The default bug view has changed. See this FAQ.
Bug 765527 (CVE-2012-3994)

Object.defineProperty can shadow |top|

RESOLVED FIXED in Firefox 16

Status

()

Core
DOM
RESOLVED FIXED
5 years ago
3 years ago

People

(Reporter: Mariusz Mlynski, Assigned: mccr8)

Tracking

({sec-high})

13 Branch
mozilla17
sec-high
Points:
---
Dependency tree / graph
Bug Flags:
sec-bounty +
in-testsuite ?

Firefox Tracking Flags

(firefox13 wontfix, firefox14+ wontfix, firefox15+ wontfix, firefox16+ fixed, firefox17+ fixed, firefox18 fixed, firefox-esr1016+ fixed)

Details

(Whiteboard: [advisory-tracking+])

Attachments

(5 attachments, 1 obsolete attachment)

(Reporter)

Description

5 years ago
Created attachment 633854 [details]
shadow top.location test

Filing a new bug, as requested by Boris in Bug 756719 comment 10.

With bug 750307 fixed, the location property itself seems to be hardened well enough, but plugins may try to access it through |top.location| -- for instance, Adobe Flash Player opens javascript:top.location+"__flashplugin_unique__" to determine the page origin. And it is possible to shadow |top| using Object.defineProperty.

Incidentally, Google Chrome seems to disallow redefining |top|.
(Reporter)

Updated

5 years ago
Attachment #633854 - Attachment mime type: text/plain → text/html
Status: UNCONFIRMED → NEW
Ever confirmed: true
Can we give the flash player Xray wrappers by default or something?
(In reply to Blake Kaplan (:mrbkap) from comment #2)
> Can we give the flash player Xray wrappers by default or something?

That would involve running NPAPI JS in a separate compartment. Which would be great, but I'm not signing up for that...
Even before we get that far: does flash JS need to see things like global variables by default? If so, we're sunk before we start.
Can we simply disallow mucking with top (and parent/owner while you're at it?).
Keywords: sec-high
status-firefox-esr10: --- → affected
status-firefox13: --- → wontfix
status-firefox14: --- → affected
status-firefox15: --- → affected
status-firefox16: --- → affected
tracking-firefox-esr10: --- → ?
tracking-firefox14: --- → +
tracking-firefox15: --- → +
tracking-firefox16: --- → +
status-firefox14: affected → wontfix
status-firefox17: --- → affected
tracking-firefox-esr10: ? → 15+
tracking-firefox17: --- → +
Andrew says he can look into this, and yes, I think the answer here is to make window.top permanent so it can't be mucked with.
Assignee: nobody → continuation
(Assignee)

Comment 7

5 years ago
Created attachment 650340 [details] [diff] [review]
cargo culted patch

Per jst's suggestion, I just copied what is done for sNavigator_id. I'm going to try to understand what it actually is doing...

Anyways, with this patch, the test produces this error:

JavaScript error: file:///Users/amccreight/mz/tests/765527.html, line 3: can't redefine non-configurable property 'top'

and does not produce a pop alert.
(Assignee)

Comment 8

5 years ago
Created attachment 650351 [details]
friendlier version of the original test

The original test seemed to hang my browser. This does the same thing, it just checks top.location.toString() directly instead of using a plugin. Without the patch, it evaluates to the bogus string, with it, it produces the correct URL.
(Assignee)

Comment 9

5 years ago
Created attachment 650991 [details] [diff] [review]
v2, cargo culted patch

I was getting some browser element failures, but jlebar pointed out GetScriptableTop(), and switching to that fixed the problem with those tests.
Attachment #650340 - Attachment is obsolete: true
(Assignee)

Comment 10

5 years ago
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch

I don't know this code very well.  If top changes, this isn't going to be right because we're caching the result, but I think that's not possible, unless it is possible for the weird scripted stuff.  If you could give feedback on the scripted top stuff, Justin (eg can it change) that would be good...
Attachment #650991 - Flags: review?(mrbkap)
Attachment #650991 - Flags: feedback?(justin.lebar+bug)
(Assignee)

Comment 11

5 years ago
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch

If Justin says that we can't just cache the top value, we'll need a different approach that replaces the getter or something, so I'm clearing the review flag for now.
Attachment #650991 - Flags: review?(mrbkap)
Suppose I move an iframe from one document to another.  Does the iframe's contentWindow's outer window survive the re-parenting?  That is, if I do

  var w = iframe.contentWindow;
  [move iframe from one document to another]
  w.src = "http://google.com";

does that have any effect?  If so, then the outer window's .top changes, so GetScriptableTop should change to match.

If not, then the only other circumstance I can think of which would cause GetScriptableTop to change is if you change a docshell's is-browser or is-app property, which you shouldn't do, and will likely break all sorts of other things.
(In reply to Justin Lebar [:jlebar] from comment #12)
> Suppose I move an iframe from one document to another.
In that case we reload the iframe.
... and in fact re-create docshell too.
If we re-create the docshell, then this should be fine.
Attachment #650991 - Flags: feedback?(justin.lebar+bug) → feedback+
(Assignee)

Comment 16

5 years ago
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch

Thanks for the analysis!
Attachment #650991 - Flags: review?(mrbkap)
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch

Who knows what evil lurks in the hearts of men?
Attachment #650991 - Flags: review?(mrbkap) → review+
Let's wait for this to be fixed on trunk before tracking for a specific ESR version again.
status-firefox15: affected → wontfix
tracking-firefox-esr10: 15+ → ---
(In reply to Andrew McCreight [:mccr8] from comment #16)
> Comment on attachment 650991 [details] [diff] [review]
> v2, cargo culted patch
> 
> Thanks for the analysis!

Let's get this landed on m-c for possible aurora/beta 16 uplift.
(Assignee)

Comment 20

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/573c753b7bc8
https://hg.mozilla.org/mozilla-central/rev/573c753b7bc8
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
(Assignee)

Comment 22

5 years ago
This should get a testcase checked in, once it is made public.
status-firefox17: affected → fixed
status-firefox18: --- → fixed
tracking-firefox-esr10: --- → 16+
Keywords: verifyme
(Assignee)

Comment 23

5 years ago
Comment on attachment 650351 [details]
friendlier version of the original test

[Approval Request Comment]
User impact if declined: possible security risks with Flash
Bug caused by (feature/regressing bug #): none
Fix Landed on Version: it has been on 17 for a few days
Risk to taking this patch (and alternatives if risky): This changes web-exposed behavior which could potentially be bad, but Chrome already does this, so jst doesn't think it should be too bad. No real alternatives. I could leave it on Aurora and Nightly for another week or two to see if anything pops up.
String or UUID changes made by this patch: none
Attachment #650351 - Flags: approval-mozilla-esr10?
Attachment #650351 - Flags: approval-mozilla-beta?
(Assignee)

Updated

5 years ago
Attachment #650351 - Flags: approval-mozilla-esr10?
Attachment #650351 - Flags: approval-mozilla-beta?
(Assignee)

Comment 24

5 years ago
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch

Err, that message was for this attachment, not the other one...
Attachment #650991 - Flags: approval-mozilla-esr10?
Attachment #650991 - Flags: approval-mozilla-beta?
(Assignee)

Comment 25

5 years ago
The test will have "GOOD!" in it twice if it passes, in the popup, otherwise one or both will be "BAD!" instead.
(In reply to Andrew McCreight [:mccr8] from comment #23)
> Risk to taking this patch (and alternatives if risky): This changes
> web-exposed behavior which could potentially be bad, but Chrome already does
> this, so jst doesn't think it should be too bad. No real alternatives. I
> could leave it on Aurora and Nightly for another week or two to see if
> anything pops up.

Let's target this fix for Beta 3, so that we can have a week on Aurora 17 of bake time. Normally I'd approve a change like this as early as possible to find regressions, but I'm concerned that if we land it on Beta and then find regressions, we'll be committed to still fixing in 16.
Attachment #650991 - Flags: approval-mozilla-esr10?
Attachment #650991 - Flags: approval-mozilla-esr10+
Attachment #650991 - Flags: approval-mozilla-beta?
Attachment #650991 - Flags: approval-mozilla-beta+
(Assignee)

Comment 27

5 years ago
Created attachment 659796 [details] [diff] [review]
ESR 10 version

It works fine for beta, with minor adjustments. On ESR10, I had to change GetScriptedTop to GetTop, but even with that the test still fails with the patch applied, even though we are hitting the code I added. I'm not sure why that is.
(Assignee)

Comment 28

5 years ago
Ah, so, this isn't working on ESR10 because bug 756719 never landed on ESR10.
(Assignee)

Comment 29

5 years ago
I'll wait until that other bug lands on ESR10 to land this one there.
https://hg.mozilla.org/releases/mozilla-beta/rev/e7bcf3d49761
status-firefox16: affected → fixed
Blocks: 792405
(Assignee)

Updated

5 years ago
Depends on: 756719
Whiteboard: [advisory-tracking+]
Alias: CVE-2012-3994
(Assignee)

Comment 30

5 years ago
I confirmed that it worked on ESR10 with bug 756719, but it ended up getting backed out, so I'll wait until that sorts itself out before landing.
(Assignee)

Comment 31

5 years ago
https://hg.mozilla.org/releases/mozilla-esr10/rev/913caf5a7cf0
status-firefox-esr10: affected → fixed
(Assignee)

Comment 32

5 years ago
Backed out because bug 756719 (née bug 750307) was backed out:
  https://hg.mozilla.org/releases/mozilla-esr10/rev/96931ca23431
status-firefox-esr10: fixed → affected
(Assignee)

Comment 33

5 years ago
Once more, with feeling.

https://hg.mozilla.org/releases/mozilla-esr10/rev/d3922c1c120e
status-firefox-esr10: affected → fixed
(Assignee)

Updated

4 years ago
Depends on: 808404
Group: core-security
Flags: sec-bounty+
mass remove verifyme requests greater than 4 months old
Keywords: verifyme
(Assignee)

Comment 36

3 years ago
Created attachment 8462846 [details] [diff] [review]
Add test for shadowing window.top.

I don't really know what I'm doing here, so I'd appreciate a review. I'm not sure how useful this test really is, as this will be much harder to mess up in the WebIDL world, but it is probably useful.
Attachment #8462846 - Flags: review?(bugs)
(Assignee)

Comment 37

3 years ago
Comment on attachment 8462846 [details] [diff] [review]
Add test for shadowing window.top.

test fails on try
Attachment #8462846 - Flags: review?(bugs)
You need to log in before you can comment on or make changes to this bug.