Closed Bug 414540 Opened 17 years ago Closed 15 years ago

RDFXMLDataSource should reject cross-domain redirects

Categories

(Core Graveyard :: RDF, defect, P2)

Product:
Core Graveyard
Component:
RDF
Platform:
x86
Linux
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: guninski, Assigned: benjamin)

References

Details

(4 keywords, Whiteboard: [sg:high])

Attachments

(2 files, 2 obsolete files)

Copied nsSameOriginChecker code, fixed tests, rev. 2
9.10 KB, patch
bzbarsky
: review+
Waldo
: review+
dveditz
: approval1.9.0.7+
Details | Diff | Splinter Review
1.8.0 version (looks like 1.8.1 too)
7.28 KB, patch
dveditz
: approval1.8.1.next+
asac
: approval1.8.0.next+
Details | Diff | Splinter Review 
it is possible to still RDF from any http hosts via:
datasources="/cgi-bin/re?http://SOMEWHERE/steal.rdf"

if the RDF structure is known
/cgi-bin/re does a http redirect
testcase won't work from bugzilla

not clear if this allows stealing arbitrary XML.
both trunk and 2.0 are vulnerable
Attached file steal.rdf 
Keywords: testcase
Whiteboard: [sg:investigate]

    
    

    
  
Is it specific to RDF? More likely it would apply to any non-local template data. There is a movement to remove RDF from the trunk, but obviously this kind of XUL widget needs some kind of datasource. Could whatever replaces it also have the same problem?

How does the "Mozilla Amazon Browser" work? I'd be surprised if the Amazon interface were RDF specifically rather than plain XML, but maybe it's not using a tree widget with a datasource.
http://faser.net/mab/chrome/content/mab.xul
Component: Security → RDF
Product: Firefox → Core
QA Contact: firefox → rdf
Version: 2.0 Branch → unspecified

    
    

    
  
The same-origin check is here: http://mxr.mozilla.org/mozilla/source/content/xul/templates/src/nsXULTemplateBuilder.cpp#1275

So yes, it appears that you could steal XML using this method as well (on trunk).

Is there a way to tell necko not to follow redirects across origins (or a redirect observer mechanism which could do the check)?
Severity: normal → critical
Flags: blocking1.9?

    
    

    
  
(In reply to comment #2)
> 
> How does the "Mozilla Amazon Browser" work? I'd be surprised if the Amazon
> interface were RDF specifically rather than plain XML, but maybe it's not using
> a tree widget with a datasource.
> http://faser.net/mab/chrome/content/mab.xul
> 

don't know how it works, but it seems to parse plain XML.
sniffer catched this request which returns plain XML:

http://faser.net/mab/chrome/content/server/proxy.cfm?t=faser-20&dev-t=D3MAIAYX2Q6JLY&KeywordSearch=math&mode=books&sort=+salesrank&type=lite&page=2&f=xml

so it seems this bug allows stealing XML and well formed (X)HTML, allowing harvesting luser's webmail.

this makes it at least [sg:moderate] in my opinion


Whiteboard: [sg:investigate] → [sg:investigate] [sg:moderate?]

    
    

    
  
(In reply to comment #3)
> 
> Is there a way to tell necko not to follow redirects across origins (or a
> redirect observer mechanism which could do the check)?
> 

don't know, but XMLHttpRequest provides similar functionality and it is not vulnerable to this attack, so probably you may reuse code from it.

    
    

    
  
> Is there a way to tell necko not to follow redirects across origins (or a
> redirect observer mechanism which could do the check)?
> 

XMLHttpRequest does this by implementing nsIChannelEventSink and adding itself as an observer on the channel. RDF datasources could implement this but there isn't currently a means for the template builder to indicate this. XML datasources are loaded via the dom document.load api so don't have access to a channel, as far as I know.



    
    

    
  
ok, the XMLDocument.load API does a redirect check successfully: http://mxr.mozilla.org/mozilla/source/content/xml/document/src/nsXMLDocument.cpp#292

    
    

    
  
[sg:high?] per defintion
High: Vulnerability can be used to gather sensitive data from
         sites in other windows or inject data or code into those
         sites, requiring no more than normal browsing actions.

Whiteboard: [sg:investigate] [sg:moderate?] → [sg:investigate] [sg:high?]
Summary: stealing RDF via http redirects → stealing RDF and XML via http redirects

    
    

    
  
on second thought, http redirects are recurring attack vector.
xmlhttprequest is safe now, yet SOAP* and WSDL* should be hit with redirects hard.
are there other ways to process xml except the above?

    
  
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.13?

    
    

    
  
We'll block on this when the trunk fix is done. Might be '.14 rather than '.13
Flags: blocking1.8.1.13?
Whiteboard: [sg:investigate] [sg:high?] → [sg:high?]
Flags: tracking1.9+ → wanted1.9.0.x+

    
    

    
  
i consider reading arbitrary xml (including well formed html) "blocking ?" so requesting blocking
Flags: blocking1.9?

    
    

    
  
Sigh, remote XUL.  Let's just disable it with a per-site pref for 3.next, OK?  Pretty please?

I don't think we should push back FF3 for this -- which is what "blocking" means on a bug with no patch at this point -- but we could and should take a well-tested fix into 3.0.1.
Flags: in-testsuite?
Flags: blocking1.9?
Flags: blocking1.9.0.1?
Flags: blocking1.9-

    
    

    
  
>Sigh, remote XUL.  Let's just disable it with a per-site pref for 3.next, OK? 

Quite agree.

    
    

    
  
who would/could work on a patch?

    
    

    
  
Neil can you help us out here.  Also can you work up the disable but for per-site remote xul pref for 3.1?  As an aside could we do that in a 3.0.x?
Assignee: nobody → enndeakin

    
    

    
  
(In reply to comment #12)
> Sigh, remote XUL.  Let's just disable it with a per-site pref for 3.next, OK? 
> Pretty please?

File that bug and mark it blocking1.9.1?


Flags: blocking1.9.0.1? → blocking1.9.0.1-

    
  
Status: NEW → ASSIGNED
Summary: stealing RDF and XML via http redirects → RDFXMLDataSource should reject cross-domain redirects

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix with test (obsolete)
        — Splinter Review
      

    


  
I can't get the test to actually run though, so I haven't tested this, but something like this should work.

    
    

    
  
Nominating this bug for blocking1.9.1: security researchers are looking for redirect bugs, so this is very likely to be discovered independently.
Flags: blocking1.9.1?
Whiteboard: [sg:high?] → [sg:high]
Flags: blocking1.9.0.7?

    
    

    
  
Neil, is this patch ready for review? When you say you couldn't get the test to run, what do you mean?

If you don't have time to drive this, assign it to me.
Flags: blocking1.9.1? → blocking1.9.1+

    
    

    
  
It should be ready, but wasn't sure how to run unit tests. I'll be on vacation tomorrow so reassigning would be the best option.
Assignee: enndeakin → benjamin

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Neils patch with the test fixed (obsolete)
        — Splinter Review
      

    


  
This is Neil's patch with the test fixed (you needed to have "server" in the global scope). r=me, requesting sr from bz

        Attachment #359329 -
        Flags: superreview?(bzbarsky)

        Attachment #359329 -
        Flags: review+

    
    

    
  
Comment on attachment 359329 [details] [diff] [review]
Neils patch with the test fixed

Does that test really fail without this patch?  Shouldn't the port in the url be 4444 instead of 8080, since you start the server on 4444?

Also, the OnChannelRedirect impl needs to look more like nsSameOriginChecker::OnChannelRedirect (and we really need to expose that on the security manager or some such...)

        Attachment #359329 -
        Flags: superreview?(bzbarsky) → superreview-
Flags: blocking1.9.0.7? → blocking1.9.0.7+

    
    

    
  
Comment on attachment 359329 [details] [diff] [review]
Neils patch with the test fixed

>diff --git a/rdf/tests/unit/test_rdfredirect.js b/rdf/tests/unit/test_rdfredirect.js

>+  server.start(4444);
>+  var ds = rdfService.GetDataSource("http://localhost:8080/sample.rdf");

This will fail with or without the patch, I'll bet, because the use of an unexpected hostport will trigger a HTTP 400 response.  (Or rather, it will if the request is HTTP/1.1, which I have no reason to assume wouldn't be the case.)  Probably need to check for that specific case using the ignored arguments in the sink observer methods, probably also check that the request handler was actually called as well to be safe...

>+var gErrorOccured = false;

typo


>diff --git a/testing/xpcshell/test_all.sh b/testing/xpcshell/test_all.sh

> # Make assertions fatal
>-XPCOM_DEBUG_BREAK=stack-and-abort; export XPCOM_DEBUG_BREAK
>+# XPCOM_DEBUG_BREAK=stack-and-abort; export XPCOM_DEBUG_BREAK

Don't even think about it.  :-P

If you really have to, flip the environment variable inside the test itself, but don't take away assertion-checking from everyone else's tests.

    
    

    
  


  
This copies nsSameOriginChecker. I filed bug 475940 on providing this code in a shared location.

The test for this is significantly reworked. It loads two HTTP servers on different ports. It verifies that it can load RDF from each, as well as that a same-origin redirect is not blocked and a cross-origin redirect is blocked. Asking Waldo to review the testing code because I'm just learning my way around there.

As noted on IRC, there's inconsistent behavior when loading data from a rejected redirect. In some cases we'll get an error code and the load will fail. In other cases, the load will succeed but give us data from the redirecting page. So instead of relying on the onError callback, we actually check to see whether we loaded the RDF data.

        Attachment #359507 -
        Flags: review?(jwalden+bmo)

        Attachment #359507 -
        Flags: review?(bzbarsky)

    
  

        Attachment #359329 -
        Attachment is obsolete: true

    
  

        Attachment #326758 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 359507 [details] [diff] [review]
Copied nsSameOriginChecker code, fixed tests, rev. 2

Looks good.  Gods, our RDF API is ugly.  :(

        Attachment #359507 -
        Flags: review?(bzbarsky) → review+

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/01c42e286b4c
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 359507 [details] [diff] [review]
Copied nsSameOriginChecker code, fixed tests, rev. 2

Only thing worth mentioning is that if this ever fails, you're likely to not decrement the pending count correctly and thus hang, but that seems relatively unlikely to happen; best would be to put the decrement and is-done test in a finally block (rest of method in a try) to be safe.

        Attachment #359507 -
        Flags: review?(jwalden+bmo) → review+

    
  

        Attachment #359507 -
        Flags: approval1.9.0.7?

    
    

    
  
>Nominating this bug for blocking1.9.1: security researchers are looking for
>redirect bugs, so this is very likely to be discovered independently.

similar redirect stuff is:
Bug 466989 stealing xul overlays via http redirects

        Attachment #359507 -
        Flags: approval1.9.0.7? → approval1.9.0.7+

    
    

    
  
Comment on attachment 359507 [details] [diff] [review]
Copied nsSameOriginChecker code, fixed tests, rev. 2

Approved for 1.9.0.7, a=dveditz for release-drivers.

    
    

    
  
Checking in rdf/base/src/Makefile.in;
new revision: 1.38; previous revision: 1.37
Checking in rdf/base/src/nsRDFXMLDataSource.cpp;
new revision: 1.159; previous revision: 1.158
Checking in rdf/tests/Makefile.in;
new revision: 1.11; previous revision: 1.10
Checking in rdf/tests/unit/sample.rdf;
initial revision: 1.1
Checking in rdf/tests/unit/test_rdfredirect.js;
initial revision: 1.1
Keywords: fixed1.9.0.7
Flags: blocking1.8.1.next?
Flags: blocking1.8.1.next? → blocking1.8.1.next+

    
    

    
  
This was a pain in the butt to set up on my private webservers. :-)

Verified fixed in 1.9.0.7 with:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.7pre) Gecko/2009021304 GranParadiso/3.0.7pre

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7pre) Gecko/2009021304 GranParadiso/3.0.7pre
Keywords: fixed1.9.0.7verified1.9.0.7

    
    

    
  
Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090213 Shiretoko/3.1b3pre.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1
Depends on: 477930

    
    

    
  
I wonder how the fix should look like for 1.8. Is the test by CheckSameOriginURI() enough here or do we need to involve (and backport) CheckMayLoad() from 1.9?

    
    

    
  
CheckSameOriginURI is probably fine.

        Attachment #363399 -
        Flags: approval1.8.1.next?

        Attachment #363399 -
        Flags: approval1.8.0.next?

    
    

    
  
Comment on attachment 363399 [details] [diff] [review]
1.8.0 version (looks like 1.8.1 too)

Approved for 1.8.1.21, a=dveditz for release-drivers

        Attachment #363399 -
        Flags: approval1.8.1.next? → approval1.8.1.next+

    
    

    
  
Fix checked into the 1.8 branch. I did not check in the tests since 1.8 doesn't support XPCSHELL_TESTS
Keywords: fixed1.8.1.21
Group: core-security

    
    

    
  
Comment on attachment 363399 [details] [diff] [review]
1.8.0 version (looks like 1.8.1 too)

a=asac for 1.8.0 - thanks requesting approval1.8.0

        Attachment #363399 -
        Flags: approval1.8.0.next? → approval1.8.0.next+

    
  
Flags: blocking1.8.0.next+

    
  
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: