Closed
Bug 402287
Opened 17 years ago
Closed 17 years ago
register{Protocol,Content}Handler should only be allowed from same host as handler
Categories
(Core Graveyard :: File Handling, defect, P2)
Core Graveyard
File Handling
Tracking
(Not tracked)
RESOLVED
FIXED
mozilla1.9beta4
People
(Reporter: dmosedale, Assigned: florian)
References
Details
(Keywords: dev-doc-complete, privacy, Whiteboard: [proto])
Attachments
(2 files, 2 obsolete files)
5.63 KB,
patch
|
Details | Diff | Splinter Review | |
4.20 KB,
patch
|
Details | Diff | Splinter Review |
This is to avoid the scenario where a user is tricked into setting up a handler to a major site that goes through a redirector for information stealing purposes. Requesting blocking-1.9?
Flags: blocking1.9?
Reporter | ||
Updated•17 years ago
|
Whiteboard: [proto]
Reporter | ||
Updated•17 years ago
|
Priority: -- → P2
Comment 2•17 years ago
|
||
Not a regression, registerContentHandler is on branch.
Flags: blocking1.9? → blocking1.9-
Reporter | ||
Comment 3•17 years ago
|
||
Requesting reconsideration for, at the very least, wanted+. The reasoning here that it's hard to add restrictions post facto if people come to depend on not having them, whereas it's easier to start conservative and remove restrictions later.
Flags: blocking1.9- → blocking1.9?
Reporter | ||
Updated•17 years ago
|
Group: security
Assignee | ||
Comment 4•17 years ago
|
||
If we really want to add this restriction, we could probably add a pref to switch that restriction off so that we can still use our curent testcases.
Updated•17 years ago
|
Group: security
Reporter | ||
Comment 5•17 years ago
|
||
Florian also pointed out to me at lunch that this policy doesn't prevent the phishing/redirection attack we had in mind: if someone is able to convince a user to accept their own site setting up a handler that redirects through them to Google Mail, they'll just host the registration on the same site as redirector. In the interested of starting off this feature from a generally conservative posture, I still think this probably deserves wanted+, but it's not as important as I thought.
Comment 6•17 years ago
|
||
That's why I want the hostname to be displayed in the pick-a-handler dialog.
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
Comment 7•17 years ago
|
||
If we had this kind of restriction on adding search plugins that feature would be a lot less useful. No mycroft.mozdev.org :-(
Reporter | ||
Updated•17 years ago
|
Assignee: nobody → dmose
Reporter | ||
Comment 8•17 years ago
|
||
Since we don't know of any attacks that this would prevent, I assert that this is not blocking+, and at most wanted+. Setting back to blocking? for re-evaluation.
Flags: blocking1.9+ → blocking1.9?
Comment 9•17 years ago
|
||
I thought comment 0 described the attack pretty clearly. This needs to be fixed for Firefox 3 because otherwise sites will start relying on being able to do it the unsafe way.
Assignee | ||
Comment 10•17 years ago
|
||
(In reply to comment #9) > I thought comment 0 described the attack pretty clearly. This restriction would not protect against the attack described in comment 0. See comment 5.
Comment 11•17 years ago
|
||
It would protect against that attack as long as the hostname is displayed in the pick-an-application dialog.
Assignee | ||
Comment 12•17 years ago
|
||
(In reply to comment #11) > It would protect against that attack as long as the hostname is displayed in > the pick-an-application dialog. > This is bug 402620.
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
Comment 13•17 years ago
|
||
Based on comment #12 taking off blocking list..
Flags: blocking1.9+ → blocking1.9-
Comment 14•17 years ago
|
||
Schrep, you might have misread comment 12. Both bugs need to be fixed to prevent malicious sites from suggesting bogus (e.g. redirecting) URLs at mail.google.com as mailto: handlers.
Flags: blocking1.9- → blocking1.9?
Assignee | ||
Comment 15•17 years ago
|
||
(In reply to comment #14) > Schrep, you might have misread comment 12. Both bugs need to be fixed to > prevent malicious sites from suggesting bogus (e.g. redirecting) URLs at > mail.google.com as mailto: handlers. > No. If evil.com wants to register a redirecting handler to mail.google.com, the url of the handler will be http://evil.com/something, and registerProtocolHandler will be called from evil.com Fixing this bug would not prevent anything in this attack. We should probably WONTFIX it. Maybe you mean "a protocol handler should not be allowed to redirect to a different host" but it's not what this bug is about.
Comment 16•17 years ago
|
||
I'm talking about redirecting the other way: evil.com registers a protocol handler pointing to https://mail.google.com/redirect?url=http://evil.com/collector, and Firefox shows mail.google.com as the host for the handler.
Assignee | ||
Comment 17•17 years ago
|
||
Are there really some urls like https://mail.google.com/redirect?url=%s that work and are hosted with the same hostname as a useful webapp? The only redirector I could find on a google website is http://www.google.com/url?q=%s and there are a lot of other parameters to check (probably with session data) that the redirecting page is trusted. If the check fails a warning is displayed: http://www.google.com/url?q=http://evil.com
Reporter | ||
Comment 18•17 years ago
|
||
I didn't realize what Jesse meant either. I'm of two minds about this bug; do we have any sort of data or even gut feel about whether this actually happens in the wild? It seems to be arguably a web-site bug.
Comment 19•17 years ago
|
||
Open redirects and "open framing" are very common and are not usually considered to be vulnerabilities. See http://sla.ckers.org/forum/read.php?3,505,10958 for tons of examples.
Reporter | ||
Updated•17 years ago
|
Assignee: dmose → florian
Assignee | ||
Comment 21•17 years ago
|
||
Adds the restriction with a hidden pref to disable it so that it doesn't bother us while testing the feature.
Comment 22•17 years ago
|
||
(In reply to comment #21) > Adds the restriction with a hidden pref to disable it so that it doesn't bother > us while testing the feature. Mochitest gives you the ability to run tests on any of a set of arbitrary domains, or to run tests on a single domain (see the Mochitest page on MDC). I don't see why a hidden pref is necessary here -- you should have more than enough control over this for automated tests to not need this. Further, you shouldn't be writing ad-hoc tests instead of automated tests, because ad-hoc tests lose their utility after being used, whereas automated ones are useful essentially forever.
Assignee | ||
Comment 23•17 years ago
|
||
By "while testing the feature" I meant while we finish the UI for registering a protocol/content handler. This restriction will basically break all the testcases we currently have. And btw, this restriction sucks. We need to have it by default, but some advanced users who are able to read the url and check themselves that there is not a redirection hidden in it may want to disable it.
Assignee | ||
Comment 24•17 years ago
|
||
Attachment #290582 -
Attachment is obsolete: true
Attachment #290606 -
Flags: review?(gavin.sharp)
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
Reporter | ||
Updated•17 years ago
|
Whiteboard: [proto] → [proto] [needs r gavin]
Reporter | ||
Comment 25•17 years ago
|
||
Florian and I had a bit of discussion about whether we should loosen the restriction here to allow the entire eTLD+1 by default rather than just the hostname. My gut is that we should stay conservative and keep with the hostname and liberalize as necessary. That said, my feeling about it isn't that strong. One question I have is about what level of certainty the eTLD+1 service gives us; does it ever make mistakes? Other thoughts? dveditz? jesse?
Comment 26•17 years ago
|
||
My gut feeling matches dmose's. We shouldn't use eTLD+1 matches for everything.
Comment 27•17 years ago
|
||
See also bug 413567, "Figure out how we should display hostnames in the protocol handling dialog".
Comment 28•17 years ago
|
||
Comment on attachment 290606 [details] [diff] [review] patch >Index: browser/components/feeds/src/WebContentConverter.js >+ // We also reject handlers registered from a different host (see bug 402287) >+ // The pref allows us to test the feature >+ var pb = Cc["@mozilla.org/preferences-service;1"]. >+ getService(Ci.nsIPrefService).getBranch(null); Could just getService(Ci.nsIPrefBranch) and remove the call to getBranch(), the pref service QIs to nsIPrefBranch and forwards calls to the root branch. http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpref/src/nsPrefService.h&rev=1.25&mark=51,61,62#51 >+ if ((!pb.prefHasUserValue(PREF_ALLOW_DIFFERENT_HOST) || >+ !pb.getBoolPref(PREF_ALLOW_DIFFERENT_HOST)) && >+ aContentWindow.location.host != uri.host) nsLocation::GetHost() actually returns the URI's hostPort, so perhaps you should use location.hostName instead (which returns just .host)? I'm not sure whether you want to actually be comparing origins rather than just the host's name, but I guess the host name is probably sufficient. >+ throw("Permision denied to add " + uri.spec + " as a content or protocol handler");
Attachment #290606 -
Flags: review?(gavin.sharp) → review+
Updated•17 years ago
|
Whiteboard: [proto] [needs r gavin] → [proto]
Assignee | ||
Updated•17 years ago
|
Target Milestone: --- → mozilla1.9beta4
Assignee | ||
Comment 29•17 years ago
|
||
Tests will be added in bug 402788.
Attachment #290606 -
Attachment is obsolete: true
Assignee | ||
Comment 30•17 years ago
|
||
Checking in browser/components/feeds/src/WebContentConverter.js; /cvsroot/mozilla/browser/components/feeds/src/WebContentConverter.js,v <-- WebContentConverter.js new revision: 1.26; previous revision: 1.25 done Checking in browser/app/profile/firefox.js; /cvsroot/mozilla/browser/app/profile/firefox.js,v <-- firefox.js new revision: 1.275; previous revision: 1.274 done
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•17 years ago
|
Flags: in-testsuite+
Comment 31•17 years ago
|
||
Needs a touch of dev-doc, since I wound up having to read the code to find out why I suddenly couldn't use it while not doing anything devmo told me not to do.
Keywords: dev-doc-needed
Assignee | ||
Comment 34•17 years ago
|
||
(In reply to comment #33) > Created an attachment (id=323108) [details] > test case in mochitest for this bug > I added some tests for this bug as part of the patch for bug 402788. Did you see these? Was there something that wasn't tested right?
Comment 35•17 years ago
|
||
(In reply to comment #34) > (In reply to comment #33) > > Created an attachment (id=323108) [details] [details] > > test case in mochitest for this bug > > > > I added some tests for this bug as part of the patch for bug 402788. Did you > see these? Was there something that wasn't tested right? > Ah, this would be my fault. Heather is just starting out with test development. I directed her to do this test as I was unaware of the ones you had written, Florian.
Comment 36•17 years ago
|
||
Comment on attachment 323108 [details] [diff] [review] test case in mochitest for this bug Clearing review, since there already seem to be tests for this.
Attachment #323108 -
Flags: review?(dolske)
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•