Closed Bug 451938 Opened 13 years ago Closed 13 years ago

stealing frames from <video> via canvas


(Core :: Canvas: 2D, defect, P1)






(Reporter: guninski, Assigned: vlad)


(Keywords: fixed1.9.1, Whiteboard: [sg:low?])


(2 files, 1 obsolete file)

it is possible to steal frames from arbitrary videos that the luser can load via
canvas + drawImage or fillRect

as of now works directly - no need for http redirects
Whiteboard: [sg:low?]
Component: General → Video/Audio
Product: Firefox → Core
Component: Video/Audio → Layout: Canvas
this seems to work with "file:///" uris, basically allowing stealing homemade pron with known filename
<video> being able to refer to file:/// URLs might be a separate bug.
> <video> being able to refer to file:/// URLs might be a separate bug.

sure, it allows checking for existence of local files. soon to file a new bug + testcase
checking for file existence via <video> is Bug 451958
Flags: blocking1.9.1?
Indeed, the wrong principal is being used here -- .  How do I get the principal of the actual video stream, e.g. what happens at ?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
You can get the actual URI of the video being played (ie. the one that was selected from the multiple sources to play) with GetCurrentSrc on the media element.
I don't want the URI though, I want the principal -- or can I turn that URI into a principal?
Here's a fix -- this passes the principal down the chain so that canvas can get at it.
Assignee: nobody → vladimir
Attachment #336699 - Flags: superreview?
Attachment #336699 - Flags: review?(chris.double)
Attachment #336699 - Flags: superreview? → superreview?(bzbarsky)
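The readback the reporter describes (drawImage, and fillRect with a video-backed pattern) and the origin comparison the fix routes to the canvas, written out as an added example in browser JavaScript. This is not code from the report, the attached patch or Mozilla's tree; the function names `crossesOrigin`, `expectedReadback`, `probeReadback` and `auditVideo` are hypothetical and the origins and file paths are constructed. The two pure functions run anywhere; the two probes need a page with a `<video>` that has reached `loadeddata`. On a pre-fix build the probes report `readable` for a cross-origin or `file:` video; a fixed build reports `blocked`, because `getImageData` throws `SecurityError` once the canvas is tainted by the video's origin rather than the page's.

```javascript
// Added example for bug 451938; not code from the report or from Mozilla.
// (1) A pure model of the principal comparison the fix feeds into the
//     canvas security check, usable and testable outside a browser.
// (2) Browser-side probes for the two readback paths the reporter names.

// Does a video actually loaded from `loadedVideoUrl` cross the origin of the
// page at `pageOrigin`? Use the URL the stream was really fetched from (what
// the media element's current principal reflects after redirects), not the
// one written in <source>; otherwise a same-origin URL that redirects to a
// foreign host evades the check. file: URLs have an opaque ("null") origin
// and therefore never match an http(s) page. Hypothetical helper.
function crossesOrigin(pageOrigin, loadedVideoUrl) {
  const page = new URL(pageOrigin);
  const video = new URL(loadedVideoUrl, pageOrigin);
  return video.origin !== page.origin;
}

// Outcome the canvas should produce when pixels are read back after the
// video has been drawn:
//   'readable' - getImageData succeeds (same-origin video, or the pre-fix bug)
//   'blocked'  - canvas is origin-tainted; getImageData throws SecurityError
// With usedVideoPrincipal=false the canvas compares the *document's*
// principal against itself, which is the bug: nothing ever taints.
function expectedReadback(pageOrigin, loadedVideoUrl, usedVideoPrincipal) {
  if (!usedVideoPrincipal) return 'readable';
  return crossesOrigin(pageOrigin, loadedVideoUrl) ? 'blocked' : 'readable';
}

// Browser-only probe: draw one frame of `video` (an HTMLVideoElement at or
// past loadeddata) and try to read a pixel back. Returns 'readable' or
// 'blocked' so the result can be compared with expectedReadback().
function probeReadback(video, viaFillRect) {
  const canvas = document.createElement('canvas');
  canvas.width = video.videoWidth || 64;
  canvas.height = video.videoHeight || 64;
  const ctx = canvas.getContext('2d');
  if (viaFillRect) {
    // fillRect path: a pattern sourced from the video must taint the canvas
    // exactly as drawImage does.
    ctx.fillStyle = ctx.createPattern(video, 'repeat');
    ctx.fillRect(0, 0, canvas.width, canvas.height);
  } else {
    ctx.drawImage(video, 0, 0, canvas.width, canvas.height);
  }
  try {
    ctx.getImageData(0, 0, 1, 1); // the same taint gate guards toDataURL()
    return 'readable';
  } catch (e) {
    if (e.name === 'SecurityError') return 'blocked';
    throw e;
  }
}

// Run both paths against a loaded video and flag any leak: a readback that
// succeeded where the model says the canvas should have been tainted.
function auditVideo(video, loadedVideoUrl, pageOrigin = location.origin) {
  const want = expectedReadback(pageOrigin, loadedVideoUrl, true);
  return ['drawImage', 'fillRect'].map((path) => {
    const got = probeReadback(video, path === 'fillRect');
    return { path, want, got, leak: got === 'readable' && want === 'blocked' };
  });
}
```

In a page, attach the audit to the element's `loadeddata` event, e.g. `video.addEventListener('loadeddata', () => console.table(auditVideo(video, video.currentSrc)))`; `currentSrc` is the post-selection source, but the redirect target is not exposed to script, so the `loadedVideoUrl` argument is only exact when you control the server.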
Comment on attachment 336699 [details] [diff] [review]
pass the principal down the relay line...

I wish -p -U 8 worked for these diffs....

>+++ b/content/canvas/src/nsCanvasRenderingContext2D.cpp
>@@ -2823,7 +2823,8 @@
>+        video->GetCurrentPrincipal(prinOut);

So... right now now callers of this method assume the principal is never null.  In particular, DoDrawImageSecurityCheck certainly does.  Your newly added code looks like it might return null sometimes.  So we either need to add null-checks in various places or make ThebesSurfaceFromElement throw on a null principal.  The latter is probably better.

The rest looks fine, though I'd just have the methods return nsIPrincipal* instead of doing the COM-like dance.
Attached patch: updated
Updated; note that this depends on bug 417836 which I'll land shortly.  I changed the interface to just return a nsIPrincipal*, and explicitly check for null (and throw an error in that case).
Attachment #336699 - Attachment is obsolete: true
Attachment #336933 - Flags: superreview?(bzbarsky)
Attachment #336933 - Flags: review?(bzbarsky)
Attachment #336699 - Flags: superreview?(bzbarsky)
Attachment #336699 - Flags: review?(chris.double)
Comment on attachment 336933 [details] [diff] [review]

>+++ b/content/canvas/src/nsCanvasRenderingContext2D.cpp
>+        *prinOut = principal.forget().get();
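Review bot: `*prinOut = principal.forget().get();` hands the raw pointer out of `forget()` manually, which is easy to misread as a borrowed pointer even though the caller now owns one reference and must release it. If this tree's nsCOMPtr has the out-parameter overload, `principal.forget(prinOut);` states the transfer directly and is the idiomatic form for an `nsIPrincipal**` out-param; either way, make the ownership explicit in a comment at the call site.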


r+sr=bzbarsky with that.
Attachment #336933 - Flags: superreview?(bzbarsky)
Attachment #336933 - Flags: superreview+
Attachment #336933 - Flags: review?(bzbarsky)
Attachment #336933 - Flags: review+
Fix checked in:

18910[tip]   ad53051ebd43   2008-09-06 16:47 -0700   vladimir
  b=451938; ensure correct principal is used in case of <video> and drawImage; r=bz
Closed: 13 years ago
Resolution: --- → FIXED
seems fixed on trunk according to my tests.

tried fillRect and http redirects - both seem fixed
do some svg filters or similar stuff alter images so they can be stolen?

some tests with filter feImage show the image yet when drawn to canvas the original image is drawn, i.e. no theft.
Flags: wanted1.9.0.x-
Group: core-security