Last Comment Bug 626775 - (CVE-2013-0794) Tab modal dialog spoofing (DOMWillOpenModalDialog + navigation)
(CVE-2013-0794)
: Tab modal dialog spoofing (DOMWillOpenModalDialog + navigation)
Status: RESOLVED FIXED
[sg:moderate][fixed-in-bug-611553][ad...
: csectype-spoof, sec-moderate
Product: Toolkit
Classification: Components
Component: General (show other bugs)
: Trunk
: All All
: -- normal (vote)
: mozilla21
Assigned To: Frank Yan (:fryn)
:
Mentors:
Depends on: 611553 830858
Blocks:
  Show dependency treegraph
 
Reported: 2011-01-18 13:28 PST by shutdown
Modified: 2014-11-19 19:37 PST (History)
10 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
+
wontfix
+
fixed
+
fixed
wontfix
19+
wontfix
19+
wontfix


Attachments
testcase (836 bytes, text/html)
2011-01-18 13:28 PST, shutdown
no flags Details
testcase that simply breaks the tab altogether (95 bytes, text/html)
2011-12-13 16:31 PST, Frank Yan (:fryn)
no flags Details

Description shutdown 2011-01-18 13:28:19 PST
Created attachment 504834 [details]
testcase

bug 625187 without iframes.
Comment 1 Daniel Veditz [:dveditz] 2011-01-18 13:43:50 PST
Even in 3.6.x the timing here is pretty spooftastic -- the dialog title says the name of the other site but it overlays the Google content that's built behind it.

We could do all kinds of things differently (if not easily)
 - don't layout a new page while a modal dialog is open
 - auto-cancel the modal dialog on navigation
 - leave the dialog open, but break the connection to the
   calling page and just give them a "cancel" response.
Comment 2 Justin Dolske [:Dolske] 2011-01-18 14:22:26 PST
A check for something like |callingWindow.top == windowForPrompt.top| would probably be good to have (and just throw if that's the case, because we never want that to happen anyway).
Comment 3 Justin Dolske [:Dolske] 2011-11-16 19:43:00 PST
Hmm, I wonder if this and bug 383382 are the same thing.
Comment 4 Frank Yan (:fryn) 2011-12-13 16:31:27 PST
Created attachment 581476 [details]
testcase that simply breaks the tab altogether

While investigating this bug, I discovered that the prompter code can be completely broken with the following.

addEventListener('DOMWillOpenModalDialog', function() confirm(0));
alert(0);

Once this runs, if a user tries to navigate the tab to another address, it won't be displayed to the user and only the blank confirm dialog will be visible.

The check that Dolske suggests might be sufficient for the security part, but would completely disallowing prompts inside DOMWillOpenModalDialog handlers make sense?
Comment 5 :Gavin Sharp [email: gavin@gavinsharp.com] 2011-12-14 18:35:23 PST
DOMWillOpenModalDialog shouldn't be visible to content scripts at all - we just need to fix that, AFAICT.
Comment 6 Frank Yan (:fryn) 2011-12-15 19:00:34 PST
(In reply to Gavin Sharp (use gavin@gavinsharp.com for email) from comment #5)
> DOMWillOpenModalDialog shouldn't be visible to content scripts at all - we
> just need to fix that, AFAICT.

Okay, fixing bug 611553 should do it then.
I just attached a patch to that bug.
Comment 7 Frank Yan (:fryn) 2013-01-17 03:06:17 PST
I just fixed this by making DOMWillOpenModalDialog chrome-only in bug 611553.
Comment 8 Daniel Veditz [:dveditz] 2013-01-17 16:37:21 PST
We should land this on the branches... does b2g use this code? we maybe want to fix it there as well.
Comment 9 Daniel Veditz [:dveditz] 2013-01-17 16:41:21 PST
the fix in bug 611553 builds on bug 830858, and that changes the nsIDOMWindowUtils API -- pretty internal-ish but still might be used by add-ons so I'm not sure we could actually take this on stable branches. At least not without creating nsIDOMWindowUtils2 or something.
Comment 10 Daniel Veditz [:dveditz] 2013-01-17 17:08:42 PST
This affects the b2g browser as well.
Comment 11 Frank Yan (:fryn) 2013-01-17 17:20:07 PST
(In reply to Daniel Veditz [:dveditz] from comment #10)
> This affects the b2g browser as well.

If they forked Firefox desktop or Fennec (XUL and Java), then they may need to patch their code, since the DOMWillOpenModalDialog event is also dispatched from the front end for those code bases.
I can take a look.
Where does their front-end b2g browser code live?
Comment 12 Frank Yan (:fryn) 2013-01-17 17:46:03 PST
A quick Github search turned up nothing:
https://github.com/search?q=repo%3Amozilla-b2g%2Fgaia+DOMWIllOpenModalDialog&p=1&ref=searchbar&type=Code&l=
Comment 13 Alex Keybl [:akeybl] 2013-01-23 13:26:21 PST
Frank - can you prepare patches for Aurora 20? Given the fact that bug 830858 changes interfaces and this is sec-moderate, we've decided to wontfix for FF19, B2G18 and ESR17.
Comment 14 Frank Yan (:fryn) 2013-01-24 02:30:06 PST
(In reply to Alex Keybl [:akeybl] from comment #13)
> Frank - can you prepare patches for Aurora 20? Given the fact that bug
> 830858 changes interfaces and this is sec-moderate, we've decided to wontfix
> for FF19, B2G18 and ESR17.

Sure. Given that the patches that fixed this bug are in two public bugs, should I simply use the same commit messages? If so, should I simply flag the patches in those bugs for aurora 20 approval? If not, do you want me to upload a copy of those patches combined into one to this bug with a different commit message?
Comment 15 Alex Keybl [:akeybl] 2013-02-01 16:05:27 PST
Yeah let's nominate the two separate bugs, and just put in a private comment reminding us of the security implications. Thanks!

Note You need to log in before you can comment on or make changes to this bug.