Closed Bug 336903 Opened 18 years ago Closed 18 years ago

New feed view run under chrome context

Categories

(Firefox Graveyard :: RSS Discovery and Preview, defect, P1)

Product:
Firefox Graveyard
Component:
RSS Discovery and Preview
Version:
2.0 Branch
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
Firefox 2 beta1

People

(Reporter: martijn.martijn, Assigned: bugs)

References

(
URL
)

Details

(Keywords: fixed1.8.1, Whiteboard: [sg:critical][swag:2d] 181b1+ post ff1.5)

Attachments

(13 files, 4 obsolete files)

testcase
422 bytes, application/rdf+xml
Details
another test
667 bytes, application/rss+xml
Details
image src test (crashes 1.8 branch builds on load)
637 bytes, application/rss+xml
Details
patch, check every uri attribute set.
7.39 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
patch for browser code
61.08 KB, patch
mark
: review+
Details | Diff | Splinter Review
docshell portion (trunk only)
3.20 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
caps portion
1.96 KB, patch
dveditz
: review+
Details | Diff | Splinter Review
revised trunk docshell patch
3.24 KB, patch
darin.moz
: superreview+
Details | Diff | Splinter Review
final trunk pieces for checkin, browser
63.35 KB, patch
Details | Diff | Splinter Review
final trunk pieces for checkin, docshell
3.33 KB, patch
Details | Diff | Splinter Review
branch browser patch
54.17 KB, patch
darin.moz
: approval1.8.1+
Details | Diff | Splinter Review
branch caps patch
1.95 KB, patch
darin.moz
: approval1.8.1+
Details | Diff | Splinter Review
ook. the right docshell patch
2.80 KB, patch
darin.moz
: review+
darin.moz
: approval1.8.1+
Details | Diff | Splinter Review 
New feed view run under chrome context. This is very dangerous, as you can see with the url testcase.
When clicking on the link, it opens a new tab with google.com inside. That should not be possible.
OS: Windows XP → All
Hardware: PC → All
Version: unspecified → 2.0 Branch
Flags: blocking1.9a1?
Flags: blocking-firefox2?
Assignee: nobody → beng
Flags: blocking1.9a1?
Flags: blocking1.9a1+
Flags: blocking-firefox2?
Flags: blocking-firefox2+
Whiteboard: [sg:critical]
This should block 2.0a2
Assignee: beng → bugs
The main problem is that the feed viewer page has chrome privilege rather than using the feed URL as the origin (though that's the page's document.location, so it's partly correct). It is probably easier and safer to make sure the entire page has the correct privilege than to deny javascript: on each link.

Not sure what kind of rich-content support the feed-viewer has, but relying on perfect sanitization to protect against <script></script> in content worries me. Fixing the page's privilege would provide back-stop protection against that kind of failure too.
So does adding:

  chromeChannel.owner = null;

at http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/browser/components/feeds/src/FeedConverter.js&rev=1.5#210 fix this?  It ought to...

Ideally, we'd set this to the owner of the original channel; Ben might know how we can get that here.
Target Milestone: --- → Firefox 2 alpha2
The problem with that is that the page is really subscribe.xhtml and needs chrome privs to do its thing. I don't think a trivially easy fix like that will work, the subscription controls must be segregated from the massaged feed content.
yup, adding channel.owner=null fubars the page.

It does fix the security hole however ;-)
OK.  So let's try this the other way.  Right now what we do is http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/browser/components/feeds/content/subscribe.js&rev=1.6&mark=176-178#170

Perhaps instead of that we should use something more like:

  var a = document.createElementNS(HTML_NS, "a");
  a.appendChild(document.createTextNode(entry.title));
  a.setAttribute("href", "javascript:doLoad(" + entry.link.spec + ");");

and have:

function doLoad(uri) {
   checkLoadURIStr(document.documentURI, uri, DISALLOW_SCRIPT_OR_DATA);
   // Then do the load by setting document.location or whatever
}

Would that work?
I guess that could work.
But wasn't there concern that unprivileged code could open windows with privileged code (like about:config, etc). That has been fixed, not? But with this feed view thing, it would be possible again, just do window.open on any feed url.
Looking, will have a patch right quick.
Status: NEW → ASSIGNED
Attached file another test 
uses the title image link
uses the image src for the title image
Comment on attachment 221259 [details]
image src test (crashes 1.8 branch builds on load)

This crashes branch builds on load because bug 328697 wasn't landed there yet.
Attachment #221259 - Attachment description: image src test → image src test (crashes 1.8 branch builds on load)
Attachment #221261 - Flags: review?(bzbarsky)
Comment on attachment 221261 [details] [diff] [review]
patch, check every uri attribute set. 

ignore the microsummaries aprt, it was so my tree would build
Comment on attachment 221261 [details] [diff] [review]
patch, check every uri attribute set. 

r=bzbarsky, except the makefile change.  Do run this whole thing by Jesse, though...
Attachment #221261 - Flags: review?(bzbarsky) → review+
OK, I have landed this fix on the trunk and the 1.8 branch... I'm going to ask Jesse to take a look at this and see if he can see anything else that might be problematic.
Martijn is correct in comment 8 -- leaving this page privileged means any same-origin violation XSS bug is trivially elevated to an arbitrary code execution bug. It also means the feed sanitization has to be perfect.
Retargetted at beta1
Target Milestone: Firefox 2 alpha2 → Firefox 2 beta1
Priority: -- → P1
Whiteboard: [sg:critical] → [sg:critical][swag:10d]
Attached patch pass one (obsolete) — Splinter Review 
moves content generation and utilities into a service, and makes this an about safe page without chrome privs. (this was dveditz' suggestion). The MOZ_PHOENIX in  netwerk/caps is highly unfortunate. We should make AboutRedirector and the about:safe stuff parameterizable.
Whiteboard: [sg:critical][swag:10d] → [sg:critical][swag:5d]
Attached patch pass two (obsolete) — Splinter Review 
don't add MOZ_PHOENIX to netwerk if we don't have to
Attachment #225326 - Attachment is obsolete: true
> We should make AboutRedirector and the about:safe stuff parameterizable.

I've had a patch that does that waiting on dveditz's review for about a month in bug 337746... Not that his helps you on branch, of course.

I'm not sure what the purpose of the docshell GetInterface change is.  Why is that needed?  Pretty much any use of GetInterface is an undiscoverable hack, imo... Is the problem that nsIDocument is not scriptable?
Yeah, I need to get at the channel so I can do a rudimentary check on the "actual" URI of the page so as to prevent this from being called from pages other than the preview page. 

Is there a better way to do this branch and trunk? I think access to the channel could be useful - I can't remember the exact case but I remember wishing for this in the past.
On trunk, we could use the same setup as we'll probably end up using for nsIURI and nsIPrincipal, I guess, but that doesn't really work for branch.

The problem I have is that it doesn't really make sense to get the channel off the docshell and get the channel of the last-loaded document (as opposed to, say, the currently-loading channel).  It's prone to nasty side effects, and impossible to remove once we add it, since we have no way to tell who's depending on it.

Darin, biesi, any idea how we could expose the channel here in a sane way?

I also wonder what you mean by "actual" URI.  Does this differ from the nsIWebNavigation's current URI somehow?
Yes, the "actual" URI is a jar: URI of the preview page. At some point, code in docshell and friends begin using the channel's originalURI for updating UI, etc, and originalURI is the web feed URI.
I see.  Perhaps we just need to expose that URI somehow, then.
> Darin, biesi, any idea how we could expose the channel here in a sane way?

Put it on nsIDocShell (or the Mozilla 1.8 branch version that we can edit).  You could have getters for the previous channel as well as the one that is currently loading.  It might be useful to have the full channel instead of just a URI.
Boris, what do you think of this? If you like the idea I'll revise my patch.
I'm happier adding an nsIChannel prop on nsIDocShell, yes.  At least that way we can find the consumers if we find a better way to expose it (e.g. on the document, on trunk).  Ben, if you would do that, that would be great. 

        Attachment #225337 -
        Attachment is obsolete: true

        Attachment #226398 -
        Flags: review?(sspitzer)

    
    

    
  


  
Adds currentDocumentChannel attribute to nsIDocShell

Once this patch is reviewed I will create a branch patch that adds this to the nsIDocShell_MOZILLA_1_8_BRANCH interface.

        Attachment #226399 -
        Flags: review?(bzbarsky)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        caps portionSplinter Review
      

    


  
adds about:feeds to SSM to show about safe feed preview page

        Attachment #226400 -
        Flags: review?(dveditz)

    
    

    
  
Comment on attachment 226399 [details] [diff] [review]
docshell portion (trunk only)

>Index: docshell/base/nsDocShell.cpp
>+nsDocShell::GetCurrentDocumentChannel(nsIChannel** aResult)

>+    nsresult rv = EnsureContentViewer();

Why not just return null if there's no viewer?  That would make a lot more sense to me.

You seem to never set *aResult when there's no document; that's wrong.

>Index: docshell/base/nsIDocShell.idl

>+   * Gets the channel for the currently loaded document.

Add ", if any" at the end.

r=bzbarsky with those nits picked.

        Attachment #226399 -
        Flags: review?(bzbarsky) → review+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        revised trunk docshell patch (obsolete)
        — Splinter Review
      

    


  

        Attachment #226419 -
        Flags: superreview?(darin)

    
    

    
  


  

        Attachment #226419 -
        Attachment is obsolete: true

        Attachment #226423 -
        Flags: superreview?(darin)

        Attachment #226419 -
        Flags: superreview?(darin)

    
    

    
  
Comment on attachment 226423 [details] [diff] [review]
revised trunk docshell patch

It might be good to add some comments about when currentDocumentChannel changes.

        Attachment #226423 -
        Flags: superreview?(darin) → superreview+

    
    

    
  
Er... that's still calling EnsureContentViewer().  Just take that line out.  ;)
Whiteboard: [sg:critical][swag:5d] → [sg:critical][swag:2d] - needs reviews

    
    

    
  
Comment on attachment 226400 [details] [diff] [review]
caps portion

r=dveditz

        Attachment #226400 -
        Flags: review?(dveditz) → review+

    
    

    
  
Comment on attachment 226400 [details] [diff] [review]
caps portion

Do you really want "about:feeedsaroo" to execute scripts?

    
    

    
  
good call, revised patch coming.

    
  

        Attachment #226398 -
        Flags: review?(sspitzer) → review?(mark)

    
    

    
  
Comment on attachment 226398 [details] [diff] [review]
patch for browser code

Some of your functions begin with FH_ and others with SH_ - consolidate.

nsAboutFeeds on the trunk needs a new GetURIFlags method which should set its result to 0, following bug 337746.

        Attachment #226398 -
        Flags: review?(mark) → review+

    
    

    
  
Will have the final trunk patches in place tomorrow morning. Will land then get branch patches ready. 
Whiteboard: [sg:critical][swag:2d] - needs reviews → [sg:critical][swag:2d]

    
    

    
  
Actually, GetURIFlags should return ALLOW_SCRIPT, I'd guess.

    
    

    
  
yeah, URI_SAFE_FOR_UNTRUSTED_CONTENT | ALLOW_SCRIPT

rebuilding final trunk patch now...

    
    

    
  
Landed on the trunk. Will now make a branch patch. 

    
    

    
  
So does untrusted content really need acess to the about:feeds pages?   That is, why was the GetBaseURIScheme change needed in the original patch?

    
  
Whiteboard: [sg:critical][swag:2d] → [sg:critical][swag:2d] 181b1+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        branch docshell patch (obsolete)
        — Splinter Review
      

    


  
Same as the other patch, but the attribute is on nsIDocShell_MOZILLA_1_8_BRANCH instead. Requesting quick re-review for this minor change for the branch.

        Attachment #227456 -
        Flags: review?(darin)

    
    

    
  


  
fix merge error

        Attachment #227456 -
        Attachment is obsolete: true

        Attachment #227460 -
        Flags: review?

        Attachment #227456 -
        Flags: review?(darin)

        Attachment #227460 -
        Flags: review? → review?(darin)

    
    

    
  
Comment on attachment 227460 [details] [diff] [review]
ook. the right docshell patch

Might be good to bump UUID of nsIDocShell_MOZILLA_1_8_BRANCH since we've shipped the old version of the interface in an alpha.  If someone needed to use it, they would get hosed by an alpha.

r=darin

        Attachment #227460 -
        Flags: review?(darin) → review+

        Attachment #227460 -
        Flags: approval1.8.1?

        Attachment #227453 -
        Flags: approval1.8.1?

        Attachment #227454 -
        Flags: approval1.8.1?

    
  

        Attachment #227460 -
        Flags: approval1.8.1? → approval1.8.1+

    
    

    
  
Comment on attachment 227453 [details] [diff] [review]
branch browser patch

micro-nit: destructor in nsAboutFeeds can be private and non-virtual.

        Attachment #227453 -
        Flags: approval1.8.1? → approval1.8.1+

    
  

        Attachment #227454 -
        Flags: approval1.8.1? → approval1.8.1+

    
    

    
  
fixed-1.8-branch, fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: blocking1.8.0.8-
Whiteboard: [sg:critical][swag:2d] 181b1+ → [sg:critical][swag:2d] 181b1+ post ff1.5
Group: security

    
  
Product: Firefox → Firefox Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: