Can't log in to Entrust Certificate Management Service

VERIFIED FIXED in mozilla1.9.2a1

Status

P1
major
VERIFIED FIXED
10 years ago
9 years ago

People

(Reporter: wgianopoulos, Assigned: mrbkap)

Tracking

({regression, verified1.9.0.12, verified1.9.1})

Trunk
mozilla1.9.2a1
Bug Flags:
blocking1.9.1 +
blocking1.9.0.12 +
wanted1.9.0.x +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low] regression from 460882, URL)

Attachments

(1 attachment, 5 obsolete attachments)

(Reporter)

Description

10 years ago
Since the landing of the code for bug 460882, it is no longer possible to log into the Entrust Certificate management service.

Steps to reproduce:

1) Navigate to https://managed.entrust.net/
2) Try to login (what you enter for username/password is irrelevant)

You end up with an error page saying "Firefox can't establish a connection to the server at 0.0.0.0."
Flags: blocking1.9.2?
(Reporter)

Comment 1

10 years ago
Error console reports:

Error: NPMethod called on non-NPObject wrapped JSObject!
Source file: https://managed.entrust.net/javascript/EntrustTruePassClientPrivate.js
Line: 5
(Reporter)

Updated

10 years ago
Flags: blocking1.9.1?
Ugh, and we wanted to take bug 460882 on the 1.9.0 branch as well.
Blocks: 460882
Flags: wanted1.9.0.x?
Flags: blocking1.9.0.8?
Whiteboard: [sg:nse] regression from 460882
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.8?
Assignee: nobody → bent.mozilla
mrbkap and I both failed to reproduce this bug on Friday... Any other steps we need to try?
(Reporter)

Comment 4

10 years ago
Well I don't get it.  This fails for me every time, but works with builds without bug 460882.

It definitely fails if I navigate to the login page and enter guest for both the unique ID and password fields and then click on the Login button.
This might be Mac Java vs. Windows Java, FWIW. I'm trying to find a Windows box to test (and maybe debug) on.
(Reporter)

Comment 6

10 years ago
I was about to say that.  I am using SUN JAVA SE6 U11 (6.0.110.3) with the new style plug-in.
(Reporter)

Comment 7

10 years ago
If it helps you at all, this fails under Linux also using Sun JAVA.
Yeah, I just reproduced on Linux.
Assignee: bent.mozilla → mrbkap
This actually points out a problem that is sg:low -- if a site sets document.domain, references to DOM objects from other scopes won't throw security errors when accessed, like they technically should.

A site really has to work at this to make it an XSS attack.
Whiteboard: [sg:nse] regression from 460882 → [sg:low] regression from 460882
(That is, websites need to do a lot of work to allow an evil attacker to perform an XSS on them using this bug.)

Updated

10 years ago
Flags: blocking1.9.1? → blocking1.9.1+
We need this fixed for beta3, this regression could hurt lots of users. Blake will likely have a fix later today.
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b3
Created attachment 365093
Proposed fix

So, this fixes this bug by not wrapping same-origin different scope. We decided that it isn't really worth trying to defend against the attack in comment 9 because it's trivial to inject script from one scope to the other (could even be a setInterval) and there is literally *nothing* we can do about that. I need to run this under Dromaeo to make sure this doesn't regress performance (which it shouldn't, really).
Attachment #365093 - Flags: superreview?(bzbarsky)
Attachment #365093 - Flags: review?(jst)
Created attachment 365094
Proposed fix

Sorry, forgot to refresh after I made some changes.
Attachment #365093 - Attachment is obsolete: true
Attachment #365094 - Flags: superreview?(bzbarsky)
Attachment #365094 - Flags: review?(jst)
Attachment #365093 - Flags: superreview?(bzbarsky)
Attachment #365093 - Flags: review?(jst)
Created attachment 365095
Once more

Sorry -- the last patch was missing some parentheses.
Attachment #365094 - Attachment is obsolete: true
Attachment #365095 - Flags: superreview?(bzbarsky)
Attachment #365095 - Flags: review?(jst)
Attachment #365094 - Flags: superreview?(bzbarsky)
Attachment #365094 - Flags: review?(jst)
Comment on attachment 365095
Once more

Looks good to me.
Attachment #365095 - Flags: review?(jst) → review+
Attachment #365095 - Flags: superreview?(bzbarsky) → superreview+
Comment on attachment 365095
Once more

Looks ok, but can we just have a ScopesSameOrigin inline function somewhere that both places can just call?
Created attachment 365104
With that
Attachment #365095 - Attachment is obsolete: true
Attachment #365104 - Flags: superreview?(bzbarsky)
Attachment #365104 - Flags: review+
Comment on attachment 365104
With that

>+++ b/js/src/xpconnect/src/xpcconvert.cpp
>-            if (allowNativeWrapper && wrapper->GetScope() != xpcscope)
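
Review bot: the quoted hunk shows only the old test in xpcconvert.cpp, which decided wrapping by scope identity (`wrapper->GetScope() != xpcscope`), so the condition that replaces it should carry a comment explaining the relaxation. State next to the new check that same-origin objects from a different scope are deliberately left unwrapped, as decided earlier in this bug, so that the identity comparison is not restored later by mistake.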

Could just change this to:

  if (allowNativeWrapper &&
      !xpc_SameOrigin(wrapper->GetScope(), xpcscope))

instead of the if/else thing you do.

sr=me with that.
Created attachment 365107
And that

This change was trivial enough that I'm just going to stamp r+sr.
Attachment #365104 - Attachment is obsolete: true
Attachment #365107 - Flags: superreview+
Attachment #365107 - Flags: review+
Attachment #365104 - Flags: superreview?(bzbarsky)
Except that last diff doesn't have that change.
Whiteboard: [sg:low] regression from 460882 → [needs landing][sg:low] regression from 460882
Created attachment 365291
And that

Sigh.
Attachment #365107 - Attachment is obsolete: true
Attachment #365291 - Flags: superreview+
Attachment #365291 - Flags: review+
Whiteboard: [needs landing][sg:low] regression from 460882 → [fixed?][sg:low] regression from 460882
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Whiteboard: [fixed?][sg:low] regression from 460882 → [sg:low] regression from 460882
Whiteboard: [sg:low] regression from 460882 → [needs 1.9.1 landing][sg:low] regression from 460882
(Reporter)

Comment 24

10 years ago
Verifying that the original problem I described is fixed under both Linux and Windows using 20090304 nightly builds.
Status: RESOLVED → VERIFIED
Blocks: 480430
Bill, could you also please check with Shiretoko? I'm not able to see the problem with older builds. Thanks!
Flags: blocking1.9.2?
(Reporter)

Comment 26

10 years ago
(In reply to comment #25)
> Bill, could you also please check with Shiretoko? I'm not able to see the
> problem with older builds. Thanks!

I verified this now works correctly under both Windows and Linux using the Firefox 3.1b3 candidate builds.
Thanks Bill. Setting verified1.9.1 based on comment 26.
Keywords: fixed1.9.1 → verified1.9.1
Target Milestone: mozilla1.9.1b3 → mozilla1.9.2a1

Updated

10 years ago
Depends on: 481548
Flags: blocking1.9.0.12?
Flags: blocking1.9.0.12? → blocking1.9.0.12+
Keywords: fixed1.9.0.12
Is there another site to test this with? Entrust.net notes:

"As of April 6th, 2009 Entrust has implemented a new authentication system."
This patch also fixed gmail's multiple file upload feature.
I've verified that the multiple file upload feature is working with the 1.9.0.12pre bits.
Keywords: fixed1.9.0.12 → verified1.9.0.12
Group: core-security