Closed Bug 305565 Opened 19 years ago Closed 19 years ago

<object> can be used to determine whether some types of local files exist

Categories

(Core Graveyard :: Plug-ins, defect, P1)

Product:
Core Graveyard
Component:
Plug-ins
Version:
1.8 Branch
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta4

People

(Reporter: jruderman, Assigned: Biesinger)

References

Details

(Keywords: csectype-disclosure, fixed1.8, sec-low)

Attachments

(4 files, 2 obsolete files)

testcase (uses /tmp/f[1-3].rtf)
252 bytes, text/html
Details
patch v3
4.21 KB, patch
jst
: review+
bzbarsky
: superreview+
mtschrep
: approval1.8b4+
Details | Diff | Splinter Review
branch patch attempt (about to test on my windows box)
4.65 KB, patch
Details | Diff | Splinter Review
additional patch per comment 16 / comment 17
1.37 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
asa
: approval1.8b5+
Details | Diff | Splinter Review 
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050822
Firefox/1.0+

1. Create a file named f2.rtf on your desktop.

2. Load the following HTML file from an http(s) URL:
<p>f1.rtf - <object data="file:///Users/admin/Desktop/f1.rtf">f1</object></p>
<p>f2.rtf - <object data="file:///Users/admin/Desktop/f2.rtf">f2</object></p>
<p>f3.rtf - <object data="file:///Users/admin/Desktop/f3.rtf">f3</object></p>

Result: "Click here to download plugin" appears only for f2.rtf; the rest show
alternate content.  This demonstrates that a web page can determine whether the
file exists.  (It also means some types of DoS might be possible on some OSes.)

Note: there are some filetypes for which this does not work (.txt and .gif are two).
Flags: blocking1.8b4?
Whiteboard: [sg:fix]
so er, is there a checkLoadURI call missing somewhere?
Yes, or in the wrong place.  CheckLoadURI seems to be called if the extension is
.txt or .gif, regardless of whether the file exists.
nsObjectFrame never calls CheckLoadURI.  If the plugin code never does either
(and I bet it doesn't), then yes.
For known image or document types the call happens in nsImageLoadingContent and
nsFrameLoader respectively.

On trunk we should just fix this with biesi's changes, but on branch we need
more work.  :(
Flags: blocking1.8b4? → blocking1.8b4+
Biesi, can you own this?
Assignee: nobody → cbiesinger
OS: MacOS X → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8beta4

  

  



    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch (obsolete)
        — Splinter Review
      

    


  

  

  



        Attachment #194041 -
        Flags: superreview?(bzbarsky)

        Attachment #194041 -
        Flags: review?(jst)
Status: NEW → ASSIGNED

    
    

    
  
hmm, the calling code in nsObjectFrame already does a content policy check... I
should probably remove one, probably the one in ObjectFrame, any opinions?

  

  



    
    

    
  
> hmm, the calling code in nsObjectFrame already does a content policy check...

Should we just put the CheckLoadURI() call up there too?  Or are there other
ways to get into the plugin code than through nsObjectFrame?

  

  



    
    

    
  
no, the only caller of that is in the objectframe. pluginhost would be better in
the maybe unlikely case that another caller is ever added...

  

  



    
    

    
  
Hmm...  OK, fair enough.  Let's just put it all in pluginhost.

  

  



        Attachment #194041 -
        Attachment is obsolete: true

        Attachment #194041 -
        Flags: superreview?(bzbarsky)

        Attachment #194041 -
        Flags: review?(jst)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch v2 (obsolete)
        — Splinter Review
      

    


  
removes objectframe's contentpolicy code.

  

  



        Attachment #194203 -
        Flags: superreview?(bzbarsky)

        Attachment #194203 -
        Flags: review?(jst)

    
    

    
  
Comment on attachment 194203 [details] [diff] [review]
patch v2

>Index: modules/plugin/base/src/nsPluginHostImpl.cpp
>+    nsresult rv =
>+      NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_OBJECT,
>+                                aURL,
>+                                doc->GetDocumentURI(),
>+                                doc, // XXX this is not good

Indeed.  If we can't get to the content node from here, let's leave the content
policy check in nsObjectFrame for now (but move the security check in here)
file a bug to move the code down here once we can get to the node off the
owner?

  

  



    
    

    
  
Comment on attachment 194203 [details] [diff] [review]
patch v2

turns out we can get the DOM element, I just didn't notice the function

  

  



        Attachment #194203 -
        Attachment is obsolete: true

        Attachment #194203 -
        Flags: superreview?(bzbarsky)

        Attachment #194203 -
        Flags: review?(jst)

        Attachment #194203 -
        Flags: review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch v3Splinter Review
      

    


  

  

  



        Attachment #194525 -
        Flags: superreview?(bzbarsky)

        Attachment #194525 -
        Flags: review?(jst)

    
    

    
  
Comment on attachment 194525 [details] [diff] [review]
patch v3

I guess we can't get to the SHOW_ALT error code from here, eh?

  

  



        Attachment #194525 -
        Flags: superreview?(bzbarsky) → superreview+

    
    

    
  
hmm, actually, I could get to it... (I wrote the pluginhost changes w/o being
aware of the objectframe conpol check). the question is, would it work? I
suppose it should.

ok, I'll include nsContentErrors.h and return that error code.

  

  



    
    

    
  
Comment on attachment 194525 [details] [diff] [review]
patch v3

r=jst

  

  



        Attachment #194525 -
        Flags: review?(jst) → review+

    
    

    
  
Comment on attachment 194525 [details] [diff] [review]
patch v3

I think we want this security fix on the branch... it's quite safe.

  

  



        Attachment #194525 -
        Flags: approval1.8b4?

    
    

    
  
Comment on attachment 194525 [details] [diff] [review]
patch v3

Per bug traige meeting please land immediately on branch.

  

  



        Attachment #194525 -
        Flags: approval1.8b4? → approval1.8b4+

    
  
Flags: blocking1.8b4+

    
    

    
  


  

  

  



    
    

    
  
Fixed on trunk and 1.8 branch.

/be

  

  


Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED

    
    

    
  


  
thanks for landing this for me.

I think we want this additional patch at least on trunk, not sure about branch.

  

  



        Attachment #195135 -
        Flags: superreview?(bzbarsky)

        Attachment #195135 -
        Flags: review?(bzbarsky)

        Attachment #195135 -
        Flags: superreview?(bzbarsky)

        Attachment #195135 -
        Flags: superreview+

        Attachment #195135 -
        Flags: review?(bzbarsky)

        Attachment #195135 -
        Flags: review+

    
    

    
  
Checking in modules/plugin/base/src/nsPluginHostImpl.cpp;
/cvsroot/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp,v  <-- 
nsPluginHostImpl.cpp
new revision: 1.534; previous revision: 1.533
done


  

  



    
    

    
  
Comment on attachment 195135 [details] [diff] [review]
additional patch per comment 16 / comment 17

this additional patch improves the behaviour of <object>/<embed> when a content
policy implementation blocks the load; it's low risk.

  

  



        Attachment #195135 -
        Flags: approval1.8b5?

    
  

        Attachment #195135 -
        Flags: approval1.8b5? → approval1.8b5+

    
    

    
  
additional patch checked in to MOZILLA_1_8_BRANCH for 1.8b5.

Checking in modules/plugin/base/src/nsPluginHostImpl.cpp;
/cvsroot/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp,v  <-- 
nsPluginHostImpl.cpp
new revision: 1.532.2.3; previous revision: 1.532.2.2
done


  

  


Flags: testcase+

    
    

    
  
fyi, fails ff 1.0.8/winxp/20060221

  

  



    
    

    
  
(In reply to comment #1)
> so er, is there a checkLoadURI call missing somewhere?
> 

can it be done checkLoadURI to be put in a place where it can't be missed?

what is called and checkLoadURI is missed?

  

  



    
    

    
  
similar stuff in Bug 328454

  

  



    
    

    
  
> can it be done checkLoadURI to be put in a place where it can't be missed?

Not easily, unfortunately.  :(  I'd thought about putting it in newChannel or something (a new api that takes the principal too), but that would not really work because some of the newChannel callers do not in fact have the right principal around...  We might be able to fix that, but we'd need a lot of API changes to get it right.  :(

  

  


Group: security
Flags: in-testsuite+ → in-testsuite?

    
  
Keywords: csec-disclosure, 
          
            sec-low
Whiteboard: [sg:fix]

    
  
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: