Closed Bug 303181 Opened 19 years ago Closed 19 years ago

urlSecurityCheck and getReferrer incorrectly use focusedWindow

Categories

(Toolkit Graveyard :: Security, defect)

Product:
Toolkit Graveyard
Component:
Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: jruderman)

References

(
URL
)

Details

(Keywords: csectype-spoof, fixed1.8, sec-low)

Attachments

(2 files, 5 obsolete files)

Testcase: Cmd+click the link in this demo to see a spoofed referrer. (Load from a local server because Bugzilla is https, and make sure "Allow scripts to raise and lower windows" is checked.)
268 bytes, text/html
Details
patch 6
35.63 KB, patch
Details | Diff | Splinter Review 
http://lxr.mozilla.org/mozilla/source/toolkit/content/contentAreaUtils.js#131

The focused window could easily be different than the one trying to load the
URL.  Perhaps urlSecurityCheck should take as a parameter the document trying to
do the load, or the URL / URI of that document.  Why does it take as a parameter
a XUL document?
Whiteboard: [sg:fix]
Product: Toolkit → Firefox
Group: security
Group: security
Product: Firefox → Toolkit
Product: Toolkit → Firefox
Group: security
Group: security
Product: Firefox → Toolkit
This is a Toolkit bug, but I'm putting it in the Firefox product for now due to
bug 303183.
Product: Toolkit → Firefox
Group: security
Product: Firefox → Toolkit
Back in the Toolkit product thanks to justdave in bug 303183 comment 1.
Searching contentAreaUtils for "focusedWindow" reveals that the focused window
(or frame?) is used for many other things, including figuring out what referrer
to send.  Scary.
URL: http://lxr.mozilla.org/mozilla/source...
Summary: Checking focusedWindow in urlSecurityCheck is sketchy → urlSecurityCheck and getReferrer incorrectly use focusedWindow
I'm thinking of changing openNewTabWith and openNewWindowWith to take a new
parameter, either |content.document| or a URL/URI to use for the referrer and
security checks.  I could use some help figuring out what this parameter should
be.  Requirements:

* The URL used for the referrer and security checks should be a "real URL".  If
a page has a javascript: URL, |content.document.location.href| is not a "real
URL", so doc.location.href isn't the right way to do this.

* Whatever I use as a parameter should survive navigating away from the page. 
If |content.document| evaporates when I navigate away from the page, that means
I have to extract the "real URL" early and pass that around instead of passing
|content.document| around.

Hopefully I'm not duplicating work happening in bug 293363.
Blocks: 284868
Blocks: 249747
Attached patch patch (obsolete) — Splinter Review 
This patch fixes bug 284868 and makes the testcase in this bug behave properly.
 I'd need answers to my questions in comment 5 to be sure that this patch fixes
the security hole completely.
Attached patch patch 2 (obsolete) — Splinter Review 
Addresses some comments Gavin made on IRC.
Attachment #191779 - Attachment is obsolete: true
It would be nice to have a fix for this bug in before beta because the fix might
break extensions.
Flags: blocking1.8b4?
Attachment #191538 - Attachment description: Testcase: Cmd+click the link in this demo to see a spoofed referrer → Testcase: Cmd+click the link in this demo to see a spoofed referrer. (Load from a local server because Bugzilla is https.)
Jesse is this patch ready to go?  If so let's set the review flags. 
the XPFE version has the same pattern. Need mconnor and neil looking at this. Is
this change going to break extensions? or is openNewTabWith() a purely internal
function?
(In reply to comment #10)
> the XPFE version has the same pattern. Need mconnor and neil looking at this. Is
> this change going to break extensions? or is openNewTabWith() a purely internal
> function?

openNewTabWith is used at the very least by ChatZilla, and I'd imagine by many
other extensions wanting to open tabs in the browser, so I'd guess that the risk
of breaking extensions is rather high.
I think that because we've changed URLs, extensions from 1.0.x that are using
this are already broken, and I don't really care about extensions being
backwards compat with the alphas.  We just need to announce this widely before beta.
Changing the package for contentAreaUtils.js may have broken extensions that are
explicitly including it, but has no affect on extensions overlayed into the
browser context.

If we have to back-port this to the aviary/1.7 branches then we care a lot more
about breaking extensions. A spoofed referrer isn't worth a branch re-spin, but
what bad things could you do by spoofing the urlSecurityCheck?
Attached patch patch 3 (obsolete) — Splinter Review 
Changes from previous patch:
* Pass document URLs around instead of documents.
* Resolve merge conflicts with bug 78510.
* Several small changes.
Attachment #191782 - Attachment is obsolete: true
Attachment #192358 - Flags: first-review?(mconnor)
Attached patch patch 4 (obsolete) — Splinter Review 

  

  



        Attachment #192358 -
        Attachment is obsolete: true

        Attachment #192359 -
        Flags: first-review?(mconnor)

    
  

        Attachment #192358 -
        Flags: first-review?(mconnor)

    
    

    
  
In order to bypass the security check a page would have to bypass the existing
security checking on frame focussing - for instance they can't focus about:

  

  



    
    

    
  
So the attacker would have to convince the user to tab into or click in the frame?

  

  



    
    

    
  
This attack only appears to affect context menus, as they introduce a delay in
between the click and the action in which the script can shift the focus.

  

  



    
  

        Attachment #191538 -
        Attachment description: Testcase: Cmd+click the link in this demo to see a spoofed referrer. (Load from a local server because Bugzilla is https.) → Testcase: Cmd+click the link in this demo to see a spoofed referrer. (Load from a local server because Bugzilla is https, and make sure "Allow scripts to raise and lower windows" is checked.)

    
    

    
  
The demo in comment 4 works for me with Cmd+clicking, so it's not just context
menus.  That demo uses the time between mousedown and mouseup to move focus.

  

  



    
    

    
  
I see it now; I'm just not used to clicking that slowly!

  

  



    
    

    
  
Blocking beta.  mconnor: your review goodness is craved.

  

  


Flags: blocking1.8b4? → blocking1.8b4+

    
    

    
  
Can someone file a version for xpfe as well?

  

  



    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch 5 (obsolete)
        — Splinter Review
      

    


  
Changes since last patch:
* Fix urlSecurityCheck calls for "View Image" so they don't break the feature.
* Add urlSecurityCheck calls to Save Link and Save Image.
* Add a few checks to setDesktopBackground (part of bug 302022).

  

  



        Attachment #192359 -
        Attachment is obsolete: true

        Attachment #192451 -
        Flags: first-review?(mconnor)

    
  

        Attachment #192359 -
        Flags: first-review?(mconnor)

    
  
Blocks: 302022

        Attachment #192451 -
        Flags: first-review?(mconnor)

        Attachment #192451 -
        Flags: first-review+

        Attachment #192451 -
        Flags: approval1.8b4+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch 6Splinter Review
      

    


  
Update to trunk, detab, and fix some of mconnor's nits.

  

  



        Attachment #192451 -
        Attachment is obsolete: true

    
    

    
  
cvs -d :ext:jruderman%hmc.edu@cvs.mozilla.org:/cvsroot commit
browser/base/content/browser.js toolkit/content/contentAreaUtils.js 

Checking in browser/base/content/browser.js;
/cvsroot/mozilla/browser/base/content/browser.js,v  <--  browser.js
new revision: 1.478; previous revision: 1.477
done

Checking in toolkit/content/contentAreaUtils.js;
/cvsroot/mozilla/toolkit/content/contentAreaUtils.js,v  <--  contentAreaUtils.js
new revision: 1.77; previous revision: 1.76
done

  

  


Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
  
Blocks: 226548

    
  
Depends on: 304418

    
    

    
  
This patch broke the "linky" extension by removing the getReferrer() function it
was using.

  

  



    
    

    
  
getReferrer() returned bogus results and could not be fixed given its API, so I
don't mind forcing extensions to change.

  

  


Flags: blocking-aviary1.0.8?
Flags: testcase+

    
    

    
  
Jesse, neil: do we need a Suite version of this patch as well?

  

  


Flags: blocking-aviary1.0.8? → blocking-aviary1.0.8+

    
    

    
  
(In reply to comment #28)
>do we need a Suite version of this patch as well?
It looks as if all versions of the Suite have this bug too, yes.

  

  


Flags: blocking-aviary1.0.8+ → blocking-aviary1.0.8-
Whiteboard: [sg:fix] → [sg:low spoof]
Group: security
Flags: in-testsuite+ → in-testsuite?
Keywords: fixed1.8

    
  
Keywords: csec-spoof, 
          
            sec-low
Whiteboard: [sg:low spoof]
Product: Toolkit → Toolkit Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: