Closed Bug 765527 (CVE-2012-3994) Opened 7 years ago Closed 7 years ago

Object.defineProperty can shadow |top|

Categories

(Core :: DOM: Core & HTML, defect)

13 Branch
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla17
Tracking Status
firefox13 --- wontfix
firefox14 + wontfix
firefox15 + wontfix
firefox16 + fixed
firefox17 + fixed
firefox18 --- fixed
firefox-esr10 16+ fixed

People

(Reporter: marius.mlynski, Assigned: mccr8)

References

Details

(Keywords: sec-high, Whiteboard: [advisory-tracking+])

Attachments

(5 files, 1 obsolete file)

Filing a new bug, as requested by Boris in Bug 756719 comment 10.

With bug 750307 fixed, the location property itself seems to be hardened well enough, but plugins may try to access it through |top.location| -- for instance, Adobe Flash Player opens javascript:top.location+"__flashplugin_unique__" to determine the page origin. And it is possible to shadow |top| using Object.defineProperty.

Incidentally, Google Chrome seems to disallow redefining |top|.
Attachment #633854 - Attachment mime type: text/plain → text/html
Status: UNCONFIRMED → NEW
Ever confirmed: true
Can we give the flash player Xray wrappers by default or something?
(In reply to Blake Kaplan (:mrbkap) from comment #2)
> Can we give the flash player Xray wrappers by default or something?

That would involve running NPAPI JS in a separate compartment. Which would be great, but I'm not signing up for that...
Even before we get that far: does flash JS need to see things like global variables by default? If so, we're sunk before we start.
Can we simply disallow mucking with top (and parent/owner while you're at it?).
Keywords: sec-high
Andrew says he can look into this, and yes, I think the answer here is to make window.top permanent so it can't be mucked with.
Assignee: nobody → continuation
Attached patch cargo culted patch (obsolete) — Splinter Review
Per jst's suggestion, I just copied what is done for sNavigator_id. I'm going to try to understand what it actually is doing...

Anyways, with this patch, the test produces this error:

JavaScript error: file:///Users/amccreight/mz/tests/765527.html, line 3: can't redefine non-configurable property 'top'

and does not produce a pop alert.
The original test seemed to hang my browser. This does the same thing, it just checks top.location.toString() directly instead of using a plugin. Without the patch, it evaluates to the bogus string, with it, it produces the correct URL.
I was getting some browser element failures, but jlebar pointed out GetScriptableTop(), and switching to that fixed the problem with those tests.
Attachment #650340 - Attachment is obsolete: true
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch

I don't know this code very well.  If top changes, this isn't going to be right because we're caching the result, but I think that's not possible, unless it is possible for the weird scripted stuff.  If you could give feedback on the scripted top stuff, Justin (eg can it change) that would be good...
Attachment #650991 - Flags: review?(mrbkap)
Attachment #650991 - Flags: feedback?(justin.lebar+bug)
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch

If Justin says that we can't just cache the top value, we'll need a different approach that replaces the getter or something, so I'm clearing the review flag for now.
Attachment #650991 - Flags: review?(mrbkap)
Suppose I move an iframe from one document to another.  Does the iframe's contentWindow's outer window survive the re-parenting?  That is, if I do

  var w = iframe.contentWindow;
  [move iframe from one document to another]
  w.src = "http://google.com";

does that have any effect?  If so, then the outer window's .top changes, so GetScriptableTop should change to match.

If not, then the only other circumstance I can think of which would cause GetScriptableTop to change is if you change a docshell's is-browser or is-app property, which you shouldn't do, and will likely break all sorts of other things.
(In reply to Justin Lebar [:jlebar] from comment #12)
> Suppose I move an iframe from one document to another.
In that case we reload the iframe.
... and in fact re-create docshell too.
If we re-create the docshell, then this should be fine.
Attachment #650991 - Flags: feedback?(justin.lebar+bug) → feedback+
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch

Thanks for the analysis!
Attachment #650991 - Flags: review?(mrbkap)
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch

Who knows what evil lurks in the hearts of men?
Attachment #650991 - Flags: review?(mrbkap) → review+
Let's wait for this to be fixed on trunk before tracking for a specific ESR version again.
(In reply to Andrew McCreight [:mccr8] from comment #16)
> Comment on attachment 650991 [details] [diff] [review]
> v2, cargo culted patch
> 
> Thanks for the analysis!

Let's get this landed on m-c for possible aurora/beta 16 uplift.
https://hg.mozilla.org/mozilla-central/rev/573c753b7bc8
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
This should get a testcase checked in, once it is made public.
Comment on attachment 650351 [details]
friendlier version of the original test

[Approval Request Comment]
User impact if declined: possible security risks with Flash
Bug caused by (feature/regressing bug #): none
Fix Landed on Version: it has been on 17 for a few days
Risk to taking this patch (and alternatives if risky): This changes web-exposed behavior which could potentially be bad, but Chrome already does this, so jst doesn't think it should be too bad. No real alternatives. I could leave it on Aurora and Nightly for another week or two to see if anything pops up.
String or UUID changes made by this patch: none
Attachment #650351 - Flags: approval-mozilla-esr10?
Attachment #650351 - Flags: approval-mozilla-beta?
Attachment #650351 - Flags: approval-mozilla-esr10?
Attachment #650351 - Flags: approval-mozilla-beta?
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch

Err, that message was for this attachment, not the other one...
Attachment #650991 - Flags: approval-mozilla-esr10?
Attachment #650991 - Flags: approval-mozilla-beta?
The test will have "GOOD!" in it twice if it passes, in the popup, otherwise one or both will be "BAD!" instead.
(In reply to Andrew McCreight [:mccr8] from comment #23)
> Risk to taking this patch (and alternatives if risky): This changes
> web-exposed behavior which could potentially be bad, but Chrome already does
> this, so jst doesn't think it should be too bad. No real alternatives. I
> could leave it on Aurora and Nightly for another week or two to see if
> anything pops up.

Let's target this fix for Beta 3, so that we can have a week on Aurora 17 of bake time. Normally I'd approve a change like this as early as possible to find regressions, but I'm concerned that if we land it on Beta and then find regressions, we'll be committed to still fixing in 16.
Attachment #650991 - Flags: approval-mozilla-esr10?
Attachment #650991 - Flags: approval-mozilla-esr10+
Attachment #650991 - Flags: approval-mozilla-beta?
Attachment #650991 - Flags: approval-mozilla-beta+
Attached patch ESR 10 versionSplinter Review
It works fine for beta, with minor adjustments. On ESR10, I had to change GetScriptedTop to GetTop, but even with that the test still fails with the patch applied, even though we are hitting the code I added. I'm not sure why that is.
Ah, so, this isn't working on ESR10 because bug 756719 never landed on ESR10.
I'll wait until that other bug lands on ESR10 to land this one there.
https://hg.mozilla.org/releases/mozilla-beta/rev/e7bcf3d49761
Depends on: CVE-2012-1956
Whiteboard: [advisory-tracking+]
Alias: CVE-2012-3994
I confirmed that it worked on ESR10 with bug 756719, but it ended up getting backed out, so I'll wait until that sorts itself out before landing.
Depends on: 808404
Group: core-security
Flags: sec-bounty+
mass remove verifyme requests greater than 4 months old
Keywords: verifyme
I don't really know what I'm doing here, so I'd appreciate a review. I'm not sure how useful this test really is, as this will be much harder to mess up in the WebIDL world, but it is probably useful.
Attachment #8462846 - Flags: review?(bugs)
Comment on attachment 8462846 [details] [diff] [review]
Add test for shadowing window.top.

test fails on try
Attachment #8462846 - Flags: review?(bugs)
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.