/base/content/browser.js,v <-- browser.js new revision: 1.478; previous revision: 1.477 done Checking in toolkit/content/contentAreaUtils.js; /cvsroot/mozilla/toolkit/content/contentAreaUtils.js,v <-- contentAreaUtils.js new revision: 1.77; previous revision: 1.76 done
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Blocks: 226548
Depends on: 304418
This patch broke the "linky" extension by removing the getReferrer() function it was using.
getReferrer() returned bogus results and could not be fixed given its API, so I don't mind forcing extensions to change.
Flags: blocking-aviary1.0.8?
Flags: testcase+
Jesse, neil: do we need a Suite version of this patch as well?
Flags: blocking-aviary1.0.8? → blocking-aviary1.0.8+
(In reply to comment #28) >do we need a Suite version of this patch as well? It looks as if all versions of the Suite have this bug too, yes.
Flags: blocking-aviary1.0.8+ → blocking-aviary1.0.8-
Whiteboard: [sg:fix] → [sg:low spoof]
Group: security
Flags: in-testsuite+ → in-testsuite?
Keywords: fixed1.8
Keywords: csec-spoof, sec-low
Whiteboard: [sg:low spoof]
Product: Toolkit → Toolkit Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: