Closed
Bug 366568
Opened 19 years ago
Closed 13 years ago
potential problem with favicons and useDefaultIcon
Categories
(Firefox :: Security, defect)
Firefox
Security
Tracking
()
RESOLVED
INVALID
People
(Reporter: guninski, Assigned: Gavin)
References
()
Details
Attachments
(1 file)
|
2.33 KB,
patch
|
dao
:
review-
|
Details | Diff | Splinter Review |
no exploit for this yet, filing seperate bug per bz's suggestion.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/toolkit/content/widgets/tabbrowser.xml&rev=1.216&mark=496-517#496
in tabbrowser.xml |shouldLoadFavIcon| tries to prevent active content in
favicons. this does not work for |data:image/png;,VALIDPNG| (in this case the
uri is loaded as favicon because of the special ImageDocument check) - so at
least
data: uris are loaded as favicons. in case |javascript:| uris may return
|instanceof ImageDocument| this may lead to problems with favicons (according to bz this is possible).
probably other abuse may be possible in this case.
having in mind the problems with active favicons in the past, regardless
whether comment #86 is exploitable or not, the check for sane favicon better be
applied for the |image| case.
|
Reporter | |
Updated•19 years ago
|
|
|
Reporter | |
Comment 1•19 years ago
|
||
example javascript uri will be appreciated - manage to get just 'text/html' or 'text/plain' from javascript.
|
|
Reporter | |
Comment 2•19 years ago
|
||
dveditz, believe that can fix this tomorrow my time by moving |shouldload...| in the innermost place that doesn't break world no matter if the bug is real or imaginary. feel free to assign to me if you feel like it.
|
|
||
Comment 3•19 years ago
|
||
Oh, hmm... So actually, javascript: seems to always return text/html for now:
494 // If the resultant script evaluation actually does return a value, we
495 // treat it as html.
496 rv = NS_NewInputStreamChannel(getter_AddRefs(channel), aURI, mIOThunk,
497 NS_LITERAL_CSTRING("text/html"));
498 if (NS_FAILED(rv)) return rv;
While this works for loading images with <img> because that ignores the type, that won't work for image documents... unless we start to content-sniff more or something.
I still think we should check here. Just a checkLoadURI for DISALLOW_SCRIPT should do the trick. No need to filter out data:.
Flags: blocking1.8.1.2?
Flags: blocking1.8.0.10?
Flags: blocking-firefox3?
|
||
Comment 4•19 years ago
|
||
(In reply to comment #0)
> having in mind the problems with active favicons in the past, regardless
> whether comment #86 is exploitable or not,
comment 86 in what other bug?
|
|
Reporter | |
Comment 5•19 years ago
|
||
(In reply to comment #4)
>
> comment 86 in what other bug?
>
in the meta. this was just mistyping, the full description is in the report.
|
|
||
Comment 6•19 years ago
|
||
We need an owner and patch quickly if this is going to make the next release... otherwise this is at-risk for being pushed out.
Flags: blocking1.8.1.2?
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10?
Flags: blocking1.8.0.10+
|
|
||
Updated•19 years ago
|
Assignee: nobody → dveditz
|
|
||
Updated•19 years ago
|
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.2-
Flags: blocking1.8.1.2+
Flags: blocking1.8.0.10-
Flags: blocking1.8.0.10+
|
|
||
Comment 7•18 years ago
|
||
Gavin, Boris's comment 3 should get you started
Assignee: dveditz → gavin.sharp
Flags: blocking-firefox3? → blocking-firefox3+
|
|
||
Updated•18 years ago
|
Target Milestone: --- → Firefox 3 alpha6
|
Assignee | |
Updated•18 years ago
|
Summary: potential problem with faviocons and useDefaultIcon → potential problem with favicons and useDefaultIcon
|
|
||
Updated•18 years ago
|
Target Milestone: Firefox 3 M7 → Firefox 3 M8
|
|
||
Updated•18 years ago
|
Target Milestone: Firefox 3 M8 → Firefox 3 M9
|
|
||
Updated•18 years ago
|
Target Milestone: Firefox 3 M9 → Firefox 3 M10
|
|
||
Updated•18 years ago
|
Priority: -- → P3
Target Milestone: Firefox 3 M10 → Firefox 3 M11
|
|
||
Updated•18 years ago
|
Priority: P3 → P4
|
|
||
Comment 10•17 years ago
|
||
Not blocking on this bug for final ship. Would take a safe enough patch if one comes through.
Flags: wanted-firefox3+
Flags: blocking-firefox3-
Flags: blocking-firefox3+
|
|
Assignee | |
Comment 11•14 years ago
|
||
I can't really make any sense out of why we have both browser.chrome.site_icons and browser.chrome.favicons. Rather than explicitly checking for javascript:, I decided to refactor the code and just re-use shouldLoadFavicon (which restricts to http[s]).
Attachment #603960 -
Flags: review?(dao)
|
||
Comment 12•14 years ago
|
||
Comment on attachment 603960 [details] [diff] [review]
patch
> re-use shouldLoadFavicon (which restricts to http[s]).
This restriction makes sense for appending /favicon.ico, but I don't think it makes sense for image documents. E.g. we still want favicons for file:// URI images.
Attachment #603960 -
Flags: review?(dao) → review-
|
|
||
Comment 13•14 years ago
|
||
I think we can resolve this as invalid as per comment 3...
|
|
Assignee | |
Comment 14•13 years ago
|
||
Still seems prudent to check for javascript:, I think.
Group: core-security
OS: Linux → All
Priority: P4 → --
Hardware: x86 → All
Whiteboard: [sg:nse]
Target Milestone: Firefox 3 beta3 → ---
Version: 2.0 Branch → Trunk
|
|
Assignee | |
Comment 15•13 years ago
|
||
I changed my mind!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•