Need to prevent inadvertent bookmarking of javascript: and data: URLs

RESOLVED FIXED

Status

SeaMonkey
Security
RESOLVED FIXED
11 years ago
8 years ago

People

(Reporter: Chris Thomas (CTho) [formerly cst@andrew.cmu.edu cst@yecc.com], Assigned: neil@parkwaycc.co.uk)

Tracking

(Depends on: 1 bug, {fixed-seamonkey1.1.8})

Trunk
fixed-seamonkey1.1.8
Bug Flags:
blocking-seamonkey1.1.8 +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

1.20 KB, patch
Chris Thomas (CTho) [formerly cst@andrew.cmu.edu cst@yecc.com]
: review+
dveditz
: superreview+
Details | Diff | Splinter Review
From firefox bug 371179 (camino is 372020)
> User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.8.1.1)
> Gecko/20061204 Firefox/2.0.0.1
> Build Identifier: 
> 
> It should be not possible to bookmark data: and other inline / special URL
> schemes, or, if this functionality is needed, Javascript execution context
> should be properly initialized. Otherwise, such a bookmark, when invoked, will
> be allowed to execute Javascript code in the context of a currently viewed
> resource (Google start page = stealing GMail authentication cookies, for
> example).
> 
> See this demonstration:
> 
> http://lcamtuf.coredump.cx/ffbook/
> 
> Reproducible: Always
Flags: blocking-seamonkey1.1.2+
Flags: blocking-seamonkey1.0.9+

Comment 1

11 years ago
Assigning to me.
Status: NEW → ASSIGNED

Updated

11 years ago
Assignee: nobody → benoit
Status: ASSIGNED → NEW
[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a3pre) Gecko/2007022704 Minefield/3.0a3pre] (nightly) (W2Ksp4)

For the record,
I can reproduce the Ctrl+D behaviour with the FF testcase,
and the JS exploit which leads me to <http://lcamtuf.coredump.cx/ffbook/success.html>.


[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a3pre) Gecko/20070227 SeaMonkey/1.5a] (nightly) (W2Ksp4)

I can reproduce the Ctrl+D behaviour with the FF testcase,
and not the JS exploit which leads me to <http://lcamtuf.coredump.cx/ffbook/failure.html>. (Maybe related to my profile ?)

*(D.o.) Bug 371179, as I guess the SM patch will be based after the FF one.
Status: NEW → ASSIGNED
Component: Bookmarks → Security
Depends on: 371179
OS: Windows XP → All
Hardware: PC → All
Version: 1.8 Branch → Trunk
It would be nice to know what caused the failure for you Serge.
With the latest SM trunk, on Linux, it's the same behavior as with FX.

Maybe google.com redirects you to google.co.uk?
With google.com.br here it fails.

[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a3pre) Gecko/20070228 SeaMonkey/1.5a] (nightly) (W2Ksp4)

No redirection.
I tested again, with a new profile, and it succeeded.
...
I guess the |document.cookie| in <http://lcamtuf.coredump.cx/ffbook/attack.js> is "blocked" in my usual profile.
[I don't like JS "playing" with cookies.]

Sorry for my first report:
I didn't try this, because the try+catch masked the exception I get otherwise.
It looks like that demonstration does not explicitly account for secure browser/profile ;-/

Comment 5

10 years ago
What's up here? No action for almost two months on something marked as a blocker? We would strictly be entering code freezes for 1.0.9 and 1.1.2 today, and if we want to hold off those releases for this bug, as the blocking+ flags imply, we badly need a solution. Not tomorrow, but yesterday or some weeks ago, actually!

So, what's the status on this?
(Assignee)

Comment 6

10 years ago
Created attachment 262484 [details] [diff] [review]
Fix Add Bookmark

As for Groupmarks, they work by adding new tabs for the bookmarks (and optionally deleting the old tabs), so they always run on a safe context.
Assignee: benoit → neil
Attachment #262484 - Flags: review?(cst)
Comment on attachment 262484 [details] [diff] [review]
Fix Add Bookmark

looks good.
Attachment #262484 - Flags: review?(cst) → review+

Comment 8

10 years ago
[14:08] <BenoitRen> KaiRo: I'm sorry. I'm sorry. I'm sorry. :(
[14:08] <BenoitRen> KaiRo: Read the bugmail. What happened is that I looked at the Firefox patch, got confused, investigated it for a while, and then forgot about it.
[14:08] <BenoitRen> ("Read the bugmail." is meant as paste tense, I didn't add a comment to the bug.)
Comment on attachment 262484 [details] [diff] [review]
Fix Add Bookmark

sr=dveditz

I'm not sure users will know that a data: url is potentially dangerous even if you show them the dialog
Attachment #262484 - Flags: superreview+

Comment 10

10 years ago
Does this still need to land on the branch(es)?
(In reply to comment #10)
> Does this still need to land on the branch(es)?

[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.12pre) Gecko/20070504 SeaMonkey/1.0.9] (nightly) (W2Ksp4)
[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1.4pre) Gecko/20070505 SeaMonkey/1.1.2] (nightly) (W2Ksp4)
[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a5pre) Gecko/20070504 SeaMonkey/1.5a] (nightly) (W2Ksp4)

Bug still there.

***

Well :-/
Actually, this patch has not been checked in anywhere yet.

NB:
</xpfe/components/bookmarks/resources/bookmarks.js>
was recently moved to
</suite/common/bookmarks/bookmarks.js>.

Updated

10 years ago
Flags: blocking-seamonkey1.1.8?
(Assignee)

Comment 12

10 years ago
Fix checked in to the trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED

Comment 13

10 years ago
Should we also be triggering a dialog for "Bookmark this link" and "Bookmark this page" from the context menu?

Comment 14

10 years ago
a=me for SM1.1.8
Flags: blocking-seamonkey1.1.8? → blocking-seamonkey1.1.8+

Updated

10 years ago
Attachment #262484 - Flags: approval-seamonkey1.1.8+
(Assignee)

Comment 15

10 years ago
Fix checked in to the branch.
Keywords: fixed-seamonkey1.1.8

Updated

8 years ago
Flags: blocking-seamonkey1.1.2+
Flags: blocking-seamonkey1.0.9+
You need to log in before you can comment on or make changes to this bug.