Closed
Bug 454087
Opened 16 years ago
Closed 16 years ago
Don't rely on NSURL to check for javascript: or data: in set URL requests
Categories
(Camino Graveyard :: OS Integration, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: alqahira, Assigned: bugzilla-graveyard)
References
Details
(Keywords: fixed1.8.1.18, Whiteboard: [sg:low])
Attachments
(3 files, 2 obsolete files)
752 bytes,
text/plain; charset=x-mac-roman
|
Details | |
1.55 KB,
patch
|
stuart.morgan+bugzilla
:
review+
mikepinkerton
:
superreview+
|
Details | Diff | Splinter Review |
5.54 KB,
patch
|
stuart.morgan+bugzilla
:
superreview+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.16) Gecko/20080803 Camino/1.6.3 (like Firefox/2.0.0.16) Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en; rv:1.8.1.16) Gecko/20080803 Camino/1.6.3 (like Firefox/2.0.0.16) Chris discovered in his paste reworking that the URL validation fails for many javascript: and data: URLs over in ScriptingSupport.mm. NSURL apparently bails or fails when it hits a URL that is not "well-formed", which many javascript: and data: URLs are by default. The end result is that our security hole is wide open. You can't file security-sensitive bugs except via Bugzilla Helper, so I'll twiddle stuff after filing. Reproducible: Always
Reporter | ||
Updated•16 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: camino2.0a1?
Flags: camino1.6.5?
Reporter | ||
Comment 1•16 years ago
|
||
Uncomment each set url command in turn to see the failures in our dangerous-protocol-catching.
Reporter | ||
Comment 2•16 years ago
|
||
Chris was working on this...he wanted me to file it while he went on a ride to think more about it.
Assignee: nobody → cl-bugs-new
Reporter | ||
Updated•16 years ago
|
Attachment #337310 -
Attachment mime type: text/plain; charset=x-macroman → text/plain; charset=x-mac-roman
Assignee | ||
Comment 3•16 years ago
|
||
This works with everything in the testcase (except the last example; since I don't have the same bookmarks Smokey does, the script can't find that bookmark anyway) with the patch for bug 453623 installed as well. It obviously won't work at all otherwise :-p
Attachment #337337 -
Flags: superreview?(stuart.morgan+bugzilla)
Attachment #337337 -
Flags: review?
Assignee | ||
Updated•16 years ago
|
Attachment #337337 -
Flags: review? → review?(peter.a.jaros)
Assignee | ||
Comment 4•16 years ago
|
||
Should we get mento to take a look at this too, since he's the one who suggested the NSURL approach in the first place?
Reporter | ||
Comment 5•16 years ago
|
||
(In reply to comment #3) > fix v1.0, depends on patch in bug 453623 Is there a way to fix this on the branch that doesn't rely on bug 453623 (which in turn relies on checkins from three or four other bugs)?
Assignee | ||
Comment 6•16 years ago
|
||
(In reply to comment #5) > Is there a way to fix this on the branch that doesn't rely on bug 453623 (which > in turn relies on checkins from three or four other bugs)? Yes. As soon as I can get a branch patch generated, I'll post it.
Assignee | ||
Updated•16 years ago
|
Status: NEW → ASSIGNED
Reporter | ||
Comment 7•16 years ago
|
||
Since Chris doesn't know the wonders of stub trees, he passed me a block of code to generate a patch for him--good thing, apparently, since it didn't compile ;) The attached patch compiles and works.
Attachment #337375 -
Flags: review?(peter.a.jaros)
Comment 8•16 years ago
|
||
Guessing at security priority, assuming local commandline scripting is the only attack vector. If this can be accessed remotely that would up the severity a bit.
Whiteboard: [sg:low]
Comment 9•16 years ago
|
||
Yes, local attack only.
Updated•16 years ago
|
Attachment #337337 -
Flags: superreview?(stuart.morgan+bugzilla) → superreview-
Comment 10•16 years ago
|
||
Comment on attachment 337337 [details] [diff] [review] fix v1.0, depends on patch in bug 453623 >+ if ([newURI isJavascriptOrDataURIString]) { Now we see why I don't like this kind of name. This adds a client of this method that has a *completely* different need than the existing client ("dangerous" vs. "can have spaces and the like in it"), but happens to, currently, share an implementation. That feels like a recipe for later mistakes. Make a new NSString method called something like isPotentiallyDangerousURI, and duplicate the implementation, so that the method is for the concept, rather than the implementation that we've thought of so far and we don't accidentally break one usage when fixing a bug for the other. >+ NSString *schemeString = [[[newURI componentsSeparatedByString:@":"] objectAtIndex:0] lowercaseString]; > [[NSScriptCommand currentCommand] setScriptErrorNumber:NSArgumentsWrongScriptError]; >- [[NSScriptCommand currentCommand] setScriptErrorString:[NSString stringWithFormat:@"Can't set URL of tab to a '%@:' URL.", scheme]]; >+ [[NSScriptCommand currentCommand] setScriptErrorString:[NSString stringWithFormat:@"Can't set URL of tab to a '%@:' URI.", schemeString]]; Stick with scheme, not schemeString; what else would the scheme be?
Assignee | ||
Comment 11•16 years ago
|
||
Trunk patch updated for sr comments. Branch patch doesn't need any changes AFAICT.
Attachment #337337 -
Attachment is obsolete: true
Attachment #337474 -
Flags: superreview?(stuart.morgan+bugzilla)
Attachment #337337 -
Flags: review?(peter.a.jaros)
Comment 12•16 years ago
|
||
Comment on attachment 337474 [details] [diff] [review] fix v1.1 >+#import "NSString+Utils.h" I assume you meant to actually add the NSString+Utils files to the diff? >+ // Don't allow |javascript:| or |data:| URIs for security reasons. >+ if ([newURI isPotentiallyDangerousURI]) { The comment needs to change to that it's not tied to implementation of the other method.
Attachment #337474 -
Flags: superreview?(stuart.morgan+bugzilla) → superreview-
Assignee | ||
Comment 13•16 years ago
|
||
Comment on attachment 337474 [details] [diff] [review] fix v1.1 Obsoleting until the other bug lands.
Attachment #337474 -
Attachment is obsolete: true
Comment 14•16 years ago
|
||
Comment on attachment 337375 [details] [diff] [review] MOZILLA_1_8_BRANCH patch sr=pink might be nice to have a comment on why we have to do this and can't use NSURL (but again this is just the branch, so i think that's being handled on the trunk).
Attachment #337375 -
Flags: superreview+
Assignee | ||
Comment 15•16 years ago
|
||
Comment on attachment 337375 [details] [diff] [review] MOZILLA_1_8_BRANCH patch Even though this has sr+, I'd like a second set of eyes on it just in case.
Attachment #337375 -
Flags: review?(peter.a.jaros) → review?(stuart.morgan+bugzilla)
Updated•16 years ago
|
Attachment #337375 -
Flags: review?(stuart.morgan+bugzilla) → review+
Assignee | ||
Comment 16•16 years ago
|
||
This should do it. I moved the comments on the methods to the header since they're all public methods.
Attachment #337553 -
Flags: superreview?(stuart.morgan+bugzilla)
Updated•16 years ago
|
Attachment #337553 -
Flags: superreview?(stuart.morgan+bugzilla) → superreview+
Comment 17•16 years ago
|
||
Comment on attachment 337553 [details] [diff] [review] fix v1.2 sr=smorgan
Reporter | ||
Comment 18•16 years ago
|
||
Checked in on 1.8.1 and cvs trunk. Since mento's already going to have to minibranch to get the relnotes, we should be able to get this in 1.6.4. We can probably make this public after 1.6.4 is out, or we could wait until 2.0a1 is out just to make sure all 2.0a1pre nightly users have the fix, too.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: camino2.0a1?
Flags: camino2.0a1+
Flags: camino1.6.5?
Flags: camino1.6.4+
Keywords: fixed1.8.1.18
Resolution: --- → FIXED
Reporter | ||
Comment 19•16 years ago
|
||
Comment on attachment 337310 [details] Sample text applescript Remind me to attach these (as separate script files, perhaps) to bug 453202 when this bug is opened up.
Comment 20•16 years ago
|
||
Opening this bug up. Camino 1.6.4 has shipped, as has Camino 2.0 alpha 1.
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•