Closed
Bug 335334
Opened 19 years ago
Closed 19 years ago
Fix string URI consumers to use CheckLoadURIStr
Categories
(Firefox :: General, defect, P1)
Tracking
()
RESOLVED
FIXED
Firefox 2
People
(Reporter: bzbarsky, Assigned: Gavin)
References
Details
(Keywords: fixed1.8.1, verified1.8.0.7, Whiteboard: [sg:investigate][mustfix])
Attachments
(3 files, 4 obsolete files)
|
826 bytes,
text/html
|
Details | |
|
9.04 KB,
patch
|
dveditz
:
approval1.8.0.7+
mtschrep
:
approval1.8.1+
|
Details | Diff | Splinter Review |
|
9.01 KB,
patch
|
Details | Diff | Splinter Review |
At least the following consumers in Firefox code use CheckLoadURI for strings, which we've discovered (in bug 334341) is unsafe:
nsFeedLoadListener::IsLinkValid
nsLivemarkLoadListener::IsLinkValid
<method name="onLinkAdded"> in tabbrowser.xml
<method name="open"> in text.xml
onDrop function in browser.js (two different onDrop functions, actually)
These should probably be switched to CheckLoadURIStr or something... And other consumers of CheckLoadURI should be checked over.
|
Reporter | |
Updated•19 years ago
|
Flags: blocking1.9a1?
Flags: blocking1.8.0.3?
Flags: blocking-firefox2?
|
Assignee | |
Comment 1•19 years ago
|
||
"open" in text.xml is only used as a safeguard against accidental data:/javascript: loads (kind of a misuse of checkLoadURI, I guess), so it isn't really "vulnerable" to anything.
|
|
Reporter | |
Comment 2•19 years ago
|
||
Er... why does it care about javascript: or data:? Does it care about jar:data:? Or view-source:javascript:?
It does sound like the wrong check is being done here; could you file a separate bug on that with a description of what this code is trying to accomplish so we can figure out what check _should_ be happening?
|
|
Assignee | |
Comment 3•19 years ago
|
||
(In reply to comment #2)
> Er... why does it care about javascript: or data:? Does it care about
> jar:data:? Or view-source:javascript:?
It cares about javascript: or data: because they are "dangerous" if loaded unknowingly. It's just a safeguard against situations like bug 315004. See bug 315166.
The fact that jar:data: or view-source:javascript: are blocked doesn't really matter: people who are using that binding can just use an onclick handler if they want to load a URI like that. The binding is meant to be used to load http[s]/ftp/etc links.
|
||
Comment 4•19 years ago
|
||
I'd really want this one, but we're running out of time in 1.8.0.4 (formerly .0.3)
Assignee: nobody → dveditz
Flags: blocking1.8.0.4? → blocking1.8.0.4+
|
|
||
Updated•19 years ago
|
Whiteboard: [sg:investigate]
|
|
Reporter | |
Updated•19 years ago
|
Keywords: helpwanted
|
||
Comment 5•19 years ago
|
||
+ open in text.xml has no CheckLoadURI in ffox 1.5.0.3
+ nsLivemarkListener does to exist in ffox 1.5.0.3
Have no source tree for 1_8_BRANCH right now. If patch is ok I can do patches for other branches as well.
BTW, is there a way to test this on linux or is it a non-issue on unix archs?
|
|
||
Comment 6•19 years ago
|
||
last one was an accident.
|
|
||
Updated•19 years ago
|
Attachment #221704 -
Attachment is obsolete: true
|
|
||
Updated•19 years ago
|
Flags: blocking1.8.0.4+ → blocking1.8.0.5+
|
||
Updated•19 years ago
|
Flags: blocking-firefox2? → blocking-firefox2+
|
|
||
Updated•19 years ago
|
Target Milestone: --- → Firefox 2 beta1
|
||
Comment 7•19 years ago
|
||
Missed the 1.8.0.5 train, we should look in this for the next release.
Flags: blocking1.8.0.6?
Flags: blocking1.8.0.5-
Flags: blocking1.8.0.5+
|
|
||
Updated•19 years ago
|
Target Milestone: Firefox 2 beta1 → Firefox 2 beta2
|
|
||
Comment 8•19 years ago
|
||
Need this for 1.8.0.6 and Fx2.
Dveditz, if you don't have the cycles, dump this to nobody@ and I'll find someone to fix this.
Whiteboard: [sg:investigate] → [sg:investigate][mustfix]
|
|
||
Updated•19 years ago
|
Flags: blocking1.8.0.6? → blocking1.8.0.6+
|
||
Comment 9•19 years ago
|
||
Gavin or Biesi do you have any cycles for this?
|
|
||
Comment 10•19 years ago
|
||
Resetting milestone to final.
Target Milestone: Firefox 2 beta2 → Firefox 2
|
|
Assignee | |
Comment 11•19 years ago
|
||
Attachment #221705 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 12•19 years ago
|
||
I've audited all of the checkLoadURI callers in /browser and /toolkit, and these were the only ones where the checked URIs where then passed on to a method that may fix up the URI. This makes urlSecurityCheck more flexible by taking an optional flags param, and uses it instead of explicit calls to checkLoadURI(Str). In the viewImage case, I decided to always pass DISALLOW_SCRIPT to match the current behavior (there's a bug in the code, this.docURL != gBrowser.currentURI is never false, since one is a URL string and the other an nsIURI).
Assignee: dveditz → gavin.sharp
Status: NEW → ASSIGNED
Attachment #234262 -
Flags: superreview?(bzbarsky)
Attachment #234262 -
Flags: review?(mconnor)
|
|
Assignee | |
Comment 13•19 years ago
|
||
The patch fixes the two tests in the attached testcase.
|
|
Assignee | |
Comment 14•19 years ago
|
||
Forgot a file in the diff.
Attachment #234262 -
Attachment is obsolete: true
Attachment #234264 -
Flags: superreview?(bzbarsky)
Attachment #234264 -
Flags: review?(mconnor)
Attachment #234262 -
Flags: superreview?(bzbarsky)
Attachment #234262 -
Flags: review?(mconnor)
|
|
||
Comment 15•19 years ago
|
||
Comment on attachment 234264 [details] [diff] [review]
real patch
good work, and nice catch on the viewImage bug!
Attachment #234264 -
Flags: review?(mconnor) → review+
|
|
Reporter | |
Comment 16•19 years ago
|
||
Comment on attachment 234264 [details] [diff] [review]
real patch
Looks good for branch. For trunk, I'd like us to use checkLoadURIStrWithPrincipal, since checkLoadURIStr will generally give the wrong answer (hopefully always too restrictive?), but I'm OK with a followup for that.
Attachment #234264 -
Flags: superreview?(bzbarsky) → superreview+
|
|
Assignee | |
Comment 17•19 years ago
|
||
(In reply to comment #16)
> (From update of attachment 234264 [details] [diff] [review] [edit])
> Looks good for branch. For trunk, I'd like us to use
> checkLoadURIStrWithPrincipal, since checkLoadURIStr will generally give the
> wrong answer (hopefully always too restrictive?), but I'm OK with a followup
> for that.
Checked this patch in on the trunk to bake. Does bug 327244 sufficiently cover the things you want to address on the trunk, or should I file another bug that depends on bug 348559?
mozilla/toolkit/content/contentAreaUtils.js 1.85
mozilla/browser/base/content/browser.js 1.688
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 18•19 years ago
|
||
Bug 327244 is a tracking bug at the moment; we should probably have separate bugs for the code changes to stop using those functions. I forgot that bug 348559 hasn't landed yet; a bug depending on it and blocking bug 327244 is a good idea.
Thanks!
|
|
Assignee | |
Comment 19•19 years ago
|
||
(In reply to comment #18)
> Bug 327244 is a tracking bug at the moment; we should probably have separate
> bugs for the code changes to stop using those functions. I forgot that bug
> 348559 hasn't landed yet; a bug depending on it and blocking bug 327244 is a
> good idea.
I talked to bz on IRC, and we decided that bug 342485 can be that bug.
Flags: blocking1.9a1?
|
|
Assignee | |
Comment 20•19 years ago
|
||
This includes the trivial fix for bug 349757, which the original patch caused. It's been on the trunk since Monday, Aug 21st.
Attachment #234264 -
Attachment is obsolete: true
Attachment #235025 -
Flags: approval1.8.1?
Attachment #235025 -
Flags: approval1.8.0.7?
|
|
Assignee | |
Updated•19 years ago
|
Whiteboard: [sg:investigate][mustfix] → [181approval pending][sg:investigate][mustfix]
|
|
||
Comment 21•19 years ago
|
||
Comment on attachment 235025 [details] [diff] [review]
1.8 branch patch
a=schrep for drivers - approving all [181approval pending] bugs now that tree is open.
Attachment #235025 -
Flags: approval1.8.1? → approval1.8.1+
|
|
Assignee | |
Comment 22•19 years ago
|
||
Comment on attachment 235025 [details] [diff] [review]
1.8 branch patch
Sorry, I misunderstood the use of the [181approval pending] s/w marking.
Attachment #235025 -
Flags: approval1.8.1+ → approval1.8.1?
|
|
Assignee | |
Updated•19 years ago
|
Whiteboard: [181approval pending][sg:investigate][mustfix] → [a?][sg:investigate][mustfix]
|
|
||
Comment 23•19 years ago
|
||
Comment on attachment 235025 [details] [diff] [review]
1.8 branch patch
a=schrep for drivers for real this time :-). Thanks Gavin for resetting the approval request.
Attachment #235025 -
Flags: approval1.8.1? → approval1.8.1+
|
|
Assignee | |
Comment 24•19 years ago
|
||
mozilla/browser/base/content/browser.js 1.479.2.190
mozilla/toolkit/content/contentAreaUtils.js 1.77.2.6
Keywords: fixed1.8.1
Whiteboard: [a?][sg:investigate][mustfix] → [sg:investigate][mustfix]
|
|
||
Comment 25•19 years ago
|
||
Comment on attachment 235025 [details] [diff] [review]
1.8 branch patch
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #235025 -
Flags: approval1.8.0.7? → approval1.8.0.7+
|
|
Assignee | |
Updated•19 years ago
|
Attachment #235025 -
Attachment description: branch patch → 1.8 branch patch
|
|
Assignee | |
Comment 26•19 years ago
|
||
|
|
Assignee | |
Comment 27•19 years ago
|
||
mozilla/browser/base/content/browser.js 1.479.2.43.2.4
mozilla/toolkit/content/contentAreaUtils.js 1.77.2.2.2.3
Keywords: fixed1.8.0.7
|
|
||
Comment 28•18 years ago
|
||
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060906 Firefox/1.5.0.7
Keywords: fixed1.8.0.7 → verified1.8.0.7
|
|
||
Updated•18 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•