Closed Bug 401343 Opened 17 years ago Closed 17 years ago

restrict web-based protocol handlers to http/https

Categories

(Core Graveyard :: File Handling, defect, P1)

Product:
Core Graveyard
Component:
File Handling
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
mozilla1.9beta2

People

(Reporter: Waldo, Assigned: florian)

References

Details

(Whiteboard: [proto][has-patch])

Attachments

(2 files)

Proof of concept, works with a little setup
408 bytes, text/html
Details
patch v1
2.29 KB, patch
Gavin
: review+
Details | Diff | Splinter Review 
I shouldn't be able to register a URI as a content handler to which I couldn't create a link.

URL encoding makes this a bit tricky to actually make work, but if you can find a file whose name contains a colon, you can load it by using the newly-registered protocol.  Stuff like "file:///bin/rm -rf %s" falls afoul of the encoding restriction.  The example given here works for me if I create a file named "test:bar" in the right location.

I tend to think we should go beyond "create a link" to "is a URL from a specific blacklist of protocols", because this works partly because file: URL objects have a non-throwing .host property, and I wouldn't trust that to always hold for anything we care about (also extensions as well).
Flags: blocking1.9?
Summary: Need some checkLoadURI love, blacklist (?) for registerContentHandler → Need some checkLoadURI love, blacklist (?) for register{Content,Protocol}Handler
Whiteboard: [proto]
At the security review for the web-based protocol handling, we tentatively decided to go one better and restrict it to http: or https: URIs until such time as someone comes up with a compelling use case for opening it up more.  We might want to suggest this to the WhatWG as well.
Summary: Need some checkLoadURI love, blacklist (?) for register{Content,Protocol}Handler → restrict protocol / content handlers to http/https
Looks like the registerContentHandler used by Firefox already has this restriction; we only really need to fix registerProtocolHandler.  But see also bug 401535 about how this logic really shouldn't need to be implemented once per frontend.
Summary: restrict protocol / content handlers to http/https → restrict protocol to http/https
Summary: restrict protocol to http/https → restrict web-based protocol handlers to http/https
Flags: blocking1.9? → blocking1.9+
Priority: -- → P1
Assignee: nobody → dmose
Assignee: dmose → f.qu
Attached patch patch v1Splinter Review 

        Attachment #287748 -
        Flags: review?(gavin.sharp)

    
  
Whiteboard: [proto] → [proto][has-patch]
Priority: P1 → --
Priority: -- → P1

    
    

    
  
Comment on attachment 287748 [details] [diff] [review]
patch v1

Native callers can optimize by using schemeIs rather than getting scheme and doing a compare, but since this is going through xpconnect either way it probably doesn't matter much.

        Attachment #287748 -
        Flags: review?(gavin.sharp) → review+

    
  
Keywords: checkin-needed

    
    

    
  
Checking in browser/components/feeds/src/WebContentConverter.js;
/cvsroot/mozilla/browser/components/feeds/src/WebContentConverter.js,v  <--  WebContentConverter.js
new revision: 1.24; previous revision: 1.23
done
Status: NEW → RESOLVED
Closed: 17 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9 M10

    
  
Flags: in-testsuite?
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: