range.createContextualFragment calls onerror handler in the tagString if it exists

RESOLVED WONTFIX

Status

()

Core
DOM: Core & HTML
--
critical
RESOLVED WONTFIX
8 years ago
5 years ago

People

(Reporter: SAKAI, Kazuaki, Unassigned)

Tracking

1.9.2 Branch
x86
Mac OS X
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; ja-JP-mac; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; ja-JP-mac; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

range.createContextualFragment calls img.onerror handler in the tagString if it exists, when reading some specific documents like ow.ly.


Reproducible: Always

Steps to Reproduce:
A reproduciable code is here: http://mozilla:vul@send.sh/vulnerablility/01_onerror/
Actual Results:  
called img.onerror handler.

Expected Results:  
range.createContexualFragment must not call img.onerror handlers in the tagString.
(Reporter)

Updated

8 years ago
(In reply to comment #0)
> range.createContexualFragment must not call img.onerror handlers in the
> tagString.

Why not?
Component: Security → DOM: Traversal-Range
Product: Firefox → Core
QA Contact: firefox → traversal-range
Version: 3.6 Branch → 1.9.2 Branch
(Reporter)

Comment 2

8 years ago
1. range.createContextualFragment should not evaluate any scripts because it causes some security risk (see section 2) and it does. 
But only img.oneror and img.onload are evaluated expectionally.

sample code:
> var tagString = <>
>   <script type="text/javascript" src="test.js"></script>
>   <script type="text/javascript"><![CDATA[
>     function foo() { alert("foo"); }
>   ]]></script>
>   <img src="not_found.jpg" onerror="javascript:foo()" />
>   <img src="not_found.jpg" onerror="javascript:alert(1)" />
>   <img src="found.jpg" onload="javascript:bar()" />
> </>.toString();
> 
> var range = document.createRange();
> range.selectNodeContents(document.documentElement);
> range.createContextualFragment(tagString);

test.js:
> function bar() {
>   alert('bar');
> }

Function foo and bar are not evaluated. But onerror and onload handlers are evaluated.
So errors occurred that foo and bar are not defined, and alert(1) is called.


2. This implementation has a potential security risk.
If we want to create a Document from string for the purpose of DOM manipulations,
sometimes we write codes to using document.createDocument and range.createContextualFragment
like this: http://gist.github.com/198443 .
This snipet expected any scripts may not be executed before adding to an actual document.
Safari and Google Chrome do not evaluate on running createContextualFragment.
But Firefox do not act like these.
This looks invalid to me.  If you do this:

  var img = document.createElement("img");
  img.setAttribute("onerror", "alert(1)");
  img.src = "not_found.jpg";

I would expect that Firefox fires the onerror handler.  Wouldn't you?  Certainly Safari/Chrome do so.

The createContextualFragment case is no different.  It creates the exact same DOM, so should have the same behavior.

> This snipet expected any scripts may not be executed before adding to an
> actual document.

This seems like a bogus assumption in general for in-memory DOM trees.  See above createElement example.

> Safari and Google Chrome do not evaluate on running createContextualFragment.

They both show the "XSS" alert for me on your testcase from comment 0, as expected.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WONTFIX

Updated

8 years ago
Blocks: 301375
(Reporter)

Comment 4

8 years ago
> > Safari and Google Chrome do not evaluate on running createContextualFragment.
> 
> They both show the "XSS" alert for me on your testcase from comment 0, as
> expected.

I'm sorry. I had tried to execute sample codes on comment 2, and misunderstood
they do not execute handlers on running range.createContextualFragment.
it is the cause of a syntax error using E4X.

And now I understood createContextualFragment and createElement behave same way.

But I know many addons and userscripts using createContextualFragment without
any validations against input parameter via XMLHttpRequest.
They have potentally vulnerabilities. I think most of them should remove onerror
and onload handlers before using createContextualFragment or use other safe 
ways of getting HTMLDocument from string.

Thanks.
Well, in this case if you had used |doc| instead of |document| to create the range and as the context there would be no script execution, since scripting is disabled in data documents....
(Assignee)

Updated

5 years ago
Component: DOM: Traversal-Range → DOM: Core & HTML
Product: Core → Core
You need to log in before you can comment on or make changes to this bug.