Closed
Bug 304690
Opened 19 years ago
Closed 18 years ago
Stand-alone applications can do cross-domain scripting through Firefox
Categories
(Core :: DOM: Navigation, defect)
Core
DOM: Navigation
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha5
People
(Reporter: mikx, Assigned: bzbarsky)
Details
(Keywords: fixed1.8.0.12, verified1.8.1.4, Whiteboard: [sg:fix])
Attachments
(3 files, 4 obsolete files)
|
19.76 KB,
application/octet-stream
|
Details | |
|
1.28 KB,
patch
|
dveditz
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
|
1.21 KB,
patch
|
dveditz
:
review+
jst
:
superreview+
dveditz
:
approval1.8.1.4+
dveditz
:
approval1.8.0.12+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6 As far as i understand the fix for bug #298255 it was intendet to stop the ability to load chrome urls from external applications and to clear the context of javascript calls to about:blank. Tested with Firefox 1.0.6 and it works as expected: can not load chrome and javascript urls don't have access to document.cookie (although a javascript:alert(document.cookie) gives the current domain as title of the alert dialog instead of "javascript application" or "about:blank"). But by calling a data: url it is still possible to do cross-domain scripting. Is this expected behavior in 1.0.6 or was this overlooked? Reproducible: Always
|
Reporter | |
Comment 1•19 years ago
|
||
|
|
Reporter | |
Comment 2•19 years ago
|
||
|
||
Updated•19 years ago
|
Flags: blocking1.8b4?
Whiteboard: [sg:fix]
|
||
Updated•19 years ago
|
Assignee: nobody → mconnor
|
|
||
Updated•19 years ago
|
Flags: blocking1.8b4? → blocking1.8b4+
|
|
||
Comment 3•19 years ago
|
||
Mac OS X 10.4.2 QuickTime Version 7.0.1, Player Version 7.0.1 (7.0.1) Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050816 Firefox/1.0+ Clicking the "Clicking here" in the .mov file doesn't seem to have any effect on Firefox. I'm guessing this testcase was made for Windows, so I'll test on Windows later.
|
||
Comment 4•19 years ago
|
||
XP SP2 and QT 6.5.2 here, and I get nothing. I do get the alert(1) in the first testcase, but that's just an onclick for the element. What combination of OS/QT is vulnerable to this?
|
|
Reporter | |
Comment 5•19 years ago
|
||
Sorry, the first testcase was missing a file. Uploaded a new one as a complete zip (should contain three files). This is proven to work with QT 6.5.1 on Windows XP pro SP2 with latest patches and Firefox 1.0.6 as default browser. It uses a documented QT feature - so it should also work on OSX.
Attachment #192723 -
Attachment is obsolete: true
Attachment #192724 -
Attachment is obsolete: true
|
|
||
Comment 6•19 years ago
|
||
I tried the new testcase on Windows XP. QuickTime tried to open the data: URL in IE7 even though Firefox is my default browser, so I wasn't really able to test the exploit. I have QuickTime 7.0.2a63.
|
|
Reporter | |
Comment 7•19 years ago
|
||
Tested with latest production release of QT (6.5.2) and Firefox 1.0.6 on WinXP SP1 with IE6, WinXP SP2 with IE7 and on Vista Beta 1 (IE7). All working. The upgrade to the QT 7 preview failed on Vista (probably because of 64bit) and i can't upgrade the XP machines right now. Jesse, can you try to downgrade to QT 6.5.2?
|
|
||
Comment 9•19 years ago
|
||
I figured out how to reproduce this bug using Start->Run. I think that for this exploit to work, the option for "Open links from other applications in" must be "the most recent tab/window". "C:\moz\firefox 0818 branch\firefox.exe" "chrome://browser/content/browser.xul" * Does nothing if Firefox is already loaded. * If Firefox is not already loaded, incorrectly loads browser.xul into the content area. (#1) Navigate to http://www.google.com/ and then: "C:\moz\firefox 0818 branch\firefox.exe" "javascript:alert(document.cookie)" * Does not show the cookie. * The title bar is blank when the dialog appears. * Shows above content from www.google.com. (#2) * Incorrectly shows "www.google.com" in the title of the dialog. (#3) * The back button doesn't do what I'd expect. (#4) Navigate to http://www.google.com/ and then: "C:\moz\firefox 0818 branch\firefox.exe" "data:text/html,<script>alert(document.cookie)</script>" * Shows the cookie. (#5 - this bug)
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
||
Comment 10•19 years ago
|
||
I filed bug 305269 for #1. Of the remaining issues, I don't know how many of them are the same bug.
|
|
||
Comment 11•19 years ago
|
||
I can reproduce on Mac using the following AppleScript script: tell application "DeerPark" activate Get URL "data:text/html,<script>alert(document.cookie)</script>" end tell
|
|
||
Comment 13•19 years ago
|
||
Why is the CreateAboutBlankContentViewer() call at http://lxr.mozilla.org/mozilla/source/docshell/base/nsDocShell.cpp#6203 not preventing data: URLs from looking at the previous page's cookies? (jst/caillon?)
|
|
||
Comment 14•19 years ago
|
||
-> dveditz, since he's probably the best person to answer comment 13 here, and to fix this.
Assignee: mconnor → dveditz
|
||
Comment 15•19 years ago
|
||
we'd like to get a fix before the rc.
Flags: blocking1.8b5+ → blocking1.8b5-
|
||
Comment 16•18 years ago
|
||
This is slightly less of a problem now that we've removed the Firefox UI for "in the same tab/window" option, but it would be good to answer the question in comment 13 - I've verified that we are reaching that block of code, but the external data: URI load is still able to get at the previously loaded page's cookies. Is CreateAboutBlankContentViewer(nsnull) not meant to prevent that?
|
Assignee | |
Comment 17•18 years ago
|
||
The problem is that this block:
// Get an owner from the current document if necessary. Note that we only
// do this for URIs that inherit a security context; in particular we do
...
comes way before we create the blank content viewer.
Is there ever a case when LOAD_NORMAL_EXTERNAL is the load type _and_ we have a window target? If not, I would say we should do the LOAD_NORMAL_EXTERNAL check a lot earlier: before we do the window retargeting.
Alternately, we could reset the owner in the LOAD_NORMAL_EXTERNAL block if we inherited it.... that might be easiest.|
|
Assignee | |
Comment 18•18 years ago
|
||
Does this work? If so, I'll request module owner reviews etc....
Attachment #261998 -
Flags: review?(gavin.sharp)
|
|
||
Comment 19•18 years ago
|
||
Comment on attachment 261998 [details] [diff] [review] Trunk fix Yeah, this fixes it for me.
Attachment #261998 -
Flags: review?(gavin.sharp) → review+
|
|
Assignee | |
Updated•18 years ago
|
Assignee: dveditz → nobody
Component: General → Embedding: Docshell
Product: Firefox → Core
QA Contact: general → docshell
Target Milestone: --- → mozilla1.9alpha4
Version: unspecified → Trunk
|
|
Assignee | |
Comment 20•18 years ago
|
||
Assignee: nobody → bzbarsky
Attachment #261998 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #262305 -
Flags: superreview?(jst)
Attachment #262305 -
Flags: review?(dveditz)
|
|
Assignee | |
Comment 21•18 years ago
|
||
Attachment #262312 -
Flags: superreview?(jst)
Attachment #262312 -
Flags: review?(dveditz)
|
||
Comment 22•18 years ago
|
||
Comment on attachment 262305 [details] [diff] [review] Better trunk fix r=dveditz
Attachment #262305 -
Flags: review?(dveditz) → review+
|
|
||
Comment 23•18 years ago
|
||
Comment on attachment 262312 [details] [diff] [review] Branch fix >+ if (aLoadType == LOAD_NORMAL_EXTERNAL [...] Shouldn't this be != like the trunk patch and comment?
|
|
Assignee | |
Comment 24•18 years ago
|
||
> Shouldn't this be != like the trunk patch and comment?
Yes, it should...
Attachment #262312 -
Attachment is obsolete: true
Attachment #262601 -
Flags: superreview?(jst)
Attachment #262601 -
Flags: review?(dveditz)
Attachment #262312 -
Flags: superreview?(jst)
Attachment #262312 -
Flags: review?(dveditz)
|
|
||
Comment 25•18 years ago
|
||
Comment on attachment 262601 [details] [diff] [review] Correct branch fix r=dveditz
Attachment #262601 -
Flags: review?(dveditz) → review+
|
||
Updated•18 years ago
|
Attachment #262305 -
Flags: superreview?(jst) → superreview+
|
|
||
Updated•18 years ago
|
Attachment #262601 -
Flags: superreview?(jst) → superreview+
|
|
Assignee | |
Comment 26•18 years ago
|
||
Fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: mozilla1.9alpha4 → mozilla1.9alpha5
|
|
Assignee | |
Comment 27•18 years ago
|
||
Comment on attachment 262601 [details] [diff] [review] Correct branch fix If it's not too late, we might want this for the next branch releases. I'm pretty confident that this is a safe patch... If we're worried that it'll break something odd, then let's do it in 1.8.0.13/1.8.1.5
Attachment #262601 -
Flags: approval1.8.1.4?
Attachment #262601 -
Flags: approval1.8.0.12?
|
|
||
Comment 28•18 years ago
|
||
Comment on attachment 262601 [details] [diff] [review] Correct branch fix approved for 1.8.0.12 and 1.8.1.4, a=dveditz Would love to have this safe fix.
Attachment #262601 -
Flags: approval1.8.1.4?
Attachment #262601 -
Flags: approval1.8.1.4+
Attachment #262601 -
Flags: approval1.8.0.12?
Attachment #262601 -
Flags: approval1.8.0.12+
|
|
||
Updated•18 years ago
|
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
|
||
Comment 30•18 years ago
|
||
v.fixed on 1.8 branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4 (Jesse's AppleScript testcase passes for me, I just see the JavaScript Application alert)
Keywords: fixed1.8.1.4 → verified1.8.1.4
|
|
||
Updated•18 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•