Closed Bug 404627 Opened 17 years ago Closed 17 years ago

[FIX]XPinstall whitelist bypass using refresh after fix for bug 402649

Categories

(Core :: DOM: Core & HTML, defect)

1.8 Branch
defect
Not set
normal


VERIFIED FIXED

People

(Reporter: dveditz, Assigned: bzbarsky)


Details

(Keywords: fixed1.8.0.15, regression, verified1.8.1.12, Whiteboard: [sg:low?])

Attachments

(1 file)

bug 402649 described a way to fake a referer header, which amongst the various CSRF attacks envisioned by the reporter also allowed a trivial bypass of the xpinstall site blocking code -- you simply specify https://addons.mozilla.org as the referer.

The fix made the referer always blank, which xpinstall then interprets as having been entered into the address bar by the user (or as a local file URI). When I try the refresh trick without the race condition, the xpinstall is correctly blocked even though no referer is actually sent over the wire. The blocking actually uses an internal referer property set on the channel that may not always match the physical referer; we need to get that set in cases like bug 402649.
Flags: wanted1.8.1.x+
Flags: blocking1.9?
Flags: blocking1.8.1.11?
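An added model of the two decision rules this comment contrasts (illustration only, not Gecko's code): one check reads the on-the-wire Referer and treats a blank value as a user-initiated load, the other reads the origin the browser itself tracks for the requesting document. The allowlist contents, the `InstallRequest` fields and the `untrusted.example` host are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample allowlist of install sites (hypothetical, not Firefox's real list).
INSTALL_ALLOWLIST = {"addons.mozilla.org"}


@dataclass
class InstallRequest:
    xpi_url: str
    referer_header: Optional[str]    # Referer as sent on the wire; page content can influence it
    initiator_origin: Optional[str]  # origin of the document that triggered the load, tracked by
                                     # the browser itself (None = address bar / local file)


def _host(url: Optional[str]) -> Optional[str]:
    return urlsplit(url).hostname if url else None


def header_based_allows(req: InstallRequest) -> bool:
    """Weak rule from the bug report: a blank Referer is read as 'entered by the user' and
    allowed, and a page-supplied Referer is trusted as-is (fail-open)."""
    if not req.referer_header:
        return True
    return _host(req.referer_header) in INSTALL_ALLOWLIST


def origin_based_allows(req: InstallRequest) -> bool:
    """Hardened rule: decide on the browser-tracked initiator origin, which page content cannot
    rewrite; only a load with no initiating document skips the allowlist."""
    if req.initiator_origin is None:
        return True
    return _host(req.initiator_origin) in INSTALL_ALLOWLIST


# Harmless test xpi from the bug report.
XPI = "http://releases.mozilla.org/pub/mozilla.org/addons/3867/together_with_foxkeh-0.1.6.1-firefox.xpi"


def compare_checks() -> dict:
    """Returns {case: (header_based_result, origin_based_result)} for the situations in the bug."""
    cases = {
        "typed_in_address_bar": InstallRequest(XPI, None, None),
        "from_allowlisted_site": InstallRequest(XPI, "https://addons.mozilla.org/", "https://addons.mozilla.org"),
        "refresh_with_blank_referer": InstallRequest(XPI, None, "http://untrusted.example"),
        "spoofed_referer_header": InstallRequest(XPI, "https://addons.mozilla.org/", "http://untrusted.example"),
    }
    return {name: (header_based_allows(r), origin_based_allows(r)) for name, r in cases.items()}
```

The last two cases are the ones the comment describes: the header-based rule lets them through, the origin-based rule blocks them while still allowing a genuinely user-typed URL.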
This can be tested with the testcase from bug 402649, attachment 287538 [details]

If the referring site is http://bugzilla.mozilla.org/ then the addon is correctly blocked (this is because of the principal-comparing), anything else and it's allowed. Prior to the fix the referer had to be https://addons.mozilla.org to bypass the whitelist.

Handy harmless xpi link for testing: http://releases.mozilla.org/pub/mozilla.org/addons/3867/together_with_foxkeh-0.1.6.1-firefox.xpi
I hadn't checked trunk and made a bad assumption that the patches were equivalent. Trunk does not exhibit this bug, 1.8-branch only.
Flags: blocking1.9?
Version: unspecified → 1.8 Branch
Sounds like we should take the trunk fix for bug 402649 on the branch, then.  That's the only way we can get a sane referrer here.

jst, does that sound OK to you?

We should create an automated testcase for this, if we can....
Summary: XPinstall whitelist bypass using refresh after fix for bug 402649 → [FIX]XPinstall whitelist bypass using refresh after fix for bug 402649
Attached patch: Like so
Attachment #289554 - Flags: superreview?(jst)
Attachment #289554 - Flags: review?(jst)
Comment on attachment 289554 [details] [diff] [review]
Like so

Yes, seems like this is the way to go.
Attachment #289554 - Flags: superreview?(jst)
Attachment #289554 - Flags: superreview+
Attachment #289554 - Flags: review?(jst)
Attachment #289554 - Flags: review+
Attachment #289554 - Flags: approval1.8.1.11?
It's possible that this causes bug 405643...
Blocks: 405643
No longer blocks: 405643
(In reply to comment #6)
> It's possible that this causes bug 405643...

No, because this is not fixed on the branch yet :-)

bug 402649 was in the regression range, but we've now narrowed it down to the jar: xss fix.
I meant that it was possible that this patch not being landed was causing bug 405643.

But yes, good to know it's the jar: stuff.
Blocks: 402649
Keywords: regression
Whiteboard: [sg:low?]
Comment on attachment 289554 [details] [diff] [review]
Like so

approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #289554 - Flags: approval1.8.1.12? → approval1.8.1.12+
Fixed on branch.
Status: NEW → RESOLVED
Closed: 17 years ago
Flags: blocking1.8.1.12?
Keywords: fixed1.8.1.12
Resolution: --- → FIXED
Flags: in-testsuite?
Verified fixed using the steps in comment 1. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/2008012820 Firefox/2.0.0.12
Status: RESOLVED → VERIFIED
Group: security
distro patches block 1.8.0.15
Flags: blocking1.8.0.15+
Comment on attachment 289554 [details] [diff] [review]
Like so

unmodified distro patch; caillon, please sign off for landing.
Attachment #289554 - Flags: approval1.8.0.15?
Comment on attachment 289554 [details] [diff] [review]
Like so

a=caillon for 1.8.0.15 and I already committed this as part of the commit for bug 402649
Attachment #289554 - Flags: approval1.8.0.15? → approval1.8.0.15+
Component: DOM → DOM: Core & HTML