Bug 552090 - (CVE-2010-2764) XHR Cross Site Status leak from xhr.statusText
Status: RESOLVED FIXED
Whiteboard: [sg:low]
Keywords: verified1.9.1, verified1.9.2
Product: Core
Classification: Components
Component: DOM
Assigned To: Blake Kaplan (:mrbkap)
: Andrew Overholt [:overholt]
Reported: 2010-03-12 15:11 PST by Matt
Modified: 2010-09-27 18:25 PDT (History)

Attachments
Fix (11.11 KB, patch)
2010-03-12 16:16 PST, Blake Kaplan (:mrbkap)
jonas: review+
jst: superreview+
dveditz: approval1.9.2.9+
dveditz: approval1.9.1.12+

Description Matt 2010-03-12 15:11:33 PST
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8

content/base/src/nsXMLHttpRequest.cpp

GetStatus() checks for a leak of status information from denied cross-site requests, but GetStatusText() does not.

nsXMLHttpRequest::GetStatus(PRUint32 *aStatus)
{
  *aStatus = 0;

  if (mState & XML_HTTP_REQUEST_USE_XSITE_AC) {
    // Make sure we don't leak status information from denied cross-site
    // requests.
    if (mChannel) {
      nsresult status;
      mChannel->GetStatus(&status);
      if (NS_FAILED(status)) {
        return NS_OK;
      }
    }
  }

nsXMLHttpRequest::GetStatusText(nsACString& aStatusText)
{
  nsCOMPtr<nsIHttpChannel> httpChannel = GetCurrentHttpChannel();

  aStatusText.Truncate();

  nsresult rv = NS_OK;

  if (httpChannel) {
    rv = httpChannel->GetResponseStatusText(aStatusText);
  }

  return rv;
}

Reproducible: Always
Comment 1 Blake Kaplan (:mrbkap) 2010-03-12 16:16:52 PST
Created attachment 432251 [details] [diff] [review]
Fix

The fix here is pretty trivial. sicking asked me to not throw if we didn't have an http channel because we currently don't throw at all in that case.
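Added example, not Mozilla's code and not the attached patch: a stand-alone C++ model of the check that GetStatus() already applied and of GetStatusText() before and after receiving the same check, keeping the no-throw behaviour sicking asked for in comment 1. XmlHttpRequestModel, Channel and the flag bit value are assumptions standing in for nsXMLHttpRequest, nsIHttpChannel and the real constants.

```cpp
#include <cstdint>
#include <string>
// Model types; the real code uses nsresult, nsIHttpChannel and nsCOMPtr.
typedef uint32_t nsresult;
const nsresult NS_OK = 0;
const nsresult NS_ERROR_FAILURE = 0x80004005;           // standard XPCOM failure code
inline bool NS_FAILED(nsresult r) { return (r & 0x80000000u) != 0; }
const uint32_t XML_HTTP_REQUEST_USE_XSITE_AC = 1u << 0;  // assumed bit position

// Stand-in for the http channel: its status records that the cross-site access
// check failed, while the response fields still hold what the server answered.
struct Channel {
  nsresult status;
  uint32_t responseStatus;
  std::string responseStatusText;
};

struct XmlHttpRequestModel {
  uint32_t mState;
  Channel* mChannel;
  // The guard GetStatus() already applied: a denied cross-site request must
  // report nothing about the server's reply.
  bool DeniedCrossSite() const {
    if (!(mState & XML_HTTP_REQUEST_USE_XSITE_AC) || !mChannel) return false;
    return NS_FAILED(mChannel->status);
  }
  nsresult GetStatus(uint32_t* aStatus) const {
    *aStatus = 0;
    if (DeniedCrossSite()) return NS_OK;
    if (mChannel) *aStatus = mChannel->responseStatus;
    return NS_OK;
  }
  // Shape of the reported GetStatusText(): the channel's text is copied out
  // with no cross-site check, which is the leak.
  nsresult GetStatusTextUnguarded(std::string& aStatusText) const {
    aStatusText.clear();
    if (mChannel) aStatusText = mChannel->responseStatusText;
    return NS_OK;
  }
  // Guarded form: same check as GetStatus(), and still no error return when
  // the check trips or there is no channel (comment 1).
  nsresult GetStatusText(std::string& aStatusText) const {
    aStatusText.clear();
    if (DeniedCrossSite()) return NS_OK;
    if (mChannel) aStatusText = mChannel->responseStatusText;
    return NS_OK;
  }
};
```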
Comment 2 Jonas Sicking (:sicking) No longer reading bugmail consistently 2010-03-12 16:21:32 PST
Comment on attachment 432251 [details] [diff] [review]
Fix

Thanks!
Comment 3 Johnathan Nightingale [:johnath] 2010-03-15 10:08:31 PDT
This should block the next branch release - please request patch approval once it's baked.
Comment 4 Blake Kaplan (:mrbkap) 2010-03-16 16:39:50 PDT
http://hg.mozilla.org/mozilla-central/rev/637a23219852

I'm also lowering the severity of this. The statusText field only exposes whether or not a server exists, and there exist timing based attacks to expose the same information.

dveditz, bsterne, please tell me if I'm off base here.
Comment 5 Reed Loden [:reed] (use needinfo?) 2010-07-16 21:32:25 PDT
This issue was separately reported to security@ by Nicholas B. <nberthaume@gmail.com>.

Nominating for branches.
Comment 6 Boris Zbarsky [:bz] (still a bit busy) 2010-07-16 21:40:09 PDT
> The statusText field only exposes whether or not a server exists

Not quite; it can expose some details of the server's setup too.
Comment 7 Daniel Veditz [:dveditz] 2010-07-21 10:28:01 PDT
Comment on attachment 432251 [details] [diff] [review]
Fix

Approved for 1.9.2.8 and 1.9.1.12, a=dveditz for release-drivers
Comment 8 Blake Kaplan (:mrbkap) 2010-08-13 13:29:48 PDT
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/b80930b974b0
Comment 9 Blake Kaplan (:mrbkap) 2010-08-16 13:55:45 PDT
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/5e36cfa5f256
Comment 10 Al Billings [:abillings] 2010-08-18 17:28:30 PDT
Verified for 1.9.1 and 1.9.2 based on updated checked-in tests.
