Closed Bug 305565 Opened 19 years ago Closed 19 years ago

<object> can be used to determine whether some types of local files exist

Categories

(Core Graveyard :: Plug-ins, defect, P1)

Product:
Core Graveyard
Component:
Plug-ins
Version:
1.8 Branch
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta4

People

(Reporter: jruderman, Assigned: Biesinger)

References

Details

(Keywords: csectype-disclosure, fixed1.8, sec-low)

Attachments

(4 files, 2 obsolete files)

testcase (uses /tmp/f[1-3].rtf)
252 bytes, text/html
Details
patch v3
4.21 KB, patch
jst
: review+
bzbarsky
: superreview+
mtschrep
: approval1.8b4+
Details | Diff | Splinter Review
branch patch attempt (about to test on my windows box)
4.65 KB, patch
Details | Diff | Splinter Review
additional patch per comment 16 / comment 17
1.37 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
asa
: approval1.8b5+
Details | Diff | Splinter Review
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050822 Firefox/1.0+ 1. Create a file named f2.rtf on your desktop. 2. Load the following HTML file from an http(s) URL: <p>f1.rtf - <object data="file:///Users/admin/Desktop/f1.rtf">f1</object></p> <p>f2.rtf - <object data="file:///Users/admin/Desktop/f2.rtf">f2</object></p> <p>f3.rtf - <object data="file:///Users/admin/Desktop/f3.rtf">f3</object></p> Result: "Click here to download plugin" appears only for f2.rtf; the rest show alternate content. This demonstrates that a web page can determine whether the file exists. (It also means some types of DoS might be possible on some OSes.) Note: there are some filetypes for which this does not work (.txt and .gif are two).
Flags: blocking1.8b4?
Whiteboard: [sg:fix]
so er, is there a checkLoadURI call missing somewhere?
Yes, or in the wrong place. CheckLoadURI seems to be called if the extension is .txt or .gif, regardless of whether the file exists.
nsObjectFrame never calls CheckLoadURI. If the plugin code never does either (and I bet it doesn't), then yes.
For known image or document types the call happens in nsImageLoadingContent and nsFrameLoader respectively. On trunk we should just fix this with biesi's changes, but on branch we need more work. :(
Flags: blocking1.8b4? → blocking1.8b4+
Biesi, can you own this?
Assignee: nobody → cbiesinger
OS: MacOS X → All
Priority: -- → P1
Hardware: Macintosh → All
Target Milestone: --- → mozilla1.8beta4
Attached patch patch (obsolete) — Splinter Review
Attachment #194041 - Flags: superreview?(bzbarsky)
Attachment #194041 - Flags: review?(jst)
Status: NEW → ASSIGNED
hmm, the calling code in nsObjectFrame already does a content policy check... I should probably remove one, probably the one in ObjectFrame, any opinions?
> hmm, the calling code in nsObjectFrame already does a content policy check... Should we just put the CheckLoadURI() call up there too? Or are there other ways to get into the plugin code than through nsObjectFrame?
no, the only caller of that is in the objectframe. pluginhost would be better in the maybe unlikely case that another caller is ever added...
Hmm... OK, fair enough. Let's just put it all in pluginhost.
Attachment #194041 - Attachment is obsolete: true
Attachment #194041 - Flags: superreview?(bzbarsky)
Attachment #194041 - Flags: review?(jst)
Attached patch patch v2 (obsolete) — Splinter Review
removes objectframe's contentpolicy code.
Attachment #194203 - Flags: superreview?(bzbarsky)
Attachment #194203 - Flags: review?(jst)
Comment on attachment 194203 [details] [diff] [review] patch v2 >Index: modules/plugin/base/src/nsPluginHostImpl.cpp >+ nsresult rv = >+ NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_OBJECT, >+ aURL, >+ doc->GetDocumentURI(), >+ doc, // XXX this is not good Indeed. If we can't get to the content node from here, let's leave the content policy check in nsObjectFrame for now (but move the security check in here) file a bug to move the code down here once we can get to the node off the owner?
Comment on attachment 194203 [details] [diff] [review] patch v2 turns out we can get the DOM element, I just didn't notice the function
Attachment #194203 - Attachment is obsolete: true
Attachment #194203 - Flags: superreview?(bzbarsky)
Attachment #194203 - Flags: review?(jst)
Attachment #194203 - Flags: review-
Attached patch patch v3Splinter Review
Attachment #194525 - Flags: superreview?(bzbarsky)
Attachment #194525 - Flags: review?(jst)
Comment on attachment 194525 [details] [diff] [review] patch v3 I guess we can't get to the SHOW_ALT error code from here, eh?
Attachment #194525 - Flags: superreview?(bzbarsky) → superreview+
hmm, actually, I could get to it... (I wrote the pluginhost changes w/o being aware of the objectframe conpol check). the question is, would it work? I suppose it should. ok, I'll include nsContentErrors.h and return that error code.
Comment on attachment 194525 [details] [diff] [review] patch v3 r=jst
Attachment #194525 - Flags: review?(jst) → review+
Comment on attachment 194525 [details] [diff] [review] patch v3 I think we want this security fix on the branch... it's quite safe.
Attachment #194525 - Flags: approval1.8b4?
Comment on attachment 194525 [details] [diff] [review] patch v3 Per bug traige meeting please land immediately on branch.
Attachment #194525 - Flags: approval1.8b4? → approval1.8b4+
Flags: blocking1.8b4+
Fixed on trunk and 1.8 branch. /be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
thanks for landing this for me. I think we want this additional patch at least on trunk, not sure about branch.
Attachment #195135 - Flags: superreview?(bzbarsky)
Attachment #195135 - Flags: review?(bzbarsky)
Attachment #195135 - Flags: superreview?(bzbarsky)
Attachment #195135 - Flags: superreview+
Attachment #195135 - Flags: review?(bzbarsky)
Attachment #195135 - Flags: review+
Checking in modules/plugin/base/src/nsPluginHostImpl.cpp; /cvsroot/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp,v <-- nsPluginHostImpl.cpp new revision: 1.534; previous revision: 1.533 done
Comment on attachment 195135 [details] [diff] [review] additional patch per comment 16 / comment 17 this additional patch improves the behaviour of <object>/<embed> when a content policy implementation blocks the load; it's low risk.
Attachment #195135 - Flags: approval1.8b5?
Attachment #195135 - Flags: approval1.8b5? → approval1.8b5+
additional patch checked in to MOZILLA_1_8_BRANCH for 1.8b5. Checking in modules/plugin/base/src/nsPluginHostImpl.cpp; /cvsroot/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp,v <-- nsPluginHostImpl.cpp new revision: 1.532.2.3; previous revision: 1.532.2.2 done
Flags: testcase+
fyi, fails ff 1.0.8/winxp/20060221
(In reply to comment #1) > so er, is there a checkLoadURI call missing somewhere? > can it be done checkLoadURI to be put in a place where it can't be missed? what is called and checkLoadURI is missed?
> can it be done checkLoadURI to be put in a place where it can't be missed? Not easily, unfortunately. :( I'd thought about putting it in newChannel or something (a new api that takes the principal too), but that would not really work because some of the newChannel callers do not in fact have the right principal around... We might be able to fix that, but we'd need a lot of API changes to get it right. :(
Group: security
Flags: in-testsuite+ → in-testsuite?
Keywords: csec-disclosure, sec-low
Whiteboard: [sg:fix]
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: