Bug 466937 - (CVE-2009-0355) File stealing with SessionStore
Status: RESOLVED FIXED
Whiteboard: [sg:high]
Keywords: fixed1.8.1.21, fixed1.9.1, testcase, verified1.9.0.6
Product: Firefox
Classification: Client Software
Component: Session Restore
Version: unspecified
Platform: All All
Importance: -- normal
Target Milestone: Firefox 3.6a1
Assigned To: Simon Bünzli
Reported: 2008-11-26 22:03 PST by moz_bug_r_a4
Modified: 2009-02-03 17:29 PST
CC: 12 users
Flags:
mbeltzner: blocking‑firefox3.5+
dveditz: blocking1.9.0.6+
dveditz: wanted1.9.0.x+
dveditz: blocking1.8.1.next+
dveditz: wanted1.8.1.x+
asac: blocking1.8.0.next-
asac: wanted1.8.0.x-

Attachments
patch and test (7.94 KB, patch)
2008-11-27 13:06 PST, Simon Bünzli
no flags
1.9 branch patch (2.14 KB, patch)
2008-11-27 13:06 PST, Simon Bünzli
dietrich: review+
dveditz: approval1.9.0.6+
1.8.1 branch patch (2.23 KB, patch)
2008-11-27 13:06 PST, Simon Bünzli
dveditz: approval1.8.1.next+
patch and test (8.19 KB, patch)
2008-11-28 07:19 PST, Simon Bünzli
dietrich: review+
mbeltzner: approval1.9.1+

Description moz_bug_r_a4 2008-11-26 22:03:05 PST
It's possible to change the type of an input control during restoration.
Comment 2 Simon Bünzli 2008-11-27 13:06:03 PST
Created attachment 350380 [details] [diff] [review]
patch and test

In order to keep sessionstore.js small and to remain compatible with Betas 1 and 2, this patch special-cases <input type="file">. AFAICT this is the only privacy-sensitive one of our input elements (please correct me now, if I'm wrong!).

On a side-note: The same vulnerability works the other way round, as well: If the user selects a file, it'd be possible to get the full file path instead of just the filename. Both patch and test take care of both ways.
Comment 3 Simon Bünzli 2008-11-27 13:06:24 PST
Created attachment 350381 [details] [diff] [review]
1.9 branch patch
Comment 4 Simon Bünzli 2008-11-27 13:06:39 PST
Created attachment 350382 [details] [diff] [review]
1.8.1 branch patch
Comment 5 Simon Bünzli 2008-11-27 13:07:43 PST
(In reply to comment #2)
> AFAICT this is the only privacy sensitive of our input elements

... besides <input type="password"> which we single out already.
Comment 6 Simon Bünzli 2008-11-27 13:16:17 PST
Do we still need 1.8.1 patches, anyway?
Comment 7 Simon Bünzli 2008-11-28 07:19:34 PST
Created attachment 350477 [details] [diff] [review]
patch and test

Minor update to the test: Let's also make sure that <input type="file"> restoration wasn't broken in the same circumstances.
Comment 8 Brandon Sterne (:bsterne) 2008-12-04 10:47:42 PST
This has been placed on our "Top Security Bugs" list.  Please treat as a top priority.
Comment 9 Dietrich Ayala (:dietrich) 2008-12-04 12:01:31 PST
Comment on attachment 350477 [details] [diff] [review]
patch and test

looks fine, r=me
Comment 10 Daniel Veditz [:dveditz] 2008-12-05 11:41:45 PST
(In reply to comment #6)
> Do we still need 1.8.1 patches, anyway?

Several vendors will continue to support Firefox 2 longer than MoCo, so yeah, it's extremely helpful.
Comment 11 Daniel Veditz [:dveditz] 2008-12-08 11:50:55 PST
We're going to wait for 1.9.1 approval and landing before approving for the older branches, but why is 1.9.1 so different from 1.9.0 here? That would seem to call for a separate review.
Comment 12 Simon Bünzli 2008-12-08 12:11:30 PST
Comment on attachment 350381 [details] [diff] [review]
1.9 branch patch

(In reply to comment #11)
> why is 1.9.1 so different from 1.9.0 here?

Because with all the improvements on 1.9.1 we can actually distinguish type="file" from type="text" and restore both whereas on older branches we can't and thus just have to ignore type="file" during both saving and restoring.

Dietrich: The second bit has been included in the 1.9.1 patch and the first bit is equal to the type="password" one. Please nod if I haven't missed anything.
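The two leak directions described in comment 2 and the two fix strategies described in comment 12, as an added example. This is not code from the patches on this bug or from Mozilla's nsSessionStore.js: it is a small model of SessionStore's form-data save/restore logic in which inputs are plain objects { id, type, value } standing in for DOM elements (so it runs in Node without a DOM), and the saved-data shape used by the "1.9.1-style" fix ({ type, value } per id) is an assumption, not the patch's real serialization. The model simply assigns to .value; the point it shows is the missing type check, not the DOM's own restrictions on setting a file input's value.

```javascript
// Added example, not Mozilla's nsSessionStore.js. Inputs are modelled as
// plain objects { id, type, value }; the { type, value } saved-data shape in
// fix B is an assumption about the approach, not the patch's actual format.

const SKIP_TYPES = new Set(["password"]); // what SessionStore already excluded

// --- Vulnerable behaviour (pre-fix): type neither recorded nor checked ---
function collectVulnerable(inputs) {
  const data = {};
  for (const el of inputs) {
    if (SKIP_TYPES.has(el.type) || !el.value) continue;
    data[el.id] = el.value; // type is NOT recorded
  }
  return data;
}

function restoreVulnerable(inputs, data) {
  for (const el of inputs) {
    if (el.id in data) el.value = data[el.id]; // type is NOT checked
  }
}

// --- Fix A (1.8.1 / 1.9.0 branches): ignore type="file" entirely ---------
function collectFixA(inputs) {
  const data = {};
  for (const el of inputs) {
    if (SKIP_TYPES.has(el.type) || el.type === "file" || !el.value) continue;
    data[el.id] = el.value;
  }
  return data;
}

function restoreFixA(inputs, data) {
  for (const el of inputs) {
    if (el.type === "file") continue; // never write a path into a file input
    if (el.id in data) el.value = data[el.id];
  }
}

// --- Fix B (1.9.1 style): record the type and only restore on a match ----
function collectFixB(inputs) {
  const data = {};
  for (const el of inputs) {
    if (SKIP_TYPES.has(el.type) || !el.value) continue;
    data[el.id] = { type: el.type, value: el.value }; // assumed shape
  }
  return data;
}

function restoreFixB(inputs, data) {
  for (const el of inputs) {
    const saved = data[el.id];
    if (!saved) continue;
    if (saved.type !== el.type) continue; // page changed the control's type
    el.value = saved.value;
  }
}

// --- Scenarios (constructed inputs) --------------------------------------
// Direction 1: page saves a path in a text field, then serves a file input
// with the same id when the session is restored. A non-empty result means
// the restore "selected" that file for upload.
function textToFileScenario(collect, restore) {
  const saved = collect([{ id: "f", type: "text", value: "/etc/passwd" }]);
  const after = [{ id: "f", type: "file", value: "" }];
  restore(after, saved);
  return after[0].value;
}

// Direction 2: user picked a file; on restore the page serves a text input
// with the same id and can read the full path.
function fileToTextScenario(collect, restore) {
  const saved = collect([{ id: "f", type: "file", value: "C:\\Users\\me\\secret.doc" }]);
  const after = [{ id: "f", type: "text", value: "" }];
  restore(after, saved);
  return after[0].value;
}

// Regression check from comment 7: same type both times should still restore
// (fix A gives this up for file inputs; fix B keeps it).
function sameTypeScenario(collect, restore, type) {
  const saved = collect([{ id: "f", type, value: "/tmp/report.pdf" }]);
  const after = [{ id: "f", type, value: "" }];
  restore(after, saved);
  return after[0].value;
}

function summarize() {
  return {
    vulnerable: [textToFileScenario(collectVulnerable, restoreVulnerable),
                 fileToTextScenario(collectVulnerable, restoreVulnerable)],
    fixA: [textToFileScenario(collectFixA, restoreFixA),
           fileToTextScenario(collectFixA, restoreFixA),
           sameTypeScenario(collectFixA, restoreFixA, "file")],
    fixB: [textToFileScenario(collectFixB, restoreFixB),
           fileToTextScenario(collectFixB, restoreFixB),
           sameTypeScenario(collectFixB, restoreFixB, "file")],
  };
}

console.log(JSON.stringify(summarize(), null, 1));
```

Running it shows the vulnerable model leaking in both directions, fix A closing both at the cost of never restoring a file input, and fix B closing both while still restoring a file input whose type is unchanged, which is the trade-off comment 12 describes between the 1.9.1 patch and the older-branch patches.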
Comment 13 Mike Beltzner [:beltzner, not reading bugmail] 2008-12-08 22:43:27 PST
Comment on attachment 350477 [details] [diff] [review]
patch and test

a191=beltzner
Comment 14 Reed Loden [:reed] (use needinfo?) 2008-12-14 23:15:34 PST
http://hg.mozilla.org/mozilla-central/rev/8d0d5017c101
Comment 15 Daniel Veditz [:dveditz] 2008-12-15 11:55:22 PST
Comment on attachment 350381 [details] [diff] [review]
1.9 branch patch

Approved for 1.9.0.6, a=dveditz for release-drivers.
Comment 16 Alexander Sack 2008-12-15 23:58:27 PST
dveditz, please approve blocking1.8.1.next if you come to it.
Comment 17 Dietrich Ayala (:dietrich) 2008-12-16 11:27:07 PST
checked into 1.9.1:

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/b9c4584c3fc2
Comment 18 Dietrich Ayala (:dietrich) 2008-12-16 21:20:28 PST
checked into 1.9.0 branch:

Checking in browser/components/sessionstore/src/nsSessionStore.js;
/cvsroot/mozilla/browser/components/sessionstore/src/nsSessionStore.js,v  <--  nsSessionStore.js
new revision: 1.108; previous revision: 1.107
done
Comment 19 Reed Loden [:reed] (use needinfo?) 2009-01-01 23:07:40 PST
Removing checkin-needed keyword, as I think this has been completely landed, but please correct me if I'm wrong.
Comment 20 Simon Bünzli 2009-01-02 11:01:45 PST
This hasn't landed on the 1.8.1 branch yet. Needs approval first, though.
Comment 21 Alexander Sack 2009-01-06 05:14:56 PST
yep. we are waiting for approval1.8.1.next? from comment 16 ... drivers please support us!
Comment 22 [On PTO until 6/29] 2009-01-06 16:01:22 PST
Verified for 1.9.0.6 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6pre) Gecko/2009010606 GranParadiso/3.0.6pre.
Comment 23 Daniel Veditz [:dveditz] 2009-01-09 09:59:29 PST
Comment on attachment 350382 [details] [diff] [review]
1.8.1 branch patch

Approved for 1.8 branch, a=dveditz
Comment 24 Reed Loden [:reed] (use needinfo?) 2009-01-10 13:30:48 PST
MOZILLA_1_8_BRANCH:

Checking in browser/components/sessionstore/src/nsSessionStore.js;
/cvsroot/mozilla/browser/components/sessionstore/src/nsSessionStore.js,v  <--  nsSessionStore.js
new revision: 1.5.2.55; previous revision: 1.5.2.54
done