Closed
Bug 381412
Opened 17 years ago
Closed 17 years ago
Avoid XSS with incomplete sequences in multibyte character sets
Categories
(Core :: DOM: HTML Parser, defect)
Core
DOM: HTML Parser
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha8
People
(Reporter: u217243, Assigned: emk)
References
()
Details
(Keywords: jp-critical, verified1.8.1.8, Whiteboard: [sg:moderate] embargo until Feb 2008 (comment 29), longtest)
Attachments
(7 files, 5 obsolete files)
351 bytes,
text/html; charset=iso-2022-jp
|
Details | |
338 bytes,
text/html
|
Details | |
36.02 KB,
patch
|
smontagu
:
review+
dveditz
:
superreview+
dveditz
:
approval1.8.1.8+
dveditz
:
approval1.8.0.14-
|
Details | Diff | Splinter Review |
81 bytes,
message/rfc822
|
Details | |
351 bytes,
text/html; charset=ISO-2022-JP
|
Details | |
1.42 KB,
patch
|
smontagu
:
review+
dveditz
:
superreview+
|
Details | Diff | Splinter Review |
321 bytes,
text/html; charset=ISO-2022-JP
|
Details |
Yosuke Hasegawa at WebAppSec.jp reported a bug in the Mozilla parser through JPCERT/CC. The parser ignores control character '0x80' in HTML tag attributes if character encoding of the page is Shift_JIS commonly used in Japan, and allows Cross-Site Scripting attacks in some cases. Scripts cannot be run if the charset is not Shift_JIS. He posted the POC here: http://openmya.hacker.jp/hasegawa/PoC/firefox-0x80.html It contains the following codes: <div [0x80]onmouseover="alert('xss');">aaa</div> <[0x80][0x80]s[0x80][0x80]c[0x80]r[0x80]i[0x80]p[0x80]t[0x80]>[0x80]document.write('[0x80]xss');</script>
Comment 1•17 years ago
|
||
Is the HTML parser ignoring characters or is the Shift_JIS decoder ignoring bytes?
Comment 2•17 years ago
|
||
I doubt it's the parser because we recently added checks for stuff like this
Comment 3•17 years ago
|
||
If it's in the charset converter, are similar issues lurking in scripts other than shift-JIS?
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.9?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Whiteboard: [sg:moderate]
Comment 4•17 years ago
|
||
This looks to me like a regression from bug 108136, and probably applies to all Japanese codepages.
Comment 5•17 years ago
|
||
This fixes the testcase, but I want to do more investigation in other codepages and regression testing.
Assignee: nobody → smontagu
Status: NEW → ASSIGNED
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
Updated•17 years ago
|
Target Milestone: --- → mozilla1.9alpha6
Comment 6•17 years ago
|
||
Unlike the original, this one also works in IE, and I think it will be somewhat harder to fix. It uses ISO-2022-JP escape sequences to create zero-length JIS X 0208 runs between ASCII characters.
Updated•17 years ago
|
Attachment #267398 -
Attachment mime type: text/html → text/html; charset=iso-2022-jp
Updated•17 years ago
|
Summary: Avoid XSS with control character 0x80 in HTML tag attributes (charset Shift_JIS only) → Avoid XSS with incomplete sequences in multibyte character sets
Updated•17 years ago
|
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Comment 7•17 years ago
|
||
For extra points, this one works in Mozilla, IE and Safari
Comment 8•17 years ago
|
||
I audited all the DBCS and MCBS encodings in intl/uconv/ucvja ucvcn ucvko ucvtw and ucvtw2 for similar holes. This patch fixes: The originally reported flaw with 0x80 in Shift-JIS Assertions with out-of-range bytes in HZ-GB-2312 Zero-length non-ASCII runs in ISO-2022-JP (attachment 267398 [details]) Zero-length non-ASCII runs in ISO-2022-CN Zero-length non-ASCII runs in ISO-2022-KR Zero-length non-ASCII runs in HZ-GB-2312 (attachment 268763 [details]).
Attachment #265538 -
Attachment is obsolete: true
Attachment #269066 -
Flags: superreview?(dveditz)
Attachment #269066 -
Flags: review?(jshin1987)
Updated•17 years ago
|
Whiteboard: [sg:moderate] → [sg:moderate] longtest
Comment 9•17 years ago
|
||
punting remaining a6 bugs to b1, all of these shipped in a5, so we're at least no worse off by doing so.
Target Milestone: mozilla1.9alpha6 → mozilla1.9beta1
Updated•17 years ago
|
Whiteboard: [sg:moderate] longtest → [sg:moderate] longtest, need r=jshin, sr=dveditz
Updated•17 years ago
|
Flags: blocking1.8.1.5+ → blocking1.8.1.6?
Updated•17 years ago
|
Flags: blocking1.8.0.13+ → blocking1.8.0.14?
Comment 10•17 years ago
|
||
Comment on attachment 269066 [details] [diff] [review] Patch r+. Sorry for the terrible delay. >Index: intl/uconv/ucvja/nsJapaneseToUnicode.cpp >=================================================================== >+++ intl/uconv/ucvja/nsJapaneseToUnicode.cpp 20 Jun 2007 11:55:10 -0000 >@@ -132,18 +132,22 @@ NS_IMETHODIMP nsShiftJISToUnicode::Conve > if(0xFFFD == mData) { > // IE convert fd-ff as single byte and convert to > // U+f8f1 to U+f8f3 > if((0xfd == *src) || (0xfe == *src) || (0xff == *src)) > { > *dest++ = (PRUnichar) 0xf8f1 + > (*src - (unsigned char)(0xfd)); > if(dest >= destEnd) > goto error1; >+ } else { >+ *dest++ = 0x30FB; >+ if(dest >= destEnd) >+ goto error1; Does IE also map 0x80 to U+30FB? If so, please mention that. BTW, can we do this and 0xFD - 0xFF mapping regardless of the value of intl.jis0208.map?
Attachment #269066 -
Flags: review?(jshin1987) → review+
Updated•17 years ago
|
Whiteboard: [sg:moderate] longtest, need r=jshin, sr=dveditz → [sg:moderate] longtest, need sr=dveditz
Comment 11•17 years ago
|
||
> Does IE also map 0x80 to U+30FB? If so, please mention that. IE maps 0x80 to itself, and 0xA0 to U+F8F0. I've changed the patch to follow this. > BTW, can we do > this and 0xFD - 0xFF mapping regardless of the value of intl.jis0208.map? I've tested that that's what we do already.
Attachment #269066 -
Attachment is obsolete: true
Attachment #278301 -
Flags: superreview?(dveditz)
Attachment #278301 -
Flags: review+
Attachment #269066 -
Flags: superreview?(dveditz)
Updated•17 years ago
|
Flags: blocking1.8.1.7? → blocking1.8.1.7+
Comment 12•17 years ago
|
||
Comment on attachment 278301 [details] [diff] [review] addressed review comments sr=dveditz
Attachment #278301 -
Flags: superreview?(dveditz) → superreview+
Updated•17 years ago
|
Attachment #278301 -
Flags: approval1.8.1.7?
Attachment #278301 -
Flags: approval1.8.0.14?
Comment 13•17 years ago
|
||
Checked in, with testcases.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Comment 14•17 years ago
|
||
Simon says IE, Opera and Safari are also affected
Comment 15•17 years ago
|
||
Comment on attachment 278301 [details] [diff] [review] addressed review comments approved for 1.8.1.7 and 1.8.0.14, a=dveditz for release-drivers
Attachment #278301 -
Flags: approval1.8.1.7?
Attachment #278301 -
Flags: approval1.8.1.7+
Attachment #278301 -
Flags: approval1.8.0.14?
Attachment #278301 -
Flags: approval1.8.0.14+
Updated•17 years ago
|
Keywords: fixed1.8.0.14,
fixed1.8.1.7
Updated•17 years ago
|
Keywords: fixed1.8.1.8 → verified1.8.1.8
Whiteboard: [sg:moderate] longtest, need sr=dveditz → [sg:moderate] longtest
Comment 16•17 years ago
|
||
Microsoft and Opera both asked for us to delay disclosure of this flaw while they address it, both have releases early-to-mid December coming up so tentatively that's when we can announce this (along with FF2009 perhaps).
Whiteboard: [sg:moderate] longtest → [sg:moderate] embargo until Dec 2007 (comment 16), longtest
Comment 17•17 years ago
|
||
I re-pinged Apple for a status update (so far I've only gotten the initial "The issue is being investigated" reply). Kohei suggested I post their tracking number here.
> Please include the line below in follow-up emails for this request.
> Follow-up: 34991641
Assignee | ||
Comment 18•17 years ago
|
||
Why ISO-2022-JP decoder fails if it encounters a empty sequence? Some Japanese mail subjects are *completely* garbled even if the empty sequence is at end of the subject. Other encoders seem to fallback to U+FFFD. Why ONLY the Japanese encoder fails?
Assignee | ||
Comment 19•17 years ago
|
||
Moreover, the fix is incomplete. I could cause XSS attack against Firefox 2.0.0.9 using empty sequences.
Assignee | ||
Comment 20•17 years ago
|
||
This will fix both problems.
Assignee: smontagu → VYV03354
Status: RESOLVED → ASSIGNED
Attachment #289168 -
Flags: superreview?(dveditz)
Attachment #289168 -
Flags: review?(smontagu)
Attachment #289168 -
Flags: approval1.9?
Attachment #289168 -
Flags: approval1.8.1.11?
Attachment #289168 -
Flags: approval1.8.1.10?
Attachment #289168 -
Flags: approval1.8.0.14?
Resolution: FIXED → ---
Assignee | ||
Updated•17 years ago
|
Keywords: fixed1.8.0.14,
verified1.8.1.8
Updated•17 years ago
|
Flags: blocking1.8.1.10?
Comment 21•17 years ago
|
||
Comment on attachment 289168 [details] [diff] [review] Patch Could you add an automated testcase to this patch, so this problem doesn't accidentally reappear in the future?
Assignee | ||
Comment 22•17 years ago
|
||
Updated•17 years ago
|
Flags: blocking1.8.1.11?
Comment 23•17 years ago
|
||
Comment on attachment 289168 [details] [diff] [review] Patch Clearing the approval1.9 flag because reviews are not complete. once you get code review please re-nominate
Attachment #289168 -
Flags: approval1.9?
Assignee | ||
Comment 24•17 years ago
|
||
Attachment #289168 -
Attachment is obsolete: true
Attachment #289188 -
Attachment is obsolete: true
Attachment #290136 -
Flags: review?(smontagu)
Attachment #289168 -
Flags: superreview?(dveditz)
Attachment #289168 -
Flags: review?(smontagu)
Attachment #289168 -
Flags: approval1.8.1.11?
Attachment #289168 -
Flags: approval1.8.1.10?
Attachment #289168 -
Flags: approval1.8.0.14?
Comment 26•17 years ago
|
||
Comment on attachment 290136 [details] [diff] [review] patch incorporated into a test > } else if ('J' == *src) { > mState = mState_JISX0201_1976Roman; >+ if (mRunLength == 0) { >+ if((dest+1) >= destEnd) >+ goto error1; >+ *dest++ = 0xFFFD; >+ } This is going to put in U+FFFD whenever we shift from ASCII to JIS-X Roman, no? That seems wrong to me. Maybe the condition should be if (mRunLength == 0 && mLastLegalState != mState_ASCII) ? > } else { > // XXX We need to decide how to handle \ and ~ here > // we may need a if statement here for '\' and '~' > // to map them to Yen and Overbar > *dest++ = (PRUnichar) *src; >- ++mRunLength; And removing this line is going to cause U+FFFD whenever we shift back from JIS-X Roman to ASCII
Attachment #290136 -
Flags: review?(smontagu) → review-
Reporter | ||
Comment 27•17 years ago
|
||
Some Thunderbird users, including myself, have confirmed the garbled message subjects since 2.0.0.9.
Keywords: jp-critical
Assignee | ||
Comment 28•17 years ago
|
||
(In reply to comment #26) > (From update of attachment 290136 [details] [diff] [review]) > This is going to put in U+FFFD whenever we shift from ASCII to JIS-X Roman, no? > That seems wrong to me. Maybe the condition should be > if (mRunLength == 0 && mLastLegalState != mState_ASCII) > ? I know it's technically wrong, but we have no choice to avoid XSS with sequnces such as "<" ESC "(" "J" "script". > And removing this line is going to cause U+FFFD whenever we shift back from > JIS-X Roman to ASCII Ditto. it's required to avoid XSS with sequences such as ESC "(" "J" "<" ESC "(" "B" "script". And of course, we need to avoid "JIS-X Roman to JIS-X Roman" sequences. Do you have a good idea to prevent these attacks?
Comment 29•17 years ago
|
||
Microsoft found regressions in their patch and won't be releasing their fix until February. Please embargo until at least then.
Whiteboard: [sg:moderate] embargo until Dec 2007 (comment 16), longtest → [sg:moderate] embargo until Feb 2008 (comment 29), longtest
Updated•17 years ago
|
Flags: blocking1.8.0.14? → blocking1.8.0.15?
Comment 30•17 years ago
|
||
Comment on attachment 278301 [details] [diff] [review] addressed review comments Minusing this patch for the 1.8.0 branch due to Thunderbird regressions.
Attachment #278301 -
Flags: approval1.8.0.14+ → approval1.8.0.14-
Assignee | ||
Comment 31•17 years ago
|
||
I removed a testcase because this version will FAIL the test.
Attachment #290136 -
Attachment is obsolete: true
Attachment #291406 -
Flags: review?(smontagu)
Assignee | ||
Comment 32•17 years ago
|
||
New patch is vulnerable to this test. I'll file a followup bug about this problem when this bug is resolved again.
Comment 33•17 years ago
|
||
I'm sorry, I need more time to think about "the right thing" to do here. We should certainly fix the Thunderbird regression, but I'm not sure what to about the vulnerabilities with ASCII to JIS-X Roman sequences. Unlike the sequences that my original patch was designed to prevent, these sequences are completely legal ISO-2022-JP
Assignee | ||
Comment 34•17 years ago
|
||
(In reply to comment #33) Your patch refuses ASCII to ASCII sequences that are also completely valid per BNF defined in RFC 1468. There is no point to allow switching between JIS Roman and ASCII. BTW, my new patch will fix only the Thunderbird regression which is urgent for Japanese users. So I proposed filing a new bug to consider about remaining problem. Another BTW, bug 406777 may become a solution.
Comment 35•17 years ago
|
||
Comment on attachment 291406 [details] [diff] [review] resolved review comment OK, that's fair enough. r=smontagu
Attachment #291406 -
Flags: superreview?(dveditz)
Attachment #291406 -
Flags: review?(smontagu)
Attachment #291406 -
Flags: review+
Comment 36•17 years ago
|
||
Covering the regression in this bug obscures the fact that real problems were fixed in previous releases, including charsets that do not appear to suffer from this regression. I filed bug 407161 to cover the regression and to track landing the patch we're reviewing in this bug (future patches, if necessary, should go in the regression bug). (In reply to comment #32) > New patch is vulnerable to this test. > I'll file a followup bug about this problem when this bug is resolved again. If it's not going to be handled along with this patch (now bug 407161) go ahead and file the new bug now and make it block 407161. And I guess in that case remove the 'XSS variant' bit from the bug 407161 title
Status: ASSIGNED → RESOLVED
Closed: 17 years ago → 17 years ago
Keywords: verified1.8.1.8
Resolution: --- → FIXED
Comment 37•17 years ago
|
||
Comment on attachment 291406 [details] [diff] [review] resolved review comment sr=dveditz
Attachment #291406 -
Flags: superreview?(dveditz)
Attachment #291406 -
Flags: superreview+
Attachment #291406 -
Flags: approval1.8.1.12?
Updated•17 years ago
|
Attachment #291406 -
Flags: approval1.9?
Comment 38•17 years ago
|
||
Comment on attachment 291406 [details] [diff] [review] resolved review comment copied patch into regression bug for purposes of approval, not sure it'll get found correctly here (see "Dan misses follow-up patch and causes FF2.0.0.11" debacle).
Attachment #291406 -
Flags: approval1.9?
Attachment #291406 -
Flags: approval1.8.1.12?
Updated•17 years ago
|
Flags: blocking1.8.1.12?
Updated•16 years ago
|
Flags: blocking1.8.0.15? → blocking1.8.0.15+
Reporter | ||
Comment 39•16 years ago
|
||
Any updates from other vendors?
Assignee | ||
Comment 40•16 years ago
|
||
(In reply to comment #39) > Any updates from other vendors? Before that, did we prepare to make the vulnerability public? The issue I mentioned in comment #28 is not fixed yet. Is it appropriate to filter out completely valid sequences?
Updated•16 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•