Closed
Bug 325426
Opened 19 years ago
Closed 18 years ago
Don't rely on baseuri for same-origin checks
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
People
(Reporter: sicking, Assigned: sicking)
References
()
Details
(Keywords: fixed1.8.0.4, fixed1.8.1, Whiteboard: [sg:investigate])
Attachments
(2 files)
27.07 KB,
patch
|
bzbarsky
:
review+
jst
:
superreview+
jst
:
approval-branch-1.8.1+
dveditz
:
approval1.8.0.4+
|
Details | Diff | Splinter Review |
35.67 KB,
patch
|
Details | Diff | Splinter Review |
We currently have security checks when setting the baseuri on html elements. However, we don't have similar checks for the xml:base. We also (until recently) didn't have these checks in the html fragment sink. These checks should not be needed. Same-origin checks should always be done against the document uri, not the document base-uri. I'm currently looking through all users of GetBaseURI to make sure that is the case. So far it seems like nsGenericElement::TriggerLink (or arguably the two users in nsGenericHTMLElement::HandleDOMEventForAnchors) are doing the wrong thing.
Assignee | ||
Comment 1•19 years ago
|
||
Many other clients of nsGenericElement::TriggerLink has the same issue as nsGenericHTMLElement::HandleDOMEventForAnchors. We should just remove the aOrigin argument from TriggerLink and let the function grab the origin from the document itself. Note to self: more places to check are CSSParser::ParseStyleAttribute CSSParser::ParseProperty nsXMLDocument::Load (not sure where the security check for this lives) nsXULContentUtils::MakeElementURI (seems like this should use GetDocumentURI rather then GetBaseURI) nsXULContentUtils::MakeElementID (same as above) txExecutionState::retrieveDocument (this uses the wrong referrer) nsGlobalWindow::BuildURIfromBase These functions seem wrong: TX_CompileStylesheet, as does most of the xslt compiler checks SendPing in nsWebShell.cpp nsDOMParser::ParseFromStream I've done up until nsXFormsModelElement. Given how many places we seem to be doing this wrong (though luckily most of them seem to use the document where we do have same-origin policies), maybe we need to keep the current checks :( It is technically wrong, but it might be safest.
Assignee | ||
Updated•19 years ago
|
Comment 2•19 years ago
|
||
> However, we don't have similar checks for the xml:base. Er... We sure seem to in nsGenericElement::GetBaseURI(). What am I missing? > Same-origin checks should always be done against the document uri, not the > document base-uri. Agreed on that, but this has always seemed like a belt-and-suspenders kinda thing to me. If we change this we have to audit all document or content base users, of course. I guess that's what you're doing, eh? > So far it seems like nsGenericElement::TriggerLink (or arguably the two users > in nsGenericHTMLElement::HandleDOMEventForAnchors) are doing the wrong thing. It certainly is, but the patch in bug 324600 fixes it. Want to review? ;) And yeah, I think we should fix the existing misusers but probably keep the checks on setting the base, just in case.
Updated•19 years ago
|
Whiteboard: [sg:investigate]
Assignee | ||
Comment 3•19 years ago
|
||
Doh, not sure how I missed the check in nsGenericElement::GetBaseURI. However, all the checks we do (both in nsGenericElement::GetBaseURI and nsDocument::SetBaseURI) are CheckLoadURI check rather then same-origin checks. This means that you can set any http-uri as your base uri, so we must not rely on it for same-origin checks. So all the places i've listed above are more or less vulnerable :(
Comment 4•19 years ago
|
||
Oh, yes. Using the base URI for same-origin checks is broken. So is using the document URI. All same-origin checks should use the document principal. Otherwise they're not accounting for document.domain, for example.
Comment 5•19 years ago
|
||
In fact, I'd really like to remove the URI version of CheckSameOrigin completely.... We need to make principals scriptable and accessible from script first, though.
Assignee | ||
Comment 6•19 years ago
|
||
So I'm slightly mutating this bug. Since the checks we do have are very lenient, there is no point in removing them. What we should do is to audit all users of GetBaseURI to make sure they do the right thing. The places I've mentioned above needs fixing, and I'll audit the remaining ones too.
Summary: Remove security checks on baseuri setting and stop relying on them → Don't rely on baseuri for same-origin checks
Assignee | ||
Comment 7•18 years ago
|
||
This should fix it. Some of this is just renaming variables to more clearly indicate that they contain the baseuri or documenturi.
Attachment #214277 -
Flags: superreview?(jst)
Attachment #214277 -
Flags: review?(bzbarsky)
Assignee | ||
Updated•18 years ago
|
Flags: blocking1.8.0.3?
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Comment 8•18 years ago
|
||
Comment on attachment 214277 [details] [diff] [review] Patch to fix >Index: content/xslt/src/xslt/txMozillaStylesheetCompiler.cpp >+ // XXX This would be simpler if GetBaseURI lived on nsINode File a bug to do that, reference it here? I guess the issue is the difference in method signatures, eh? :( >+ uri->GetSpec(spec); Yuck. Any chance this code could move towards using nsIURI instead of strings? In the future? >Index: content/xul/templates/src/nsXULContentUtils.cpp >- nsIURI *docURL = aDocument->GetBaseURI(); >+ nsIURI *docURL = aDocument->GetDocumentURI(); Why? This looks to me like it wants to be using the base URI, no? Or is this code actually using URIs when it doesn't mean URIs? > nsXULContentUtils::MakeElementID(nsIDocument* aDocument, const nsAString& aURI, nsAString& aElementID) >- aDocument->GetBaseURI()->GetSpec(spec); >+ aDocument->GetDocumentURI()->GetSpec(spec); Same. r=bzbarsky with the questions answered.
Attachment #214277 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Comment 9•18 years ago
|
||
(In reply to comment #8) > (From update of attachment 214277 [details] [diff] [review] [edit]) > >Index: content/xslt/src/xslt/txMozillaStylesheetCompiler.cpp > >+ // XXX This would be simpler if GetBaseURI lived on nsINode > > File a bug to do that, reference it here? I guess the issue is the difference > in method signatures, eh? :( So far this is the only usecase and i'd rather that we waited with filing a bug until we know that having it on nsINode is what we really want. I'll change the comment to that effect. > >+ uri->GetSpec(spec); > > Yuck. Any chance this code could move towards using nsIURI instead of > strings? In the future? Yeah, we really should. It's tricky to get that sensible in standalone transformiix though. > >Index: content/xul/templates/src/nsXULContentUtils.cpp > >- nsIURI *docURL = aDocument->GetBaseURI(); > >+ nsIURI *docURL = aDocument->GetDocumentURI(); > > Why? This looks to me like it wants to be using the base URI, no? Or is this > code actually using URIs when it doesn't mean URIs? These two function is creating/parsing uris that refer to elements in the current document. So to get to these elements you need to go through the current documents uri, not base uri. Makes sense?
Comment 10•18 years ago
|
||
Comment on attachment 214277 [details] [diff] [review] Patch to fix sr=jst
Attachment #214277 -
Flags: superreview?(jst) → superreview+
Comment 11•18 years ago
|
||
Sounds good.
Assignee | ||
Updated•18 years ago
|
Attachment #214277 -
Flags: approval1.8.0.3?
Attachment #214277 -
Flags: approval1.7.14?
Attachment #214277 -
Flags: approval-branch-1.8.1?(jst)
Attachment #214277 -
Flags: approval-aviary1.0.9?
Updated•18 years ago
|
Attachment #214277 -
Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
Updated•18 years ago
|
Flags: blocking1.8.0.3?
Flags: blocking1.8.0.3+
Flags: blocking1.7.14?
Flags: blocking1.7.14+
Flags: blocking-aviary1.0.9?
Flags: blocking-aviary1.0.9+
Comment 12•18 years ago
|
||
Please get this fix on the trunk and 1.8.1 branch so it can bake before we consider it for the next 1.8.0.x train. Thanks!
Assignee | ||
Comment 13•18 years ago
|
||
Assignee | ||
Updated•18 years ago
|
Keywords: fixed1.8.1
Comment 14•18 years ago
|
||
Comment on attachment 214277 [details] [diff] [review] Patch to fix approved for 1.8.0 branch, a=dveditz for drivers
Attachment #214277 -
Flags: approval1.8.0.3? → approval1.8.0.3+
Assignee | ||
Updated•18 years ago
|
Keywords: fixed1.8.0.3
Comment 15•18 years ago
|
||
sicking, any idea on how to test this?
Assignee | ||
Updated•18 years ago
|
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated•18 years ago
|
Flags: in-testsuite?
Updated•17 years ago
|
Group: security
Comment 16•14 years ago
|
||
Comment on attachment 214277 [details] [diff] [review] Patch to fix Clearing stale requests.
Attachment #214277 -
Flags: approval1.7.14?
Attachment #214277 -
Flags: approval-aviary1.0.9?
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•