Note: There are a few cases of duplicates in user autocompletion which are being worked on.
Bug 802026 (CVE-2013-0759)

URL spoofing with credentials info of URL & 204

VERIFIED FIXED in Firefox 18



Location Bar
5 years ago
3 years ago


(Reporter: Masato Kinugawa, Assigned: Gavin)


({csectype-spoof, sec-high})

16 Branch
Firefox 20
csectype-spoof, sec-high
Bug Flags:
sec-bounty +
in-testsuite ?

Firefox Tracking Flags

(firefox17 wontfix, firefox18+ verified, firefox19+ verified, firefox20+ verified, firefox-esr1018+ verified, firefox-esr1718+ verified, b2g18 fixed)


(Whiteboard: [adv-main18+][adv-esr17+][adv-esr10+])


(6 attachments, 1 obsolete attachment)



5 years ago
Created attachment 671741 [details]

User Agent: Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20100101 Firefox/16.0
Build ID: 20121010144125

Steps to reproduce:

1. Go to attachment file and click "go" button.
2. Address bar points "". But in fact, it is not "".

Expected results:

Firefox should display URL correctly.


5 years ago
Attachment #671741 - Attachment mime type: text/plain → text/html;charset=utf-8


5 years ago
Component: Untriaged → Location Bar
Ever confirmed: true
We've had problems with navigation, 204's and the address bar in the past. Is the old bug back or is this new?
Keywords: csec-ui-redress, sec-high
(In reply to Daniel Veditz [:dveditz] from comment #3)
> We've had problems with navigation, 204's and the address bar in the past.
> Is the old bug back or is this new?

I don't know if the UI redress issue is new; I also don't know if the technique for suppressing the warning dialog is known.
Component: Location Bar → Document Navigation
Product: Firefox → Core

Comment 5

5 years ago
So isn't this more like an UI issue. What I see is location bar which has ...lots of white space...

Comment 6

5 years ago
Daniel, you moved this from LocationBar component to DocumentNavigation. Any reason why?


5 years ago
Component: Document Navigation → Location Bar
Product: Core → Firefox
Created attachment 691245 [details] [diff] [review]

There's a simpler way to reproduce:
1) Load "http://spoof   " (copy/paste from here, those are some fancy unicode spaces).
2) (Accept the warning)
3) Focus URL bar, press Esc.

Expected: URL stays the same
Actual: URL switches to the "spoofy" value

The underlying issue is that we're not calling createExposableURI when URLBarSetURI reverts the URL to the current URI. This happens in the case above, but also when finishing toolbar customization and, since bug 724599, when a load fails, as in this bug's testcase.

I searched the addons MXR for users of XULBrowserWindow._uriFixup - edilee's addon is the only one I found find:
Assignee: nobody →
Attachment #691245 - Flags: review?(dao)
Mardak: see the last part of comment 7. You'll need to stop using XULBrowserWindow._uriFixup in AwesomeBar HD. I recommend just retrieving the service  yourself rather than using a random Firefox property.
OS: Windows Vista → All
Hardware: x86 → All


5 years ago
Attachment #691245 - Flags: review?(dao) → review+
Comment on attachment 691245 [details] [diff] [review]

[Security approval request comment]
How easily can the security issue be deduced from the patch?

Fairly easily, given the test. It's clear that we're touching spoofing-related functionality (display of the URL in the URL bar, stripping of the user/pass).

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

It's clear what we're fixing, but probably not that clear how you would exploit this in practice.

Which older supported branches are affected by this flaw?


If not all supported branches, which bug introduced the flaw?


Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Patch applies pretty much as-is to beta/aurora, very little uplift risk.

How likely is this patch to cause regressions; how much testing does it need?

I think it's unlikely to cause regressions - we're just being more consistent and applying existing URL bar display behavior to more cases. For beta/aurora, I can avoid the property removal that could potentially affect add-ons.
Attachment #691245 - Flags: sec-approval?
Adding Alex so we can discuss when we want to take this given that it affects branches and we're in the middle of the cycle.
status-firefox-esr10: --- → affected
status-firefox17: --- → affected
status-firefox18: --- → affected
status-firefox19: --- → affected
status-firefox20: --- → affected
status-firefox-esr17: --- → affected
tracking-firefox-esr10: --- → ?
tracking-firefox18: --- → ?
tracking-firefox19: --- → ?
tracking-firefox20: --- → ?
tracking-firefox-esr17: --- → ?
Comment on attachment 691245 [details] [diff] [review]


For the branches--especially ESRs--we need a patch without the _uriFixup removal.
Attachment #691245 - Flags: sec-approval? → sec-approval+
status-firefox17: affected → wontfix
tracking-firefox-esr10: ? → 18+
tracking-firefox18: ? → +
tracking-firefox19: ? → +
tracking-firefox20: ? → +
tracking-firefox-esr17: ? → 18+
Created attachment 692103 [details] [diff] [review]
beta/aurora patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): n/a
User impact if declined: URL bar vulnerable to spoofing
Testing completed (on m-c, etc.): none yet
Risk to taking this patch (and alternatives if risky): relatively low risk. No add-on impact, and we're just making existing code used for displaying URLs in the URL bar apply more broadly.
String or UUID changes made by this patch: none
Attachment #692103 - Flags: approval-mozilla-esr17?
Attachment #692103 - Flags: approval-mozilla-beta?
Attachment #692103 - Flags: approval-mozilla-aurora?
Created attachment 692106 [details] [diff] [review]
esr10 patch

[Approval Request Comment]
(see comment 12)
Attachment #692106 - Flags: approval-mozilla-esr10?
Comment on attachment 692103 [details] [diff] [review]
beta/aurora patch

Approving on branches as its a low risk patch for a sec high bug and unlikely to cause regressions.
Attachment #692103 - Flags: approval-mozilla-esr17?
Attachment #692103 - Flags: approval-mozilla-esr17+
Attachment #692103 - Flags: approval-mozilla-beta?
Attachment #692103 - Flags: approval-mozilla-beta+
Attachment #692103 - Flags: approval-mozilla-aurora?
Attachment #692103 - Flags: approval-mozilla-aurora+


5 years ago
Attachment #692106 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
status-firefox18: affected → fixed
Target Milestone: --- → Firefox 20
Comment on attachment 692106 [details] [diff] [review]
esr10 patch

This patch is going to need an update, the test won't work as-is on ESR10.
Attachment #692106 - Attachment is obsolete: true
Comment on attachment 692103 [details] [diff] [review]
beta/aurora patch

This patch will also need a test update for ESR17. Notes to self:
- whenNewWindowLoaded doesn't exist on the ESRs
- whenDelayedStartupFinished doesn't exist in the right head.js on ESR10
- openToolbarCustomizationUI/closeToolbarCustomizationUI don't exist on ESR10
- pageloaderror may not be a valid test on esr10 (since it's pre-bug 724599)
Followup to fix some test bustage:
status-firefox19: affected → fixed
Created attachment 692664 [details] [diff] [review]
updated ESR10 patch

I just removed the two non-working sub-tests ("customization" and "loading a new page)", leaving just the handleRevert test for ESR10.
Attachment #692664 - Flags: approval-mozilla-esr10+
Created attachment 692665 [details] [diff] [review]
ESR17 patch

For ESR17, I just added whenNewWindowLoaded to head.js.
Attachment #692665 - Flags: approval-mozilla-esr17+
Attachment #692103 - Attachment description: beta/aurora/esr17 patch → beta/aurora patch
Created attachment 692666 [details] [diff] [review]
followup fix for trunk/beta

This is the followup I landed in comment 19 to work around bug 822056 (which I didn't catch locally, because I was testing before per-window PB got turned on).
(In reply to :Gavin Sharp (use for email) from comment #23)
> Created attachment 692666 [details] [diff] [review]
> followup fix for trunk/beta

(I also rolled this in when I pushed the original patch to Aurora)
status-firefox-esr10: affected → fixed
status-firefox-esr17: affected → fixed
Sigh, the beta bustage was the same as the ESR bustage - whenNewWindowLoaded was not defined. I added it as with ESR-17:
This is still broken on Aurora.
Oops, somehow managed to forget to open an Aurora TBPL tab :( Too many branches.
status-b2g18: --- → fixed
Last Resolved: 5 years ago
status-firefox20: affected → fixed
Resolution: --- → FIXED
Keywords: verifyme
Whiteboard: [adv-main18+][adv-esr17+][adv-esr10+]
Alias: CVE-2013-0759
Confirmed reproducible with Firefox 16.0.

Verified fixed with:
* Firefox 20.0a1 2013-01-04
* Firefox 19.0a2 2013-01-04
* Firefox 18.0b7
* Firefox 10.0.12esr build1
* Firefox 17.0.1esrpre 2013-01-03

Is this something we can put in testsuite?
status-firefox-esr10: fixed → verified
status-firefox18: fixed → verified
status-firefox19: fixed → verified
status-firefox20: fixed → verified
status-firefox-esr17: fixed → verified
Flags: in-testsuite?
Keywords: verifyme
QA Contact:
Group: core-security

Comment 32

5 years ago
Comment on attachment 671741 [details]

><!DOCTYPE html>
><meta charset="utf-8">
>function a(){
>'                                                                                                                                                                          ', 'x');
>	setTimeout(function(){
>'', 'x');
>	}, 500);
><input type="button" value="go" onclick="a()">
Flags: sec-bounty+
You need to log in before you can comment on or make changes to this bug.