Closed Bug 372075 Opened 17 years ago Closed 17 years ago

javascript: URI evaluation should use sandboxed context for toString, etc

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: bzbarsky, Assigned: mrbkap)

References

Details

(Keywords: fixed1.8.0.15, verified1.8.1.12, Whiteboard: [sg:moderate] spun off an sg:critical bug, reveals bug 344495)

Attachments

(5 files)

Proposed fix
7.54 KB, patch
bzbarsky
: review+
jst
: superreview+
Details | Diff | Splinter Review
What I'm about to check in
9.20 KB, patch
Details | Diff | Splinter Review
Backport to 1.8
16.80 KB, patch
jst
: review+
bzbarsky
: superreview+
samuel.sidler+old
: approval1.8.1.12+
caillon
: approval1.8.0.next+
Details | Diff | Splinter Review
Screenshot of 2.0.0.11 on Vista
120.35 KB, image/png
Details
Screenshot of 2.0.0.12rc1 on XP
43.74 KB, image/png
Details 
See bug 368763 comment 9.  Basically, if someone manages to run an unprivileged javascript: URI against a privileged iframe they can possibly escalate their privileges.  I bet moz_bug_r_a4@yahoo.com can provide an exploit if people need convincing... ;)

We should probably either duplicate the context-creation stuff in XPConnect or somehow expose it.
Flags: blocking1.9?
Flags: blocking1.8.1.3?
Flags: blocking1.8.0.11?
Group: security
Would using a safe object wrapper work here? Can we use them from C++?
Hmm...  That might work...  Especially if XPConnect returned that wrapper to start with (I bet XPConnect can use them from C++ if it wants!).

Wanted on the branches, but without an assignee or patch doesn't seem likely to happen any time soon. If we get a trunk solution renominate for a specific branch release at that time.
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Whiteboard: [sg:investigate] spun off an sg:critical bug
Flags: blocking1.9? → blocking1.9+
So I'm not sure whether a safe object wrapper would work here, to be honest.  I guess it might because we'll never be looking at the context...

Just creating a new JSContext won't work -- a JSContext without an nsIScriptContext is treated as all-powerful.
Or we could just compile a scripted function with the right principal and use that to stringify the value...  Do we need any sort of protection around JS_ReportPendingException, though?
(In reply to comment #4)
> So I'm not sure whether a safe object wrapper would work here, to be honest.  I
> guess it might because we'll never be looking at the context...

Right, that was why I suggested it.

So is JS_ReportPendingException safe?  e.g. if toString() or valueOf() throws some object defined by the javascript: URI, what happens?
(In reply to comment #7)

JS_ReportPendingException seems to be not safe.  Exploits work even with throw.
Attached file testcase 1 - without throwing (obsolete) — 

    
    

    
  

      
      
      
      

        Attached file
          
        testcase 2 - toString() throws (obsolete)
        — 
      

    


  

    
    

    
  

      
      
      
      

        Attached file
          
        testcase 3 - throws in the sandbox (obsolete)
        — 
      

    


  

    
    

    
  
Hmm...  Throwing in the sandbox _also_ works?  How do those exceptions end up on our "outer" context anyway?

    
    

    
  
Ah, I see...

By the way, this seems to be basically a duplicate of bug 363597, no?

I wonder whether we could create the sandbox context together with the sandbox object and have xpconnect's API here return both or something?
Blocks: 363597

    
    

    
  
Old testcases no longer work on trunk.  They use strObj.eval.valueOf to access
Object.prototype.valueOf, but now strObj.eval is undefined on trunk. (see bug
382509.)  I'll attach new testcases, which use strObj.valueOf.valueOf to access
Object.prototype.valueOf.

    
  
Depends on: 386635

    
    

    
  
This should now be fixed by the checkin for bug 386635.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED

    
    

    
  
Should get this into a test suite.
Flags: in-testsuite?

    
    

    
  
The patch that fixed this was backed out.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Proposed fixSplinter Review
      

    


  
This patch makes the sandbox itself convert the return value (and exception) to a string, using good scope chains, etc.

The only "problem" with the patch, is that if the sandbox throws an object whose toString throws an exception, that exception will get lost. I'm pretty confident that this will only happen to those developers who are up to no good, so I'm fine with that.
Assignee: general → mrbkap
Status: REOPENED → ASSIGNED

        Attachment #272584 -
        Flags: superreview?(jst)

        Attachment #272584 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 272584 [details] [diff] [review]
Proposed fix

>+++ b/js/src/xpconnect/idl/nsIXPConnect.idl
>+                                         in PRBool returnString);

Please document.  Same for the declaration of  xpc_EvalInSandbox.

And maybe name it returnStringOnly?

r=bzbarsky other than that.

        Attachment #272584 -
        Flags: review?(bzbarsky) → review+

        Attachment #272584 -
        Flags: superreview?(jst) → superreview+

    
    

    
  
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago17 years ago
Resolution: --- → FIXED

    
    

    
  
Is this fix appropriate for the 1.8.1.8 release or is it tied up with XOW?
Flags: blocking1.8.1.8?

    
    

    
  
In general, PAC doesn't interface with XOW. This should be easy to backport.
Flags: blocking1.8.1.8? → blocking1.8.1.8+
Whiteboard: [sg:investigate] spun off an sg:critical bug → [sg:moderate] spun off an sg:critical bug

    
    

    
  
Blake: this didn't make 1.8.1.8, but please back-port when you get time so this doesn't miss 1.8.1.9 as well.
Flags: blocking1.8.1.8+ → blocking1.8.1.9+

    
    

    
  
Yeah, sorry about that. I have a backport, but wasn't able to test it.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Backport to 1.8Splinter Review
      

    


  
This backports this patch to the 1.8 branch. The conflicts come from API compat (nsIXPConnect_MOZILLA_1_8_BRANCH2) and the fact that the request stuff never landed on the 1.8 branch.

        Attachment #283810 -
        Flags: superreview?(bzbarsky)

        Attachment #283810 -
        Flags: review?(jst)

    
    

    
  
Comment on attachment 283810 [details] [diff] [review]
Backport to 1.8

sr=bzbarsky

        Attachment #283810 -
        Flags: superreview?(bzbarsky) → superreview+
Whiteboard: [sg:moderate] spun off an sg:critical bug → [sg:moderate][need r=jst on branch] spun off an sg:critical bug

    
    

    
  
jst: Ping? The branch patch still needs review.

        Attachment #283810 -
        Flags: review?(jst) → review+

    
  

        Attachment #283810 -
        Flags: approval1.8.1.12?
Whiteboard: [sg:moderate][need r=jst on branch] spun off an sg:critical bug → [sg:moderate] spun off an sg:critical bug

    
    

    
  
Comment on attachment 283810 [details] [diff] [review]
Backport to 1.8

approved for 1.8.1.12, a=dveditz for release-drivers

        Attachment #283810 -
        Flags: approval1.8.1.12? → approval1.8.1.12+

    
  
Keywords: fixed1.8.1.12

    
    

    
  
Fixed on the 1.8 branch.

    
    

    
  
Verified FIXED on the 1.8 branch using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080128 Firefox/2.0.0.12.

Replacing fixed1.8.1.12 with verified1.8.1.12.
Keywords: fixed1.8.1.12verified1.8.1.12

    
    

    
  
I forgot to mention that all testcases in this bug (testcase 1-6) use bug
344495's trick.
Depends on: 344495
Whiteboard: [sg:moderate] spun off an sg:critical bug → [sg:moderate] spun off an sg:critical bug, reveals bug 344495
Group: security

    
    

    
  
distro patch blocking 1.8.0.15     
Flags: blocking1.8.0.15+

    
    

    
  
Comment on attachment 283810 [details] [diff] [review]
Backport to 1.8

unmodified distro patch. caillon, please sign off.

        Attachment #283810 -
        Flags: approval1.8.0.15?

    
    

    
  
Comment on attachment 283810 [details] [diff] [review]
Backport to 1.8

a=caillon

        Attachment #283810 -
        Flags: approval1.8.0.15? → approval1.8.0.15+

    
    

    
  
MOZILLA_1_8_0_BRANCH:

Checking in dom/src/jsurl/nsJSProtocolHandler.cpp;
/cvsroot/mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp,v  <--  nsJSProtocolHandler.cpp
new revision: 1.113.2.2.2.6; previous revision: 1.113.2.2.2.5
done
Checking in js/src/xpconnect/idl/nsIXPConnect.idl;
/cvsroot/mozilla/js/src/xpconnect/idl/nsIXPConnect.idl,v  <--  nsIXPConnect.idl
new revision: 1.35.4.1.4.3; previous revision: 1.35.4.1.4.2
done
Checking in js/src/xpconnect/src/nsXPConnect.cpp;
/cvsroot/mozilla/js/src/xpconnect/src/nsXPConnect.cpp,v  <--  nsXPConnect.cpp
new revision: 1.73.4.3.2.5; previous revision: 1.73.4.3.2.4
done
Checking in js/src/xpconnect/src/xpccomponents.cpp;
/cvsroot/mozilla/js/src/xpconnect/src/xpccomponents.cpp,v  <--  xpccomponents.cpp
new revision: 1.75.2.6.2.9; previous revision: 1.75.2.6.2.8
done
Checking in js/src/xpconnect/src/xpcprivate.h;
/cvsroot/mozilla/js/src/xpconnect/src/xpcprivate.h,v  <--  xpcprivate.h
new revision: 1.162.2.4.2.9; previous revision: 1.162.2.4.2.8
done
Keywords: fixed1.8.0.15
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: