Closed
Bug 476825
Opened 15 years ago
Closed 15 years ago
TwitterFox extension evaluates JSON data in an unsafe way
Categories
(addons.mozilla.org :: Security, defect)
addons.mozilla.org
Security
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jwkbugzilla, Unassigned)
References
()
Details
Looking at the method onLoad() in the file components/nsTwitterNotifier.js, I see the following handling for JSON data received from twitter.com:
case 200:
case 304:
default:
var resp = null;
if (!req.responseText.match(/^\s*$/)) {
req.responseText = req.responseText.replace(/Couldn\'t find Status with ID=\d+,/, '');
try {
var resp = eval('(' + req.responseText + ')');
}
catch (e) {
this.reportError("An error occurred while requesting " + req.__url);
this.log("Response text: " + e.message);
this.handleError(req, "Can't parse JSON. Twitter server responded with an error.");
}
}
At least all connections use HTTPS. Still, a malicious response from twitter.com (e.g. if the server is hacked) can take over user's browser. Similar JSON handling can also be found in the method rateLimitExceeded(). For
reference: https://developer.mozilla.org/en/JSON#Using_JSON
|
||
Comment 2•15 years ago
|
||
Thanks, I'll taking care of it and release fixed version ASAP.
|
|
||
Comment 3•15 years ago
|
||
Is there any safe way to decode JSON in Firefox 2.x? Or should I drop to support Fx2?
Thanks for the quick response Kazuho. This may help: https://developer.mozilla.org/En/Components.utils.evalInSandbox
|
||
Comment 5•15 years ago
|
||
You can also use the JSON parser script from http://json.org/js.html
|
|
||
Comment 6•15 years ago
|
||
I just want to make sure that this is correct to fix the issue.
I changed the code from:
var resp = eval('(' + req.responseText + ')');
to:
var s = Components.utils.Sandbox("https://twitter.com/");
var resp = Components.utils.evalInSandbox(req.responseText, s);
|
Reporter | |
Comment 7•15 years ago
|
||
This approach is a possibility but it won't prevent code execution, only move it to the sandbox. As a result, you will have to take quite some precautions when working with the resp variable, as outlined in the evalInSandbox documentation. I think using the code from JSON.jsm (correct link is http://mxr.mozilla.org/mozilla/source/js/src/xpconnect/loader/JSON.jsm, I changed it in the documentation as well) would be a better solution.
|
|
||
Comment 8•15 years ago
|
||
Thanks, I updated my extension, waiting reviewer's approval. https://addons.mozilla.org/en-US/firefox/addons/versions/5081#version-1.7.5 Source codef changes is here: http://www.naan.net/trac/changeset/1679/branches/TwitterFox/1.7.3/components/nsTwitterNotifier.js
|
|
Reporter | |
Comment 9•15 years ago
|
||
Thanks, these changes look good. There is another eval() call there but from what I can tell it is only used for data exchanged between different extension components.
|
||
Comment 10•15 years ago
|
||
This appears fixed
Status: NEW → RESOLVED
Closed: 15 years ago
Component: Administration → Add-on Security
Resolution: --- → FIXED
|
||
Updated•8 years ago
|
Group: client-services-security
Flags: needinfo?(jorge)
You need to log in
before you can comment on or make changes to this bug.
Description
•