Bug 404627 - [FIX]XPinstall whitelist bypass using refresh after fix for bug 402649
Status: Closed, VERIFIED FIXED (opened 17 years ago, closed 17 years ago)
Categories: Core :: DOM: Core & HTML, defect
People: Reporter: dveditz, Assigned: bzbarsky
Details: Keywords: fixed1.8.0.15, regression, verified1.8.1.12; Whiteboard: [sg:low?]
Attachments (1 file)
Attachment #289554 (patch, 3.05 KB): jst: review+; jst: superreview+; dveditz: approval1.8.1.12+; caillon: approval1.8.0.next+
bug 402649 described a way to fake a referer header, which amongst the various CSRF attacks envisioned by the reporter also allowed a trivial bypass of the xpinstall site blocking code -- you simply specify https://addons.mozilla.org as the referer. The fix made the referer always blank, which xpinstall then interprets as having been entered into the address bar by the user (or as a local file URI). When I try the refresh trick without the race condition the xpinstall is correctly blocked even though no referer is actually sent over the wire. The blocking actually uses an internal referer property set on the channel that may not always match the physical referer, we need to get that set in cases like bug 402649
Flags: wanted1.8.1.x+
Flags: blocking1.9?
Flags: blocking1.8.1.11?
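The description above contrasts two ways of deciding whether an install may proceed: a check that keys off the wire Referer header and treats a blank value as "typed by the user" (which fails open whenever a navigation, such as a refresh, produces no referrer), and a check that uses an origin the browser tracked internally for the request. The following is an added illustration of that difference; it is not Mozilla's XPInstall code and not part of this bug. The whitelist contents, the `InstallRequest` fields and the `user_initiated` flag are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Hypothetical site whitelist for the example (not Mozilla's actual list).
INSTALL_WHITELIST = {"addons.mozilla.org"}


def host_of(url: Optional[str]) -> Optional[str]:
    """Return the lower-cased host of an absolute URL, or None if absent/unparseable."""
    if not url:
        return None
    hostname = urlparse(url).hostname
    return hostname.lower() if hostname else None


def referer_based_allow(wire_referer: Optional[str]) -> bool:
    """The fail-open shape the bug describes: a missing Referer is read as
    'entered in the address bar or a local file' and the install is allowed,
    so any navigation that strips the referrer (a refresh, for instance)
    slips past the whitelist."""
    if not wire_referer:
        return True
    return host_of(wire_referer) in INSTALL_WHITELIST


@dataclass
class InstallRequest:
    # What is (or would be) sent on the wire; attacker-influenced.
    wire_referer: Optional[str]
    # Origin the browser itself recorded as responsible for the request
    # (the analogue of the channel's internal referrer property in the bug).
    origin_principal: Optional[str]
    # Set only by trusted browser UI (address bar, local file open), never
    # inferred from a blank header.
    user_initiated: bool = False


def principal_based_allow(req: InstallRequest) -> bool:
    """Fail-closed: decide on the origin tracked internally, never on the
    Referer header, and accept a missing origin only when trusted UI
    explicitly marked the request as user-initiated."""
    if req.origin_principal is None:
        return req.user_initiated
    return host_of(req.origin_principal) in INSTALL_WHITELIST


if __name__ == "__main__":
    # A refresh from an arbitrary page: no wire referrer, but the browser
    # still knows which document triggered the install.
    refresh = InstallRequest(wire_referer=None,
                             origin_principal="https://example.org/page")
    print("referer-based:", referer_based_allow(refresh.wire_referer))   # True (fails open)
    print("principal-based:", principal_based_allow(refresh))             # False
```

The two decisions diverge exactly in the case the bug is about: a blank wire referrer with a known, non-whitelisted originating document. The principal-based check also ignores a spoofed Referer header entirely, since it never consults it.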
Comment 1•17 years ago (Reporter)
This can be tested with the testcase from bug 402649, attachment 287538 [details]. If the referring site is http://bugzilla.mozilla.org/ then the addon is correctly blocked (this is because of the principal-comparing), anything else and it's allowed. Prior to the fix the referer had to be https://addons.mozilla.org to bypass the whitelist. Handy harmless xpi link for testing: http://releases.mozilla.org/pub/mozilla.org/addons/3867/together_with_foxkeh-0.1.6.1-firefox.xpi
Comment 2•17 years ago (Reporter)
I hadn't checked trunk and made a bad assumption that the patches were equivalent. Trunk does not exhibit this bug, 1.8-branch only.
Flags: blocking1.9?
Version: unspecified → 1.8 Branch
Comment 3•17 years ago (Assignee)
Sounds like we should take the trunk fix for bug 402649 on the branch, then. That's the only way we can get a sane referrer here. jst, does that sound OK to you? We should create an automated testcase for this, if we can....
Summary: XPinstall whitelist bypass using refresh after fix for bug 402649 → [FIX]XPinstall whitelist bypass using refresh after fix for bug 402649
Comment 4•17 years ago (Assignee)
Attachment #289554 - Flags: superreview?(jst)
Attachment #289554 - Flags: review?(jst)
Comment 5•17 years ago
Comment on attachment 289554 [details] [diff] [review] (Like so): Yes, seems like this is the way to go.
Attachment #289554 - Flags: superreview?(jst) → superreview+
Attachment #289554 - Flags: review?(jst) → review+
Updated•17 years ago (Assignee)
Attachment #289554 - Flags: approval1.8.1.11?
Comment 7•17 years ago (Reporter)
(In reply to comment #6)
> It's possible that this causes bug 405643...
No, because this is not fixed on the branch yet :-) bug 402649 was in the regression range, but we've now narrowed it down to the jar: xss fix.
Comment 8•17 years ago (Assignee)
I meant that it was possible that this patch not being landed was causing bug 405643. But yes, good to know it's the jar: stuff.
Updated•17 years ago (Reporter)
Comment 9•17 years ago (Reporter)
Comment on attachment 289554 [details] [diff] [review] (Like so): approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #289554 - Flags: approval1.8.1.12? → approval1.8.1.12+
Comment 10•17 years ago (Assignee)
Fixed on branch.
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: blocking1.8.1.12?
Keywords: fixed1.8.1.12
Resolution: --- → FIXED
Updated•17 years ago
Flags: in-testsuite?
Comment 11•17 years ago
Verified fixed using the steps in comment 1.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/2008012820 Firefox/2.0.0.12
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.12 → verified1.8.1.12
Updated•16 years ago (Reporter)
Group: security
Comment 13•16 years ago
Comment on attachment 289554 [details] [diff] [review] (Like so): unmodified distro patch; caillon, please sign off for landing.
Attachment #289554 - Flags: approval1.8.0.15?
Comment 14•16 years ago
Comment on attachment 289554 [details] [diff] [review] (Like so): a=caillon for 1.8.0.15, and I already committed this as part of the commit for bug 402649.
Attachment #289554 - Flags: approval1.8.0.15? → approval1.8.0.15+
Updated•16 years ago
Keywords: fixed1.8.0.15
Updated•5 years ago
Component: DOM → DOM: Core & HTML