Closed Bug 498897 (CVE-2009-2665) Opened 11 years ago Closed 11 years ago
Web code gets "permission denied" error if a content policy is present
1.74 KB, text/plain
231 bytes, text/html
6.44 KB, text/plain
5.08 KB, patch
|Details | Diff | Splinter Review|
2.06 KB, patch
|Details | Diff | Splinter Review|
I traced it back to the http://bs.yandex.ru/resource/watch.js script - having only this script on the page already causes the issue. So not related to jQuery after all.
(Basically, I'm trying to figure out what the effect of this bug is in terms of how many sites/users it will hit. So far it sounds very very niche)
Assignee: dveditz → general
QA Contact: caps → general
And what's the effect on users?
createComment is not quickstubbed, while createElement is. So createElement doesn't do a call-time security check, while createComment does. Wladimir, I'm not going to be able to look into this until tomorrow; not sure about Blake. Do you think you can hunt down a regression range in the meantime? This sounds like something goes wrong with our wrapperization to me.
Yeah, doubt this is a JS engine problem proper.
Assignee: general → nobody
QA Contact: general → xpconnect
I'm still having trouble understanding what the practical impact of this is. Can someone tell me about an add-on / website pair that has broken functionality, and how that brokenness manifests itself?
Attaching testcase. New steps to reproduce: 1. Download nsTestPolicy.js from attachment 383707 [details] and put it into "c:\Program files\Mozilla Firefox\components" directory (adjust the path if the Firefox installation directory is different for you). 2. Put an .autoreg file into your Firefox profile. 3. Start Firefox. 4. Open the testcase. Observe an error message - document.createComment() couldn't be called. Will show "Success" in Firefox 3.0.11, that's the correct behavior. I'm not sure any more that the code before the try..catch block is even needed to reproduce the problem. It seems that document.createComment() is broken most of the time but might work eventually - I simply don't understand under which conditions it is working. I originally thought about some kind of persistence but starting Firefox with an empty profile didn't change anything.
The testcase gives me "Success" from Bugzilla but "Error" from localhost. I can only guess that the bug manifests on plain HTTP.
Regression range is 925fe560ecce to dc0e07e3d380: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=925fe560ecce&tochange=dc0e07e3d380 Looks like this was caused by bug 457022.
So, to be clear, this is something that's been broken since before we branched, and we're only noticing now? To me that's a pretty strong indicator that it needn't block, though should likely be fixed in a stability increase. bz/jonas/jst: agree?
One thing that may have made it harder for people to run into this is that you need a scripted contentpolicy installed. So you need to have something like adblockplus or noscript installed. Have those been working for a long time on the 1.9.1 branch?
I'm very concerned that this is a security problem. If we're handing back some sort of wrapper here, then it's quite likely that this can be exploited by the page.
Adblock Plus was always compatible with Firefox nightlies, same with NoScript from what I can tell. So it is very surprising that I got the first report about this issue only yesterday (less so that this went unnoticed on NoScript's side - breaking websites is the expected side-effect there).
I, too, am very concerned about the possibility for exploits here. In particular, we're handing back an XPCWrappedNative for the document that is parented to a chrome scope. We don't know of any current exploits for this, but it's scary...
(In reply to comment #15) > One thing that may have made it harder for people to run into this is that you > need a scripted contentpolicy installed. So you need to have something like > adblockplus or noscript installed. Have those been working for a long time on > the 1.9.1 branch? This also requires a "link" HTTP header that links to something requiring a call to the content policy.
(In reply to comment #19) > This also requires a "link" HTTP header that links to something requiring a > call to the content policy. While I agree that that should be the case, the attached testcase doesn't seem need this. But I can't reproduce on the attached testcase, possibly due to it being https (according to comment 12), though not sure why that would be. Wladimir, you can for sure reproduce with the testcase as attached when loaded through http, right?
(In reply to comment #19) > This also requires a "link" HTTP header that links to something requiring a > call to the content policy. Ouch, things suddenly start to make sense. Yes, I have a Link HTTP header on localhost, left-over from testing something else. This explains why the problem isn't reproducible in Bugzilla. Not blocking then. However, if web content gets a cached wrapper meant for chrome code (content policy), this might have security implications.
What's happening is that we create a wrapper for the document at a point where it doesn't have a mScopeObject yet, so nsNodeSH::PreCreate just returns the global object that it gets passed in as the parent. In this case that's the content policy component's global object. The first backtrace is where we create the wrapper for the document, the second is where it gets its mScopeObject set.
We could do this, it seems to fix the problem for me. Blake, what do you think? The old wrapper will stick around in the hash for the wrong scope, but that was already the case before. If we want to fix that we'll need to somehow get the right parent from the start in the PreCreate hook.
Attachment #383906 - Flags: review?(mrbkap)
Yandex "fixed" the problem on their side by removing the "Link" header, their site won't work as a testcase any more.
Leaving on the blocking list for a 1.9.1.x release.
Comment on attachment 383906 [details] [diff] [review] v1 This sometimes triggers the "There's a wrapper in the hashtable but it wasn't cached?" assertion.
Attachment #383906 - Flags: review?(mrbkap) → review-
Marking security sensitive since it probably is.
Attachment #383901 - Attachment is private: false
Attachment #383906 - Attachment is private: false
Attachment #383939 - Attachment is private: false
(In reply to comment #23) > The old wrapper will stick around in the hash for the wrong scope, but that was > already the case before. We might need to just remove the "There's a wrapper in the hashtable but it wasn't cached?" assertion. :-/ > If we want to fix that we'll need to somehow get the > right parent from the start in the PreCreate hook. This won't work since we need the inner window, which probably doesn't exist yet when we call the content policy.
Another option, as I suggested to Blake, is to do those Link loads later...
Thanks to blake for the idea. I also think it might be good to move the loading of those links to a later point, maybe we should file a bug for that?
Comment on attachment 383995 [details] [diff] [review] v2 Can you use nsContentUtils::GetContextAndScopes? r+sr=mrbkap either way.
(In reply to comment #32) > Can you use nsContentUtils::GetContextAndScopes? r+sr=mrbkap either way. Not really, there's only one document (which might not have an "old" scope object either).
http://hg.mozilla.org/mozilla-central/rev/dca035c2bb32 Still working on the testcase, it works when running only this test but not when running all mochitests.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.2a1
Landed a corrected mochitest: http://hg.mozilla.org/mozilla-central/rev/628ac996f472
Flags: in-testsuite? → in-testsuite+
(In reply to comment #28) > Marking security sensitive since it probably is. proven true in bug 499910
Whiteboard: [sg:critical?] → [sg:critical?] testcase in bug 499910
mrbkap says that we can wait until 126.96.36.199 if that's coming in the next few weeks, which it is!
blocking1.9.1: --- → .2+
Flags: blocking188.8.131.52? → blocking184.108.40.206-
Blake: Is this patch ready for 1.9.1? Please request approval on it.
And when I say "Blake", I mean "Peter". :)
We won't be taking this patch for 1.9.1, we're going with the patch in bug 499910 which also fixes this bug.
Whiteboard: [sg:critical?] testcase in bug 499910 → [sg:critical?][1.9.1 fix in bug 499910] testcase in bug 499910
I tried reproducing the problem using the test case in comment #11 on 3.5, loading the test case from bugzilla and localhost. In both I got "Success." The same thing happens on 3.5.2. Wladimir, or anyone, could you help us verify this?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:220.127.116.11) Gecko/20090729 Firefox/3.5.2 Original test case works for me. Don't want to step on Juan's toes here...verified1.9.1?
See comment 11 and comment 24, Yandex fixed the issue on their side, it seems you need to find a site with a "Link" header that triggers the content policy.
You need to log in before you can comment on or make changes to this bug.