Closed Bug 516336 Opened 15 years ago Closed 9 years ago

Fail to compress "%2e%2e" in URLs if used just before some special characters

Product/Component: Core :: Networking
Type: defect
Priority: Not set
Severity: major
Status: RESOLVED DUPLICATE of bug 1042347
Reporter: tokuji_akamine
Assignee: Unassigned
Whiteboard: [necko-backlog]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)

If Firefox finds "%2e%2e" in the URL, FF processes it before making a request. For instance, if I use the following code, FF generates a request to "http://somehost.com/test.html". This is normal and not vulnerable behavior.

    window.open("http://somehost.com/somedir/%2e%2e/test.html");

But in the following cases, Firefox doesn't process "%2e%2e" before making requests. As a result, "%2e%2e" can be contained in the Request-URI of the request.

    window.open("http://somehost.com/somedir/%2e%2e\x00");
    window.open("http://somehost.com/somedir/%2e%2e?");

If the default index file (for instance http://somehost/index.php) has an XSS problem, attackers can steal a cookie which is set and restricted under the "somedir" directory.

    http://somehost.com/somedir/%2e%2e?x=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e

Reproducible: Always

Steps to Reproduce:
1. Make a default index file under "http://somehost.com/" as below (the echo of an unescaped query parameter is the intended XSS).

    <?php echo $_GET['x']; ?>

2. Visit content which contains a script like below.

    document.cookie="testsession=1234; path=/somedir";
    window.open("http://somehost.com/somedir/%2e%2e?x=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%3c%2f%73%63%72%69%70%74%3e");

Actual Results:
An alert window pops up and shows a cookie which shouldn't be readable from other directories.

Expected Results:
Firefox should process "%2e%2e" before making a request and shouldn't contain "%2e%2e" in the Request-URI.
Severity: critical → major
OS: Windows XP → All
Product: Firefox → Core
QA Contact: firefox → toolkit
Hardware: x86 → All
Whiteboard: [sg:high]
Per-directory cookies are not intended as a security device: it's pretty trivial to attack them by loading a page out of the directory in an iframe and then scripting it. Although I do think we should fix this bug, it doesn't look like a security or XSS hazard to me.
Yeah, I'm with comment 1 here.
(In reply to comment #1)
> Per-directory cookies are not intended as a security device: it's pretty
> trivial to attack them by loading a page out of the directory in an iframe and
> then scripting it. Although I do think we should fix this bug, it doesn't look
> like a security or XSS hazard to me.

Yeah, I got a wrong idea. This doesn't look like a security vulnerability, but should be fixed.
This is going to be in our general URL-handling code, we're only coalescing 2e2e if it's followed by a slash. Two literal dots in the same location we will eliminate from the URL before using it or sending it over the wire.
Group: core-security
Status: UNCONFIRMED → NEW
Component: Security → Networking
Ever confirmed: true
QA Contact: toolkit → networking
Summary: Possible to bypass cookie path restriction if "%2e%2e" is used just before some special characters. → Fail to compress "%2e%2e" in URLs if used just before some special characters
Whiteboard: [sg:high]
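The mechanism comment 4 describes, as an added example that is not part of this bug, of Necko, or of net_CoalesceDirs(): a dot-segment remover that decodes %2e before deciding whether a segment is "." or "..", and that sees a segment as complete when it is followed by "/", by "?", by "#" or by the end of the path. Next to it is a deliberately simplified model of the reported behaviour, which only recognises a dot segment when a "/" follows it. All function names are hypothetical, the sample URLs are constructed, the "\x00" case from the report is not covered (a raw NUL cannot be sent in a Request-URI at all and a parser should reject or percent-encode it), and the cross-check against the WHATWG URL parser assumes a runtime with a global URL class (Node.js or a browser).

```javascript
// Added example, not Mozilla code: RFC 3986 section 5.2.4 dot-segment
// removal on the path component of a URL, with %2e/%2E counted as '.'.
// All helper names are hypothetical.

// Split an absolute hierarchical URL into origin, path, query and fragment
// without altering any of them. Splitting the query and fragment off BEFORE
// the path is inspected is what makes '?' and '#' terminate a segment.
function splitUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*:\/\/[^/?#]*)([^?#]*)(\?[^#]*)?(#.*)?$/i.exec(url);
  if (!m) throw new Error("not an absolute hierarchical URL: " + url);
  return { origin: m[1], path: m[2] || "/", query: m[3] || "", fragment: m[4] || "" };
}

// Percent-encoded dots must count as dots, otherwise "%2e%2e" slips past a
// check that catches "..".
function withDotsDecoded(segment) {
  return segment.replace(/%2e/gi, ".");
}

// Correct behaviour: every segment is a candidate, whether it is followed by
// '/', by the end of the path, or (the query/fragment being already gone)
// by '?' or '#'.
function removeDotSegments(path) {
  if (!path.startsWith("/")) throw new Error("expected an absolute path");
  const out = [];
  let lastWasDot = false;
  for (const seg of path.split("/").slice(1)) {
    const d = withDotsDecoded(seg);
    lastWasDot = d === "." || d === "..";
    if (d === ".") continue;
    if (d === "..") { out.pop(); continue; }
    out.push(seg);
  }
  // Per the RFC, "/a/b/.." resolves to "/a/" and "/a/." to "/a/": a trailing
  // dot segment leaves a trailing slash behind.
  if (lastWasDot) out.push("");
  return "/" + out.join("/");
}

// Model of the reported behaviour (deliberately wrong): a ".." or "%2e%2e"
// segment is only coalesced when a '/' follows it, so one sitting at the end
// of the path, i.e. just before '?', '#' or the end of the URL, is left as-is.
function buggyCoalesce(path) {
  let prev;
  do {
    prev = path;
    path = path.replace(/\/[^/]+\/(?:\.\.|%2e%2e)\//i, "/");
  } while (path !== prev);
  return path;
}

// Apply a path normaliser to a whole URL and reassemble it.
function normalize(url, pathFn) {
  const u = splitUrl(url);
  return u.origin + pathFn(u.path) + u.query + u.fragment;
}

// Cross-check against the WHATWG URL parser, which also treats "%2e%2e"
// (case-insensitively) as a double-dot segment.
function whatwgNormalize(url) {
  return new URL(url).href;
}

// Constructed inputs modelled on the report, with a short query in place of
// the script payload.
const reported = "http://somehost.com/somedir/%2e%2e?x=1";
const withSlash = "http://somehost.com/somedir/%2e%2e/test.html";

console.log("buggy   :", normalize(reported, buggyCoalesce));
console.log("correct :", normalize(reported, removeDotSegments));
console.log("whatwg  :", whatwgNormalize(reported));
console.log("slash ok:", normalize(withSlash, buggyCoalesce));
```

The practical check is the pair of outputs for `reported`: the model keeps "/somedir/%2e%2e" in the request path, the RFC normaliser and the WHATWG parser both send the request to "/". A server-side equivalent is worth running on any component that derives a filesystem path or an access-control decision from the raw Request-URI, since a client that does not compress the segment is exactly what an attacker will use.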
At first glance net_CoalesceDirs() appears to be doing the right thing, turning %2e into '.' before coalescing, so %2e%2e and .. should be treated exactly the same. http://mxr.mozilla.org/mozilla-central/source/netwerk/base/src/nsURLHelper.cpp#209 but I don't think that's what I'm seeing.
Flags: needinfo?(valentin.gosu)
Whiteboard: [necko-backlog]
Seems to be the same as bug 1042347. I have a patch for that, and the spec issues have been resolved, so we should be able to fix it right away.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(valentin.gosu)
Resolution: --- → DUPLICATE