2.58 KB, patch
Neil Deakin (mostly unavailable until September): review-
|Details | Diff | Splinter Review|
2.32 KB, patch
|Details | Diff | Splinter Review|
2.45 KB, patch
|Details | Diff | Splinter Review|
If a user drag a browser's tab element and drop it on the content area, a content-registered drop event listener can access the tab element and its properties including privileged functions. Only drop event listeners can access privileged objects without the security check. http://hg.mozilla.org/mozilla-central/file/2348611d0230/content/events/src/nsDOMDataTransfer.cpp#l455
Created attachment 451291 [details] testcase - Arbitrary code execution This works on Firefox trunk, 3.6.* and 3.5.*. (SeaMonkey does not store a tab element in a dataTransfer when a tab is dragged.)
There are two bugs here: * XPCConvert::NativeInterface2JSObject does not create COWs automatically. IMO we should fix this in another bug. * nsDOMDataTransfer::MozGetDataAt doesn't do anything to censor chrome objects from content getting at them. While having COWs would fix this bug, IMO it would be better to avoid exposing chrome objects to content at all from this API. Does that sound reasonable to people?
(and the first reason there means that bug 572130 can't save us here.)
Sounds very reasonable, and that is what I was thinking too; we shouldn't expose chrome objects to content. I'm not quite sure how to filter out chrome objects. The first reason is the most important, though.
Ah, we have principal for the TransferItems. We could use those. And content shouldn't even know if there are items which it can't access.
Though, perhaps there are cases like string data drop when content should be able to access the data even if the principal is system principal. ...need to investigate.
> * nsDOMDataTransfer::MozGetDataAt doesn't do anything to censor chrome > objects from content getting at them. While having COWs would fix this bug, IMO > it would be better to avoid exposing chrome objects to content at all from this > API. Does that sound reasonable to people? What are 'chrome objects'? The only thing that should be prevented is dom objects that aren't accessible from the page the drop listener is in. I assumed that was already happening. Is that not the case?
(In reply to comment #7) > What are 'chrome objects'? Objects that are implicitly associated with a chrome "context." In the testcase here, the chrome object is the XUL tab element that is being dropped. > The only thing that should be prevented is dom objects that aren't accessible > from the page the drop listener is in. I assumed that was already happening. Is > that not the case? It is not, unfortunately. Bug 572647 will help, though.
(In reply to comment #8) > (In reply to comment #7) > > What are 'chrome objects'? > > Objects that are implicitly associated with a chrome "context." But what objects are associated with chrome context? All nsPIDOMEventTargets, sure, but what else? All the JS implemented (implemented in chrome JS) objects?
So it is not clear to me what to do with this. Bug 572647 would fix the security problem.
Is it more likely to get a fix for bug 572647 than this bug? If so we'll track the other one for the branches
We're punting this out of .7/.11 for now, please let me know if it should be pulled back (or if bug 572647 should be on the branches instead)
So the testcase doesn't seem to work on trunk, but does on branches.
Marcia, can you confirm comment 13? If it's no longer repro on trunk, let's remove blocking status.
I can reproduce the testcase on trunk fx-4.0b7pre-2010-10-06-04.
Yes, I can repro as well using Mozilla/5.0 (Windows NT 5.1; rv:2.0b7pre) Gecko/20101006 Firefox/4.0b7pre.
If compartments fixes this then it should be fixed on tracemonkey by now. Need to verify that before we mark this one FIXED. However we still need a different fix for branches.
Compartments might not have fixed it due to default-unsafe exposedProps...
The testcase works on tracemonkey 2010-10-13-04.
What do you mean by "works"? Do you mean that you can still successfully get elevated privileges? Or do you mean that the browser successfully stops you?
The testcase can still successfully get elevated privileges.
This will actually be fixed by mrbkap's fix in bug 611485 (fixed in tracemonkey). Bug 572647 has been fixed for some time now, but it, as filed, wasn't quite enough to fix this issue as well.
The old testcase was fixed. But, this bug's problem is not fixed. Content code can still access a tab element and abuse its functions.
I can certainly reproduce the problem using testcase 2.
Blake, can we do a spot fix for this issue until COW's are default safe?
Not for FF4. The best I could come up with would be to try to flip "default safe" based on how content code got its hands on the chrome object in question.
Although, I guess we could try to avoid handing out chrome-compartment stuff to content from the drag/drop API... Not sure how hard that would be though or if it'd have other effects.
Created attachment 512386 [details] [diff] [review] Possible fix Neil, do you remember why this check was here? It seems to date all the way back to the original implementation.
Comment on attachment 512386 [details] [diff] [review] Possible fix The line is there so that you can drop something from one source to another. Drag and drop wouldn't be particularly useful without this.
Should we have some way to mark chrome only DataTransfer data items? Or perhaps other way, if chrome wants to allow content to access the data, it should mark the data somehow. This all at least with "uncommon" data transfer formats.
Blake said he's got a patch in progress for limiting where chrome objects are handed out from drag n drop code. Blake, please provide an ETA for the patch.
Created attachment 514366 [details] [diff] [review] Possible fix v2 So, the bug here is really that chrome objects don't behave according to the same origin model. This patch preserves the original behavior for content objects, but denies access to chrome objects that have been dropped. A second thought: would it make sense in the future to return null instead of throwing here? This seems like a case where the API really means "give me what I asked for if I have access to it, otherwise I don't want to know."
Comment on attachment 514366 [details] [diff] [review] Possible fix v2 But this patch has the same problem. 1. Open a page which listens for the drop event: data:text/html,<body ondragover="return false" ondrop="event.preventDefault(); alert(event.dataTransfer.getData('text/plain'));">Drop here</body> 2. Drag text from the url field or another application onto it. Actual: Security Exception Expected: An alert with the dropped text. Note that the mPrincipal isn't the principal of the thing being dragged, it's the principal of the caller that put it in the dataTransfer (although a native caller could theoretically use any principal). You actually want to be checking the thing being dragged (stored in mData) to check if it can be accessed. For this specific bug about dropping tabs, that thing will be a <tab> element from chrome.
I'm not really interested in playing whack-a-mole like that. I give up.
(In reply to comment #35) > I'm not really interested in playing whack-a-mole like that. I give up. Where does that put us then, gents?
So if we end up blacklisting, do we know what all should be blacklisted. Or, hmm, could we whilelist things which can be dropped using system principal?
What would happen if the drag started in the content page and script there sets some data using application/x-moz-tabbrowser-tab?
Enn, Gavin, do you happen to know what all drag formats chrome uses?
Created attachment 514555 [details] [diff] [review] Be very strict when handling common DOM objects as transfer data This is not yet tested properly, but at least dropping files from desktop to content works, d&d tabs works, d&d text from location bar to content page works etc.
So the patch prevents dragging EventTarget objects from content to chrome and vise versa. Are there cases when we would want to enable that?
Comment on attachment 514555 [details] [diff] [review] Be very strict when handling common DOM objects as transfer data I really need feedback from those who know Firefox UI code.
Why is the mExplicitlySet flag needed? > So the patch prevents dragging EventTarget objects from content to chrome > and vise versa. Are there cases when we would want to enable that? I don't think there is currently. Don't we want to prevent access if the caller cannot access the node no matter whether it is chrome or not? For instance, a drag from one page to another?
(In reply to comment #43) > Don't we want to prevent access if the caller cannot access the node no matter > whether it is chrome or not? For instance, a drag from one page to another? Ah, probably. So not only currentIsSystem == dataIsSystem check, but also principal subsumes check. and ok, mExplicitlySet isn't probably needed after all...
Created attachment 514576 [details] [diff] [review] v2
Over to Olli who's working on the alternate fix here!
Comment on attachment 514819 [details] [diff] [review] a bit simpler per bz's comments on IRC r=me
Comment on attachment 514819 [details] [diff] [review] a bit simpler per bz's comments on IRC Approved for 184.108.40.206 and 220.127.116.11, a=dveditz for release-drivers
Comment on attachment 514819 [details] [diff] [review] a bit simpler per bz's comments on IRC Not sure why this didn't make it, but moving approvals forward since it missed.
Comment on attachment 514819 [details] [diff] [review] a bit simpler per bz's comments on IRC Doesn't compile on 1.9.2, will need a new patch. error: ‘class nsIScriptContext’ has no member named ‘GetObjectPrincipal’
Olli: still need that new patch.
Created attachment 549940 [details] [diff] [review] GetObjectPrincipal method from trunk inline
Comment on attachment 549940 [details] [diff] [review] GetObjectPrincipal method from trunk inline Approved for 18.104.22.168, a=dveditz