Closed
Bug 411072
Opened 17 years ago
Closed 17 years ago
"focus" Event can be used to set focus on file input and selectively capture keystrokes, which can be used to upload arbitrary files
Categories: Core :: Security, defect
Status: VERIFIED FIXED
People: Reporter: gfleischer+bugzilla, Assigned: smaug
Details: Keywords: fixed1.8.0.15, testcase, verified1.8.1.12; Whiteboard: [sg:moderate]
Attachments (5 files)
- 3.10 KB, text/html
- 3.10 KB, text/html
- 8.77 KB, application/java-archive
- 4.66 KB, patch (flags: jst: review+, jst: superreview+, dveditz: approval1.8.1.12+, asac: approval1.8.0.next+)
- 9.18 KB, application/java-archive
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
By creating a "focus" Event and using dispatchEvent to send it to a file input element or a label associated with the file, the focus can be set on the text portion of the file input. This can be used to selectively capture keystrokes and construct a path that can be used to upload arbitrary files from a user's computer.
By sending the click as an event, the focus restrictions in bug #370092 and bug #370092 can be bypassed.
An alternate approach is to use the observation in bug #404391 and send click to an additional input element nested inside of the label.
Reproducible: Always
Tested with user agents:
- Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
- Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
- Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.12pre) Gecko/20080106 BonEcho/2.0.0.12pre
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12pre) Gecko/20080106 BonEcho/2.0.0.12pre
Reporter, Comment 1 • 17 years ago
Reporter, Comment 2 • 17 years ago
Reporter, Comment 3 • 17 years ago
The focus-event-stealing.html file demonstrates how an actual attack could be constructed. On Mac OS X and Linux, "/etc/hosts" is targeted and on Windows, "c:\boot.ini".
The demo is standalone by default, but the included 'upload.cgi' Perl CGI script can be used to capture the submitted file.
Reporter, Comment 4 • 17 years ago
The description should have been:
By sending the focus as an event, the focus restrictions in bug #370092 and bug #388784 can be bypassed.
Updated • 17 years ago
Assignee: nobody → dveditz
Flags: blocking1.8.1.12?
Product: Firefox → Core
QA Contact: firefox → toolkit
Updated • 17 years ago
Whiteboard: [sg:moderate]
Comment 5 • 17 years ago
Not sure these aren't all ultimately dupes for the same fix, but until that's shown I can confirm we need to fix whatever leads to these testcases.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated • 17 years ago
Flags: blocking1.8.1.12? → blocking1.8.1.12+
Updated • 17 years ago
Whiteboard: [sg:moderate] → [sg:moderate] 1.8-branch
Assignee, Comment 6 • 17 years ago
I guess I should fix this. I'll try to come up with a patch during this weekend.
Assignee, Comment 7 • 17 years ago
Attachment #296728 - Flags: review?(jst)
Updated • 17 years ago
Assignee: dveditz → Olli.Pettay
Updated • 17 years ago
Attachment #295708 - Attachment mime type: application/zip → application/java-archive
Updated • 17 years ago
Flags: wanted1.8.1.x+
Updated • 17 years ago
Version: unspecified → 1.8 Branch
Assignee, Comment 8 • 17 years ago
Regardless of bug 413135, fixing this bug would be good.
Reporter, Comment 9 • 17 years ago
Updated the example attack to use the disabled property to selectively cancel keystrokes.
This bypasses the fix for bug 413135 in attachment 298006.
Updated • 17 years ago (Reporter)
Attachment #299495 - Attachment mime type: application/octet-stream → application/java-archive
Updated • 17 years ago
Whiteboard: [sg:moderate] 1.8-branch → [sg:moderate] need r=jst for 1.8.1.12
Updated • 17 years ago
Attachment #296728 - Flags: superreview+
Attachment #296728 - Flags: review?(jst)
Attachment #296728 - Flags: review+
Comment 10 • 17 years ago
Comment on attachment 296728: And more type="file" fixing...
Requesting approval on this blocker.
Olli, what's the risk of this patch?
Attachment #296728 - Flags: approval1.8.1.12?
Assignee, Comment 11 • 17 years ago
The risk should be small. The patch changes only the case when someone is manually dispatching focus events to an <input type="file"> element. The result is that the Browse... button is focused, not the text field.
Comment 12 • 17 years ago
Comment on attachment 296728: And more type="file" fixing...
approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #296728 - Flags: approval1.8.1.12? → approval1.8.1.12+
Updated • 17 years ago (Assignee)
Keywords: fixed1.8.1.12, testcase
Whiteboard: [sg:moderate] need r=jst for 1.8.1.12 → [sg:moderate]
Updated • 17 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated • 17 years ago
Flags: in-testsuite?
Comment 13 • 17 years ago
Verified with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12) Gecko/2008012822 Firefox/2.0.0.12.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.12 → verified1.8.1.12
Comment 14 • 17 years ago
Comment on attachment 296728: And more type="file" fixing...
a=asac for 1.8.0.15
Attachment #296728 - Flags: approval1.8.0.15+
Updated • 17 years ago
Flags: blocking1.8.0.15+
Updated • 16 years ago
Group: core-security