Bug 447579 (CVE-2008-5015) - [FIX] file: URIs inherit chrome privs if opened from chrome
Status: VERIFIED FIXED
Whiteboard: [sg:moderate] post 1.8 branch
Keywords: regression, verified1.9.0.4, verified1.9.1
Product: Core
Classification: Components
Component: Security: CAPS
Version: Trunk
Platform: All All
Importance: -- major
Target Milestone: mozilla1.9.1b1
Assigned To: Boris Zbarsky [:bz] (TPAC)
Mentors:
Depends on: 424484
Blocks: 435362
 
Reported: 2008-07-22 22:55 PDT by Daniel Veditz [:dveditz]
Modified: 2009-01-14 12:37 PST
CC: 8 users
jst: blocking1.9.1+
samuel.sidler+old: blocking1.9.0.2-
dveditz: blocking1.9.0.4+
samuel.sidler+old: wanted1.9.0.x+
dveditz: wanted1.8.1.x-
bzbarsky: in-testsuite?
Attachments
Fix (1.49 KB, patch)
2008-08-21 21:45 PDT, Boris Zbarsky [:bz] (TPAC)
dveditz: review+
jst: superreview+
dveditz: approval1.9.0.4+

Description Daniel Veditz [:dveditz] 2008-07-22 22:55:02 PDT
The security alias received a report from Luke Bryan that file: URIs are given chrome privileges if opened in the same tab as a chrome (or privileged about:) page. This does not happen in the latest Firefox 2.0.0.17pre.

Steps:
 1. create a local file that contains the following script:
  <script>
    try { alert((Components.classes) ? "Chrome -- bad!" : "Invalid test"); }
    catch (e) { alert("Not chrome -- good!"); throw (e); }
  </script>
 2. open about:config
 3. in the same tab open the file created in step 1.

The first step is to get a regression range. It would be ironic if it were my bug 230606 "restrict file: abilities" fix.
Comment 1 Daniel Veditz [:dveditz] 2008-07-22 23:09:41 PDT
To exploit this you have to
 1. get attack code saved locally
 2. get a user to open a privileged about or chrome: URI
 3. convince the user to open the local file

It seems a tall order, but I wouldn't rule it out completely. Our MFSA 2008-35 advisory, for example, described a Safari+Firefox blended threat that accomplished 1 and 2 (now fixed).
Comment 3 Blake Kaplan (:mrbkap) 2008-07-23 08:06:47 PDT
More likely a regression from bug 435362.
Comment 4 Blake Kaplan (:mrbkap) 2008-07-23 08:38:32 PDT
Yeah, a local backout confirms that. Does a docshell know if its current document is a chrome document? It seems like we shouldn't inherit for a file URI if our current document is chrome.
Comment 5 Boris Zbarsky [:bz] (TPAC) 2008-07-23 09:06:40 PDT
I thought we weren't supposed to inherit unless the URI we're linked from was itself a file:// URI.  Did this check get lost?
Comment 6 Blake Kaplan (:mrbkap) 2008-07-23 11:56:11 PDT
It looks like that code was removed with the followup checkin for bug 402983.
Comment 7 Boris Zbarsky [:bz] (TPAC) 2008-07-23 14:25:58 PDT
Or rather it got moved into CheckMayLoad, but in this case we're not calling nsPrincipal::CheckMayLoad.
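The inheritance rule discussed in comments 4 through 7, as an added toy model in JavaScript that is not Gecko's code: the principal objects, the `assign*` functions and the file path are simplified stand-ins, and about:config is modelled as carrying the system principal, as the report describes.

```javascript
"use strict";
// Added illustration, not Gecko's code: a toy model of how a same-tab
// navigation picks the principal for the new document, contrasting the
// regressed rule with the rule comment 5 describes.

// Stand-in for the system (chrome) principal; privileged about: pages such as
// about:config are modelled as carrying it, as in the report.
const SYSTEM = Object.freeze({ kind: "system", scheme: "chrome" });

// Stand-in for a codebase principal derived from the target URI itself.
function codebasePrincipal(uri) {
  return { kind: "codebase", scheme: new URL(uri).protocol.replace(/:$/, "") };
}

// Regressed rule (comments 4 and 6): a file: target inherits whatever
// principal the current document has, chrome included.
function assignRegressed(current, targetUri) {
  return targetUri.startsWith("file:") ? current : codebasePrincipal(targetUri);
}

// Intended rule (comment 5): a file: target inherits only when the document
// it is linked from is itself file:; any other caller gets a fresh principal.
function assignFixed(current, targetUri) {
  const linkedFromFile = current.kind === "codebase" && current.scheme === "file";
  return targetUri.startsWith("file:") && linkedFromFile
    ? current
    : codebasePrincipal(targetUri);
}

// The reporter's check: only a document with the system principal can reach
// Components.classes, so "chrome" here is the outcome the report calls bad.
function testOutcome(principal) {
  return principal.kind === "system" ? "Chrome -- bad!" : "Not chrome -- good!";
}

// Replay the steps from the description under a given rule.
function replay(assign) {
  const aboutConfig = SYSTEM;                        // step 2: privileged page
  const local = "file:///tmp/test.html";             // step 1: constructed path
  return testOutcome(assign(aboutConfig, local));    // step 3: same-tab load
}

console.log("regressed:", replay(assignRegressed)); // Chrome -- bad!
console.log("fixed:    ", replay(assignFixed));     // Not chrome -- good!
```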
Comment 8 Samuel Sidler (old account; do not CC) 2008-08-14 17:58:05 PDT
Dan, this needs an owner. I believe CAPS is you... Not going to block on it for now.
Comment 9 Boris Zbarsky [:bz] (TPAC) 2008-08-21 21:45:54 PDT
Created attachment 334998
Fix
Comment 10 Daniel Veditz [:dveditz] 2008-08-23 23:12:17 PDT
Comment on attachment 334998
Fix

r=dveditz
Comment 11 Boris Zbarsky [:bz] (TPAC) 2008-08-28 06:16:34 PDT
Pushed changeset fddfa9210e76.
Comment 12 Boris Zbarsky [:bz] (TPAC) 2008-08-28 06:17:07 PDT
Comment on attachment 334998
Fix

We should take this on branch.
Comment 13 Daniel Veditz [:dveditz] 2008-09-10 15:34:04 PDT
Comment on attachment 334998
Fix

Approved for 1.9.0.3, a=dveditz for release-drivers
Comment 14 Boris Zbarsky [:bz] (TPAC) 2008-09-12 06:36:52 PDT
Actually, this was changeset 0e630c354e2b.

Fixed on branch.
Comment 15 Johnny Stenback (:jst, jst@mozilla.com) 2008-09-24 16:44:47 PDT
bz, should this be marked fixed?
Comment 16 Boris Zbarsky [:bz] (TPAC) 2008-09-24 17:56:16 PDT
Uh, yes.  ;)
Comment 17 Al Billings [:abillings] 2008-10-23 11:03:54 PDT
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102304 GranParadiso/3.0.4pre.
Comment 18 Al Billings [:abillings] 2008-10-23 11:04:31 PDT
Verified for trunk with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081023 Minefield/3.1b2pre.