Closed
Bug 414540
Opened 17 years ago
Closed 16 years ago
RDFXMLDataSource should reject cross-domain redirects
Categories
(Core Graveyard :: RDF, defect, P2)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: guninski, Assigned: benjamin)
References
Details
(4 keywords, Whiteboard: [sg:high])
Attachments
(2 files, 2 obsolete files)
9.10 KB,
patch
|
bzbarsky
:
review+
Waldo
:
review+
dveditz
:
approval1.9.0.7+
|
Details | Diff | Splinter Review |
7.28 KB,
patch
|
dveditz
:
approval1.8.1.next+
asac
:
approval1.8.0.next+
|
Details | Diff | Splinter Review |
it is possible to still RDF from any http hosts via: datasources="/cgi-bin/re?http://SOMEWHERE/steal.rdf" if the RDF structure is known /cgi-bin/re does a http redirect testcase won't work from bugzilla not clear if this allows stealing arbitrary XML. both trunk and 2.0 are vulnerable
Reporter | ||
Comment 1•17 years ago
|
||
Comment 2•17 years ago
|
||
Is it specific to RDF? More likely it would apply to any non-local template data. There is a movement to remove RDF from the trunk, but obviously this kind of XUL widget needs some kind of datasource. Could whatever replaces it also have the same problem? How does the "Mozilla Amazon Browser" work? I'd be surprised if the Amazon interface were RDF specifically rather than plain XML, but maybe it's not using a tree widget with a datasource. http://faser.net/mab/chrome/content/mab.xul
Component: Security → RDF
Product: Firefox → Core
QA Contact: firefox → rdf
Version: 2.0 Branch → unspecified
Assignee | ||
Comment 3•17 years ago
|
||
The same-origin check is here: http://mxr.mozilla.org/mozilla/source/content/xul/templates/src/nsXULTemplateBuilder.cpp#1275 So yes, it appears that you could steal XML using this method as well (on trunk). Is there a way to tell necko not to follow redirects across origins (or a redirect observer mechanism which could do the check)?
Severity: normal → critical
Flags: blocking1.9?
Reporter | ||
Comment 4•17 years ago
|
||
(In reply to comment #2) > > How does the "Mozilla Amazon Browser" work? I'd be surprised if the Amazon > interface were RDF specifically rather than plain XML, but maybe it's not using > a tree widget with a datasource. > http://faser.net/mab/chrome/content/mab.xul > don't know how it works, but it seems to parse plain XML. sniffer catched this request which returns plain XML: http://faser.net/mab/chrome/content/server/proxy.cfm?t=faser-20&dev-t=D3MAIAYX2Q6JLY&KeywordSearch=math&mode=books&sort=+salesrank&type=lite&page=2&f=xml so it seems this bug allows stealing XML and well formed (X)HTML, allowing harvesting luser's webmail. this makes it at least [sg:moderate] in my opinion
Reporter | ||
Updated•17 years ago
|
Whiteboard: [sg:investigate] → [sg:investigate] [sg:moderate?]
Reporter | ||
Comment 5•17 years ago
|
||
(In reply to comment #3) > > Is there a way to tell necko not to follow redirects across origins (or a > redirect observer mechanism which could do the check)? > don't know, but XMLHttpRequest provides similar functionality and it is not vulnerable to this attack, so probably you may reuse code from it.
Comment 6•17 years ago
|
||
> Is there a way to tell necko not to follow redirects across origins (or a
> redirect observer mechanism which could do the check)?
>
XMLHttpRequest does this by implementing nsIChannelEventSink and adding itself as an observer on the channel. RDF datasources could implement this but there isn't currently a means for the template builder to indicate this. XML datasources are loaded via the dom document.load api so don't have access to a channel, as far as I know.
Assignee | ||
Comment 7•17 years ago
|
||
ok, the XMLDocument.load API does a redirect check successfully: http://mxr.mozilla.org/mozilla/source/content/xml/document/src/nsXMLDocument.cpp#292
Reporter | ||
Comment 8•17 years ago
|
||
[sg:high?] per defintion High: Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
Whiteboard: [sg:investigate] [sg:moderate?] → [sg:investigate] [sg:high?]
Reporter | ||
Updated•17 years ago
|
Summary: stealing RDF via http redirects → stealing RDF and XML via http redirects
Reporter | ||
Comment 9•17 years ago
|
||
on second thought, http redirects are recurring attack vector. xmlhttprequest is safe now, yet SOAP* and WSDL* should be hit with redirects hard. are there other ways to process xml except the above?
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Updated•17 years ago
|
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.13?
Comment 10•17 years ago
|
||
We'll block on this when the trunk fix is done. Might be '.14 rather than '.13
Flags: blocking1.8.1.13?
Whiteboard: [sg:investigate] [sg:high?] → [sg:high?]
Updated•17 years ago
|
Flags: tracking1.9+ → wanted1.9.0.x+
Reporter | ||
Comment 11•17 years ago
|
||
i consider reading arbitrary xml (including well formed html) "blocking ?" so requesting blocking
Flags: blocking1.9?
Comment 12•17 years ago
|
||
Sigh, remote XUL. Let's just disable it with a per-site pref for 3.next, OK? Pretty please? I don't think we should push back FF3 for this -- which is what "blocking" means on a bug with no patch at this point -- but we could and should take a well-tested fix into 3.0.1.
Flags: in-testsuite?
Flags: blocking1.9?
Flags: blocking1.9.0.1?
Flags: blocking1.9-
Reporter | ||
Comment 13•17 years ago
|
||
>Sigh, remote XUL. Let's just disable it with a per-site pref for 3.next, OK?
Quite agree.
Comment 14•17 years ago
|
||
who would/could work on a patch?
Comment 15•16 years ago
|
||
Neil can you help us out here. Also can you work up the disable but for per-site remote xul pref for 3.1? As an aside could we do that in a 3.0.x?
Assignee: nobody → enndeakin
Comment 16•16 years ago
|
||
(In reply to comment #12) > Sigh, remote XUL. Let's just disable it with a per-site pref for 3.next, OK? > Pretty please? File that bug and mark it blocking1.9.1?
Flags: blocking1.9.0.1? → blocking1.9.0.1-
Updated•16 years ago
|
Status: NEW → ASSIGNED
Summary: stealing RDF and XML via http redirects → RDFXMLDataSource should reject cross-domain redirects
Comment 17•16 years ago
|
||
I can't get the test to actually run though, so I haven't tested this, but something like this should work.
Comment 18•16 years ago
|
||
Nominating this bug for blocking1.9.1: security researchers are looking for redirect bugs, so this is very likely to be discovered independently.
Flags: blocking1.9.1?
Updated•16 years ago
|
Whiteboard: [sg:high?] → [sg:high]
Updated•16 years ago
|
Flags: blocking1.9.0.7?
Assignee | ||
Comment 19•16 years ago
|
||
Neil, is this patch ready for review? When you say you couldn't get the test to run, what do you mean? If you don't have time to drive this, assign it to me.
Flags: blocking1.9.1? → blocking1.9.1+
Comment 20•16 years ago
|
||
It should be ready, but wasn't sure how to run unit tests. I'll be on vacation tomorrow so reassigning would be the best option.
Assignee: enndeakin → benjamin
Assignee | ||
Comment 21•16 years ago
|
||
This is Neil's patch with the test fixed (you needed to have "server" in the global scope). r=me, requesting sr from bz
Attachment #359329 -
Flags: superreview?(bzbarsky)
Attachment #359329 -
Flags: review+
Comment 22•16 years ago
|
||
Comment on attachment 359329 [details] [diff] [review] Neils patch with the test fixed Does that test really fail without this patch? Shouldn't the port in the url be 4444 instead of 8080, since you start the server on 4444? Also, the OnChannelRedirect impl needs to look more like nsSameOriginChecker::OnChannelRedirect (and we really need to expose that on the security manager or some such...)
Attachment #359329 -
Flags: superreview?(bzbarsky) → superreview-
Updated•16 years ago
|
Flags: blocking1.9.0.7? → blocking1.9.0.7+
Comment 23•16 years ago
|
||
Comment on attachment 359329 [details] [diff] [review] Neils patch with the test fixed >diff --git a/rdf/tests/unit/test_rdfredirect.js b/rdf/tests/unit/test_rdfredirect.js >+ server.start(4444); >+ var ds = rdfService.GetDataSource("http://localhost:8080/sample.rdf"); This will fail with or without the patch, I'll bet, because the use of an unexpected hostport will trigger a HTTP 400 response. (Or rather, it will if the request is HTTP/1.1, which I have no reason to assume wouldn't be the case.) Probably need to check for that specific case using the ignored arguments in the sink observer methods, probably also check that the request handler was actually called as well to be safe... >+var gErrorOccured = false; typo >diff --git a/testing/xpcshell/test_all.sh b/testing/xpcshell/test_all.sh > # Make assertions fatal >-XPCOM_DEBUG_BREAK=stack-and-abort; export XPCOM_DEBUG_BREAK >+# XPCOM_DEBUG_BREAK=stack-and-abort; export XPCOM_DEBUG_BREAK Don't even think about it. :-P If you really have to, flip the environment variable inside the test itself, but don't take away assertion-checking from everyone else's tests.
Assignee | ||
Comment 24•16 years ago
|
||
This copies nsSameOriginChecker. I filed bug 475940 on providing this code in a shared location. The test for this is significantly reworked. It loads two HTTP servers on different ports. It verifies that it can load RDF from each, as well as that a same-origin redirect is not blocked and a cross-origin redirect is blocked. Asking Waldo to review the testing code because I'm just learning my way around there. As noted on IRC, there's inconsistent behavior when loading data from a rejected redirect. In some cases we'll get an error code and the load will fail. In other cases, the load will succeed but give us data from the redirecting page. So instead of relying on the onError callback, we actually check to see whether we loaded the RDF data.
Attachment #359507 -
Flags: review?(jwalden+bmo)
Attachment #359507 -
Flags: review?(bzbarsky)
Assignee | ||
Updated•16 years ago
|
Attachment #359329 -
Attachment is obsolete: true
Assignee | ||
Updated•16 years ago
|
Attachment #326758 -
Attachment is obsolete: true
Comment 25•16 years ago
|
||
Comment on attachment 359507 [details] [diff] [review] Copied nsSameOriginChecker code, fixed tests, rev. 2 Looks good. Gods, our RDF API is ugly. :(
Attachment #359507 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Comment 26•16 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/01c42e286b4c
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 27•16 years ago
|
||
Comment on attachment 359507 [details] [diff] [review] Copied nsSameOriginChecker code, fixed tests, rev. 2 Only thing worth mentioning is that if this ever fails, you're likely to not decrement the pending count correctly and thus hang, but that seems relatively unlikely to happen; best would be to put the decrement and is-done test in a finally block (rest of method in a try) to be safe.
Attachment #359507 -
Flags: review?(jwalden+bmo) → review+
Assignee | ||
Comment 28•16 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/de14d3aaefdf
Keywords: fixed1.9.1
Assignee | ||
Updated•16 years ago
|
Attachment #359507 -
Flags: approval1.9.0.7?
Reporter | ||
Comment 29•16 years ago
|
||
>Nominating this bug for blocking1.9.1: security researchers are looking for >redirect bugs, so this is very likely to be discovered independently. similar redirect stuff is: Bug 466989 stealing xul overlays via http redirects
Updated•16 years ago
|
Attachment #359507 -
Flags: approval1.9.0.7? → approval1.9.0.7+
Comment 30•16 years ago
|
||
Comment on attachment 359507 [details] [diff] [review] Copied nsSameOriginChecker code, fixed tests, rev. 2 Approved for 1.9.0.7, a=dveditz for release-drivers.
Assignee | ||
Comment 31•16 years ago
|
||
Checking in rdf/base/src/Makefile.in; new revision: 1.38; previous revision: 1.37 Checking in rdf/base/src/nsRDFXMLDataSource.cpp; new revision: 1.159; previous revision: 1.158 Checking in rdf/tests/Makefile.in; new revision: 1.11; previous revision: 1.10 Checking in rdf/tests/unit/sample.rdf; initial revision: 1.1 Checking in rdf/tests/unit/test_rdfredirect.js; initial revision: 1.1
Keywords: fixed1.9.0.7
Updated•16 years ago
|
Flags: blocking1.8.1.next?
Updated•16 years ago
|
Flags: blocking1.8.1.next? → blocking1.8.1.next+
Comment 32•16 years ago
|
||
This was a pain in the butt to set up on my private webservers. :-) Verified fixed in 1.9.0.7 with: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.7pre) Gecko/2009021304 GranParadiso/3.0.7pre Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7pre) Gecko/2009021304 GranParadiso/3.0.7pre
Keywords: fixed1.9.0.7 → verified1.9.0.7
Comment 33•16 years ago
|
||
Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090213 Shiretoko/3.1b3pre.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Comment 34•16 years ago
|
||
I wonder how the fix should look like for 1.8. Is the test by CheckSameOriginURI() enough here or do we need to involve (and backport) CheckMayLoad() from 1.9?
Comment 35•16 years ago
|
||
CheckSameOriginURI is probably fine.
Comment 36•16 years ago
|
||
Updated•16 years ago
|
Attachment #363399 -
Flags: approval1.8.1.next?
Attachment #363399 -
Flags: approval1.8.0.next?
Comment 37•16 years ago
|
||
Comment on attachment 363399 [details] [diff] [review] 1.8.0 version (looks like 1.8.1 too) Approved for 1.8.1.21, a=dveditz for release-drivers
Attachment #363399 -
Flags: approval1.8.1.next? → approval1.8.1.next+
Comment 38•16 years ago
|
||
Fix checked into the 1.8 branch. I did not check in the tests since 1.8 doesn't support XPCSHELL_TESTS
Keywords: fixed1.8.1.21
Updated•16 years ago
|
Group: core-security
Comment 39•16 years ago
|
||
Comment on attachment 363399 [details] [diff] [review] 1.8.0 version (looks like 1.8.1 too) a=asac for 1.8.0 - thanks requesting approval1.8.0
Attachment #363399 -
Flags: approval1.8.0.next? → approval1.8.0.next+
Updated•16 years ago
|
Flags: blocking1.8.0.next+
Updated•6 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•