Bug 490790 (CVE-2010-0182)

XMLDocument::load() doesn't check nsIContentPolicy

VERIFIED FIXED

Status


Core
XML
VERIFIED FIXED
8 years ago
3 years ago

People

(Reporter: Wladimir Palant, Assigned: sicking)

Tracking

(Blocks: 2 bugs, {verified1.9.1, verified1.9.2})

Trunk
verified1.9.1, verified1.9.2
Points:
---
Dependency tree / graph
Bug Flags:
wanted1.9.0.x +

Firefox Tracking Flags

(blocking2.0 final+, status1.9.2 .2-fixed, status1.9.1 .9-fixed)

Details

(Whiteboard: [sg:low+])

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

8 years ago
nsXMLDocument::load() will do same-origin checks on the URL to be loaded but won't check content policies. I think it should call content policies with TYPE_XMLHTTPREQUEST and use calling document as context.
All kinds of things use content policies, and some of them are security related.
Blocks: 493857
Whiteboard: [sg:low+]
I guess I can take this. Not sure if using TYPE_XMLHTTPREQUEST is ok. I agree it's conceptually the same, I just worry that people expect to be able to get to an XHR object.
Assignee: nobody → jonas
blocking2.0: --- → final
Summary: XMLDocument::load() doesn't check content policies → XMLDocument::load() doesn't check nsIContentPolicy
Created attachment 429031 [details] [diff] [review]
Patch to fix

Wladimir, it would be great if you wanna try to run with this patch to see if things work properly.
Attachment #429031 - Flags: review?(dveditz)
Comment on attachment 429031 [details] [diff] [review]
Patch to fix

r=dveditz

In the old code, lack of codebase is not equal to system principal!
Attachment #429031 - Flags: review?(dveditz) → review+
(Reporter)

Comment 5

7 years ago
I don't think I will be able to test before the patch lands.
Created attachment 429272 [details] [diff] [review]
Patch v2

Turns out that the first patch breaks a bunch of mochitests. The problem is that if we use the document itself as context, the nsDataDocumentContentPolicy content policy blocks the load. Instead we should use the *calling* document as the context.

This patch does that.
Attachment #429031 - Attachment is obsolete: true
Attachment #429272 - Flags: review?(dveditz)
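The two comments above describe the defect (a same-origin check with no content-policy check) and why the first patch regressed (the data document used as context makes nsDataDocumentContentPolicy refuse every load). The following is an added toy model of those three states, not code from Gecko or from the attached patches; the types and functions (Document, PolicyRegistry, dataDocumentPolicy, adPathPolicy, loadBeforeFix, loadPatchV1, loadPatchV2) and the sample documents and URLs are hypothetical constructions for illustration.

```cpp
// Added illustration, not Gecko code: a toy model of the bug in this report and of the
// two patches. All names here are hypothetical; the real APIs live in nsIContentPolicy.
#include <functional>
#include <string>
#include <vector>

// Stand-in for the nsIContentPolicy load type; kXmlHttpRequest models TYPE_XMLHTTPREQUEST.
enum class ContentType { kDocument, kXmlHttpRequest };

struct Document {
    std::string origin;   // scheme://host of the document
    bool isDataDocument;  // true for a document created by XMLDocument.load(), never displayed
};

// A content policy answers "may this load proceed?", like nsIContentPolicy::shouldLoad.
using ContentPolicy =
    std::function<bool(ContentType, const std::string& url, const Document& context)>;

// Models nsDataDocumentContentPolicy: sub-loads whose context is a data document are refused.
bool dataDocumentPolicy(ContentType, const std::string&, const Document& ctx) {
    return !ctx.isDataDocument;
}

// Constructed sample of a security/privacy policy such as an extension might register:
// refuses any URL under an "/ads/" path.
bool adPathPolicy(ContentType, const std::string& url, const Document&) {
    return url.find("/ads/") == std::string::npos;
}

struct PolicyRegistry {
    std::vector<ContentPolicy> policies;
    // Every registered policy must accept the load.
    bool shouldLoad(ContentType type, const std::string& url, const Document& ctx) const {
        for (const auto& p : policies)
            if (!p(type, url, ctx)) return false;
        return true;
    }
};

// "scheme://host" prefix of a URL (enough for a toy same-origin check).
std::string originOf(const std::string& url) {
    auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return "";
    auto hostEnd = url.find('/', schemeEnd + 3);
    return url.substr(0, hostEnd);  // hostEnd == npos yields the whole string
}

// Before the fix: load() only verifies the URL is same-origin with the caller; registered
// policies are never consulted, so a policy-blocked same-origin URL still loads.
bool loadBeforeFix(const PolicyRegistry&, const Document& calling, const Document&,
                   const std::string& url) {
    return originOf(url) == calling.origin;
}

// Patch v1: consult policies, but pass the XML document itself as context. That document
// is a data document, so dataDocumentPolicy refuses every load (the mochitest failures).
bool loadPatchV1(const PolicyRegistry& reg, const Document& calling, const Document& xmlDoc,
                 const std::string& url) {
    if (originOf(url) != calling.origin) return false;
    return reg.shouldLoad(ContentType::kXmlHttpRequest, url, xmlDoc);
}

// Patch v2: same check, but the calling document is the context, so ordinary loads pass
// while policy-blocked ones are still refused.
bool loadPatchV2(const PolicyRegistry& reg, const Document& calling, const Document&,
                 const std::string& url) {
    if (originOf(url) != calling.origin) return false;
    return reg.shouldLoad(ContentType::kXmlHttpRequest, url, calling);
}

// Registry holding both sample policies.
PolicyRegistry sampleRegistry() {
    return PolicyRegistry{{dataDocumentPolicy, adPathPolicy}};
}

// Constructed sample documents: the page calling load(), and the XML document it loads into.
const Document kCallingDoc{"http://site.example", false};
const Document kXmlDoc{"http://site.example", true};
```

Running the three loaders over the same registry shows the progression: loadBeforeFix admits the same-origin "/ads/" URL because no policy is asked; loadPatchV1 refuses even the harmless feed URL because the data document is the context; loadPatchV2 admits the feed URL, refuses the "/ads/" URL, and still refuses cross-origin URLs.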
Comment on attachment 429272 [details] [diff] [review]
Patch v2

r=dveditz
Attachment #429272 - Flags: review?(dveditz) → review+
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Checked in. Thanks for finding this!

http://hg.mozilla.org/mozilla-central/rev/ed1612a1ffa8
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Attachment #429272 - Flags: approval1.9.2.2?
Attachment #429272 - Flags: approval1.9.1.9?
Comment on attachment 429272 [details] [diff] [review]
Patch v2

Approved for 1.9.2.2, and 1.9.1.9, a=dveditz for release-drivers
Attachment #429272 - Flags: approval1.9.2.2?
Attachment #429272 - Flags: approval1.9.2.2+
Attachment #429272 - Flags: approval1.9.1.9?
Attachment #429272 - Flags: approval1.9.1.9+
Checked in to 1.9.1 branch for 1.9.1.9
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/4d4f3726d884

And to 1.9.2 branch for 1.9.2.2
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/46d94cbc195f
status1.9.1: wanted → .9-fixed
status1.9.2: wanted → .2-fixed
Is there a testcase or some sort of manual reproduction steps for this?
I don't think we have any tests for content policies. The best thing would be if Wladimir could check as I believe he has good tests for content policies.
(Reporter)

Comment 13

7 years ago
I added this test to my test suite: https://hg.adblockplus.org/adblockplus/rev/235e750203cb (tested without the version check however, will remove it in the test suite once the releases are out).

Fails in:

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.9pre) Gecko/20100307 Shiretoko/3.5.9pre
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.2pre) Gecko/20100307 Namoroka/3.6.2pre
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a3pre) Gecko/20100301 Minefield/3.7a3pre

Succeeds in:

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.9pre) Gecko/20100315 Shiretoko/3.5.9pre
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.2pre) Gecko/20100315 Namoroka/3.6.2pre
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a3pre) Gecko/20100312 Minefield/3.7a3pre

Marking as verified.
Status: RESOLVED → VERIFIED
Thanks Wladimir!
Adding verified1.9.1 and verified1.9.2 keywords.
Keywords: verified1.9.1, verified1.9.2
Flags: wanted1.9.0.x+
Alias: CVE-2010-0182
Group: core-security
See Also: → bug 1057518