Bug 466937 (CVE-2009-0355)

File stealing with SessionStore

RESOLVED FIXED in Firefox 3.6a1

Status

Product: Firefox
Component: Session Restore
Status: RESOLVED FIXED
Reported: 9 years ago
Modified: 9 years ago

People

(Reporter: moz_bug_r_a4, Assigned: Simon Bünzli)

Tracking

Version: unspecified
Target Milestone: Firefox 3.6a1
Keywords: fixed1.8.1.21, fixed1.9.1, testcase, verified1.9.0.6
Points:
---
Bug Flags:
blocking-firefox3.5 +
blocking1.9.0.6 +
wanted1.9.0.x +
blocking1.8.1.next +
wanted1.8.1.x +
blocking1.8.0.next -
wanted1.8.0.x -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:high])

Attachments

(3 attachments, 1 obsolete attachment)

(Reporter)

Description

9 years ago
It's possible to change the type of an input control during restoration.

Updated

9 years ago
Keywords: testcase
Whiteboard: [sg:high]
(Assignee)

Comment 2

9 years ago
Created attachment 350380 [details] [diff] [review]
patch and test

In order to keep sessionstore.js small and to remain compatible with Betas 1 and 2, this patch special-cases <input type="file">. AFAICT this is the only privacy-sensitive one of our input elements (please correct me now, if I'm wrong!).

On a side-note: The same vulnerability works the other way round, as well: If the user selects a file, it'd be possible to get the full file path instead of just the filename. Both patch and test take care of both ways.
Assignee: nobody → zeniko
Status: NEW → ASSIGNED
Attachment #350380 - Flags: review?(dietrich)
(Assignee)

Comment 3

9 years ago
Created attachment 350381 [details] [diff] [review]
1.9 branch patch
(Assignee)

Comment 4

9 years ago
Created attachment 350382 [details] [diff] [review]
1.8.1 branch patch
(Assignee)

Comment 5

9 years ago
(In reply to comment #2)
> AFAICT this is the only privacy-sensitive one of our input elements

... besides <input type="password"> which we single out already.
(Assignee)

Comment 6

9 years ago
Do we still need 1.8.1 patches, anyway?
Flags: blocking1.9.0.6?
Flags: blocking1.8.1.next?
Flags: blocking-firefox3.1?
(Assignee)

Comment 7

9 years ago
Created attachment 350477 [details] [diff] [review]
patch and test

Minor update to the test: Let's also make sure that <input type="file"> restoration wasn't broken in the same circumstances.
Attachment #350380 - Attachment is obsolete: true
Attachment #350477 - Flags: review?(dietrich)
Attachment #350380 - Flags: review?(dietrich)
Flags: blocking-firefox3.1? → blocking-firefox3.1+

Updated

9 years ago
Whiteboard: [sg:high] → [sg:high][has patch][needs review dietrich]
This has been placed on our "Top Security Bugs" list. Please treat as a top priority.
(Assignee)

Updated

9 years ago
Attachment #350477 - Flags: review?(gavin.sharp)
(Assignee)

Updated

9 years ago
Whiteboard: [sg:high][has patch][needs review dietrich] → [sg:high][has patch][needs review dietrich or gavin]
Comment on attachment 350477 [details] [diff] [review]
patch and test

looks fine, r=me
Attachment #350477 - Flags: review?(dietrich) → review+
(Assignee)

Updated

9 years ago
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:high][has patch][needs review dietrich or gavin] → [sg:high][has patch][needs approval]
(Assignee)

Updated

9 years ago
Attachment #350477 - Flags: review?(gavin.sharp) → approval1.9.1?
(Assignee)

Updated

9 years ago
Attachment #350382 - Flags: approval1.9.0.6?
(Assignee)

Updated

9 years ago
Attachment #350382 - Flags: approval1.9.0.6? → approval1.8.1.next?
(Assignee)

Updated

9 years ago
Attachment #350381 - Flags: approval1.9.0.6?
(In reply to comment #6)
> Do we still need 1.8.1 patches, anyway?

Several vendors will continue to support Firefox 2 longer than MoCo, so yeah, it's extremely helpful.
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.6?
Flags: blocking1.9.0.6+
We're going to wait for 1.9.1 approval and landing before approving for the older branches, but why is 1.9.1 so different from 1.9.0 here? That would seem to call for a separate review.
(Assignee)

Comment 12

9 years ago
Comment on attachment 350381 [details] [diff] [review]
1.9 branch patch

(In reply to comment #11)
> why is 1.9.1 so different from 1.9.0 here?

Because with all the improvements on 1.9.1 we can actually distinguish type="file" from type="text" and restore both, whereas on older branches we can't and thus just have to ignore type="file" during both saving and restoring.

Dietrich: The second bit has been included in the 1.9.1 patch and the first bit is equal to the type="password" one. Please nod if I haven't missed anything.
Attachment #350381 - Flags: review?(dietrich)
Attachment #350381 - Flags: review?(dietrich) → review+
Comment on attachment 350477 [details] [diff] [review]
patch and test

a191=beltzner
Attachment #350477 - Flags: approval1.9.1? → approval1.9.1+
(Assignee)

Updated

9 years ago
Keywords: checkin-needed
Whiteboard: [sg:high][has patch][needs approval] → [sg:high][has patch][needs branch approval]
Whiteboard: [sg:high][has patch][needs branch approval] → [sg:high][has patch][needs trunk/1.9.1 landing]
http://hg.mozilla.org/mozilla-central/rev/8d0d5017c101
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Whiteboard: [sg:high][has patch][needs trunk/1.9.1 landing] → [sg:high][has patch][needs 1.9.1 landing]
Target Milestone: --- → Firefox 3.2a1
Whiteboard: [sg:high][has patch][needs 1.9.1 landing] → [sg:high][has patch]
Comment on attachment 350381 [details] [diff] [review]
1.9 branch patch

Approved for 1.9.0.6, a=dveditz for release-drivers.
Attachment #350381 - Flags: approval1.9.0.6? → approval1.9.0.6+

Comment 16

9 years ago
dveditz, please approve blocking1.8.1.next if you come to it.
Flags: wanted1.8.0.x-
Flags: blocking1.8.0.next-
Flags: blocking1.8.1.next? → blocking1.8.1.next+
checked into 1.9.1:

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/b9c4584c3fc2
Keywords: fixed1.9.1
checked into 1.9.0 branch:

Checking in browser/components/sessionstore/src/nsSessionStore.js;
/cvsroot/mozilla/browser/components/sessionstore/src/nsSessionStore.js,v  <--  nsSessionStore.js
new revision: 1.108; previous revision: 1.107
done
Keywords: fixed1.9.0.6
Removing checkin-needed keyword, as I think this has been completely landed, but please correct me if I'm wrong.
Keywords: checkin-needed
Whiteboard: [sg:high][has patch] → [sg:high]
(Assignee)

Comment 20

9 years ago
This hasn't landed on the 1.8.1 branch yet. Needs approval first, though.
Whiteboard: [sg:high] → [sg:high][approval needed for 1.8.1.next]

Comment 21

9 years ago
Yep. We are waiting for approval1.8.1.next? from comment 16 ... drivers, please support us!
Verified for 1.9.0.6 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6pre) Gecko/2009010606 GranParadiso/3.0.6pre.
Keywords: fixed1.9.0.6 → verified1.9.0.6
Comment on attachment 350382 [details] [diff] [review]
1.8.1 branch patch

Approved for 1.8 branch, a=dveditz
Attachment #350382 - Flags: approval1.8.1.next? → approval1.8.1.next+
(Assignee)

Updated

9 years ago
Keywords: checkin-needed
Whiteboard: [sg:high][approval needed for 1.8.1.next] → [sg:high][checkin needed: 1.8.1 branch]
MOZILLA_1_8_BRANCH:

Checking in browser/components/sessionstore/src/nsSessionStore.js;
/cvsroot/mozilla/browser/components/sessionstore/src/nsSessionStore.js,v  <--  nsSessionStore.js
new revision: 1.5.2.55; previous revision: 1.5.2.54
done
Keywords: checkin-needed → fixed1.8.1.21
Whiteboard: [sg:high][checkin needed: 1.8.1 branch] → [sg:high]
Group: core-security
Alias: CVE-2009-0355