Closed
Bug 770429
(CVE-2012-3978)
Opened 12 years ago
Closed 12 years ago
Bypassing security checks for nsLocation::CheckURL
Categories
(Core :: Security, defect)
Tracking
()
People
(Reporter: moz_bug_r_a4, Assigned: smaug)
Details
(Keywords: sec-high, Whiteboard: [advisory-tracking+])
Attachments
(2 files)
|
1.95 KB,
patch
|
Details | Diff | Splinter Review | |
|
1.79 KB,
patch
|
mrbkap
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
akeybl
:
approval-mozilla-esr10+
|
Details | Diff | Splinter Review |
GetContextFromStack ignores JSContext for ContentFrameMessageManager. If GetContextFromStack ends up not getting a JSContext, nsLocation::CheckURL does not do security checks. This could allow content to load restricted URLs.
|
Reporter | |
Comment 1•12 years ago
|
||
This works on fx10-16.
|
Assignee | |
Comment 2•12 years ago
|
||
Blake, jst, why bug 307983 was ok? I don't quite understand the
if (nsJSUtils::GetDynamicScriptContext(*aContext)) {
part.
|
|
Assignee | |
Comment 3•12 years ago
|
||
Does this really need message manager? Couldn't some JS component do the same thing.
|
|
Assignee | |
Comment 5•12 years ago
|
||
But I'm not quite happy with this approach, since setting href may still not
get the right base uri.
|
|
Assignee | |
Comment 6•12 years ago
|
||
Or, hmm, perhaps the we don't want the base uri handling after all...
|
|
Assignee | |
Comment 7•12 years ago
|
||
Perhaps we actually want this kind of super simple approach, at least
for ESR. Changing GetContextFromStack handling could be regression risky.
|
|
Assignee | |
Comment 8•12 years ago
|
||
Comment on attachment 638840 [details] [diff] [review]
WIP2
Blake, what do you think of this?
I really want the safest possible option for ESR. We can
clean up the JSContext stack handling on trunk
(GetContextFromStack is odd).
Attachment #638840 -
Flags: review?(mrbkap)
|
||
Updated•12 years ago
|
status-firefox-esr10:
--- → affected
status-firefox14:
--- → affected
status-firefox15:
--- → affected
status-firefox16:
--- → affected
tracking-firefox-esr10:
--- → ?
tracking-firefox15:
--- → +
tracking-firefox16:
--- → +
|
|
||
Comment 9•12 years ago
|
||
See bug 770431 which combines this with another bug to get remote code execution
Keywords: sec-high
|
||
Comment 10•12 years ago
|
||
Comment on attachment 638840 [details] [diff] [review]
WIP2
Review of attachment 638840 [details] [diff] [review]:
-----------------------------------------------------------------
Yeah, this is probably the best we can do here. Hopefully this will get cleaner once we go to one context per thread... It seems like the split here is that we want to know both "can the currently running code load this URI" and then separately do stuff based on the "entry script".
Attachment #638840 -
Flags: review?(mrbkap) → review+
|
|
Assignee | |
Comment 11•12 years ago
|
||
Comment on attachment 638840 [details] [diff] [review]
WIP2
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
part of an sg:crit problem
User impact if declined: security problem
Fix Landed on Version: NA
Risk to taking this patch (and alternatives if risky): Should be low-risk
String or UUID changes made by this patch: N/A
Attachment #638840 -
Flags: approval-mozilla-esr10?
Attachment #638840 -
Flags: approval-mozilla-beta?
Attachment #638840 -
Flags: approval-mozilla-aurora?
|
|
||
Updated•12 years ago
|
status-firefox17:
--- → affected
tracking-firefox17:
--- → +
|
||
Comment 12•12 years ago
|
||
Comment on attachment 638840 [details] [diff] [review]
WIP2
[Triage Comment]
Low-risk, sg:high fix. Approving for all branches.
Attachment #638840 -
Flags: approval-mozilla-esr10?
Attachment #638840 -
Flags: approval-mozilla-esr10+
Attachment #638840 -
Flags: approval-mozilla-beta?
Attachment #638840 -
Flags: approval-mozilla-beta+
Attachment #638840 -
Flags: approval-mozilla-aurora?
Attachment #638840 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 13•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Comment 14•12 years ago
|
||
Olli, this still needs to get landed on branches. :)
|
|
Assignee | |
Comment 15•12 years ago
|
||
Indeed.
|
|
Assignee | |
Comment 16•12 years ago
|
||
|
|
Assignee | |
Comment 17•12 years ago
|
||
|
|
Assignee | |
Comment 18•12 years ago
|
||
|
||
Updated•12 years ago
|
Whiteboard: [advisory-tracking+]
|
||
Comment 19•12 years ago
|
||
Does this need a test in test-suite?
Whiteboard: [advisory-tracking+] → [advisory-tracking+][qa?]
|
|
Assignee | |
Comment 20•12 years ago
|
||
I think yes, this does.
|
|
Assignee | |
Comment 21•12 years ago
|
||
Though making the testcase automatic can be a bit tricky.
|
|
||
Comment 22•12 years ago
|
||
Okay, we'll have to verify this manually before release then. What is the expected results with the attached testcase?
|
|
Assignee | |
Comment 23•12 years ago
|
||
The testcase has good instructions in it.
|
|
||
Comment 24•12 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #23)
> The testcase has good instructions in it.
Heh, I should have opened it before asking. Thanks.
Whiteboard: [advisory-tracking+][qa?] → [advisory-tracking+][qa+]
|
|
||
Updated•12 years ago
|
Alias: CVE-2012-3978
Keywords: verifyme
Whiteboard: [advisory-tracking+][qa+] → [advisory-tracking+]
|
|
||
Comment 25•12 years ago
|
||
Confirmed reproducible with Firefox 14.0.1.
Verified fixed with:
* 2012-08-27 Firefox 17.0a1
* 2012-08-27 Firefox 16.0a2
* Firefox 15.0 build1
* Firefox 10.0.7esr build1
|
|
||
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•