Closed Bug 813758 Opened 12 years ago Closed 12 years ago

Need additional security checks for the "geolocation" permission

Categories

(Core :: DOM: Geolocation, defect, P1)

Product:
Core
Component:
DOM: Geolocation
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
B2G C4 (2jan on)
Project Flags:
blocking-basecamp +
Tracking Flags:
Tracking Status
firefox18 --- wontfix
firefox19 --- wontfix
firefox20 --- fixed
b2g18 --- fixed

People

(Reporter: bent.mozilla, Assigned: dougt)

References

Details

Attachments

(1 file, 4 obsolete files)

patch v.4
5.53 KB, patch
sicking
: review+
Details | Diff | Splinter Review
geolocation: prompt in parent (nsIContentPermissionPrompt), can be bypassed thereafter no security checks at all Need some additional checks to ensure that geolocation data is not delivered to processes without the geolocation permission.
Summary: Need additional security checks for the "" permission → Need additional security checks for the "geolocation" permission
Assignee: nobody → doug.turner
blocking-basecamp: ? → +
Attached patch patch v.1 (obsolete) — Splinter Review
Attachment #685308 - Flags: review?(bent.mozilla)
Comment on attachment 685308 [details] [diff] [review] patch v.1 Review of attachment 685308 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/ipc/ContentParent.cpp @@ +1822,5 @@ > > bool > ContentParent::RecvAddGeolocationListener() > { > + AssertAppProcessPermission(this, "geolocation"); This (and the others below) should be: if (!AssertAppProcessPermission(...)) { return false; }
Attachment #685308 - Flags: review?(bent.mozilla) → review+
Backed out for Windows mochitest-other crashes due to: { 3717 INFO TEST-START | chrome://mochitests/content/chrome/dom/ipc/tests/test_process_error.xul Security problem: Content process does not have `geolocation' permission. It will be killed. } (and a few other variations on the theme) See: https://tbpl.mozilla.org/?tree=Mozilla-Inbound&jobname=mochitest-other&tochange=051d3e0fa048&fromchange=a6b604916694 Backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/051d3e0fa048
so, we call RecvRemoveGeolocationListener() from ContentParent::ActorDestroy. :(
Attached patch patch v.2 (obsolete) — Splinter Review
so, our IPC chrome tests basically do not have any permission bits set on them at all. This is expected. This patch protects RecvRemoveGeolocationListener from asserting if mGeolocationWatchID was never set.
Attachment #687149 - Flags: review?(bent.mozilla)
Attached patch patch v.2 (obsolete) — Splinter Review
Attachment #685308 - Attachment is obsolete: true
Attachment #687149 - Attachment is obsolete: true
Attachment #687149 - Flags: review?(bent.mozilla)
Attachment #687152 - Flags: review?(bent.mozilla)
Setting priority based on triage discussions. Feel free to decrease priority if you disagree.
Priority: -- → P1
Attachment #687152 - Flags: review?(bent.mozilla) → review+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/ebaa0a4d35a3
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Depends on: 817758
(Comment 12 was a backout due to bug 817758)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Depends on: 818167
Mass Modify: All un-milestoned, unresolved blocking-basecamp+ bugs are being moved into the C3 milestone. Note that the target milestone does not mean that these bugs can't be resolved prior to 12/10, rather C2 bugs should be prioritized ahead of C3 bugs.
Target Milestone: --- → B2G C3 (12dec-1jan)
What's the situation here? Stuck on the branches, but not on m-c?
No longer depends on: 818167
blocking-basecamp: + → ?
blocking-basecamp: ? → +
Attached patch patch v.3 (obsolete) — Splinter Review
Attachment #687152 - Attachment is obsolete: true
Attachment #694191 - Flags: review?(jonas)
Comment on attachment 694191 [details] [diff] [review] patch v.3 Review of attachment 694191 [details] [diff] [review]: ----------------------------------------------------------------- r=me with that fixed. ::: dom/ipc/ContentParent.cpp @@ +1873,5 @@ > { > +#ifdef MOZ_PERMISSIONS > + // We need to ensure that this permission has been set. > + // If it hasn't, just noop > + nsCOMPtr<nsIPermissionManager> pm = do_GetService(NS_PERMISSIONMANAGER_CONTRACTID); You need to verify that the received principal isn't a complete lie too. To do this you can use code similar to [1]. So call ManagedPBrowserParent to get a list of PBrowserParent. Then on each of them call GetOwnOrContainingApp on it to get an nsIApplication. Then call GetLocalId on each nsIApplication (localid is just a different name for appid :( ). The appid of the principal needs to match the localId of one of the apps, otherwise the principal is a lie! [1] http://mxr.mozilla.org/mozilla-central/source/dom/ipc/AppProcessPermissions.cpp#53
Attachment #694191 - Flags: review?(jonas) → review+
sicking/bent - maybe we should do this as part of the principal serialization?
Yes, I think we should! Originally I had thought of doing something similar, but more complicated, but I think doing these checks on the principal deserializer would work great!
Attached patch patch v.4Splinter Review
Attachment #694191 - Attachment is obsolete: true
Attachment #696121 - Flags: review?(jonas)
Comment on attachment 696121 [details] [diff] [review] patch v.4 Review of attachment 696121 [details] [diff] [review]: ----------------------------------------------------------------- r=me with that fixed. ::: dom/ipc/ContentParent.cpp @@ +1934,5 @@ > + } > + } > + > + if (!found) { > + return true; Call KillHard() here before returning.
Attachment #696121 - Flags: review?(jonas) → review+
Try run for 39536974b3dd is complete. Detailed breakdown of the results available here: https://tbpl.mozilla.org/?tree=Try&rev=39536974b3dd Results (out of 315 total builds): success: 287 warnings: 25 failure: 3 Builds (or logs if builds failed) available at: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/dougt@mozilla.com-39536974b3dd
Backed out due to X Orange. Good news -- the patches work. Bad news, some of the X tests need to be updated. https://hg.mozilla.org/mozilla-central/rev/33064e13c3fd https://hg.mozilla.org/releases/mozilla-aurora/rev/5652a8a40668 https://hg.mozilla.org/releases/mozilla-b2g18/rev/42aac34da660
Status: RESOLVED → REOPENED
status-b2g18: fixedaffected
status-firefox19: fixedaffected
status-firefox20: fixedaffected
Resolution: FIXED → ---
Try run for 39536974b3dd is complete. Detailed breakdown of the results available here: https://tbpl.mozilla.org/?tree=Try&rev=39536974b3dd Results (out of 316 total builds): success: 287 warnings: 26 failure: 3 Builds (or logs if builds failed) available at: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/dougt@mozilla.com-39536974b3dd
Target Milestone: B2G C3 (12dec-1jan) → B2G C4 (2jan on)
https://hg.mozilla.org/mozilla-central/rev/13c24710fbac https://hg.mozilla.org/releases/mozilla-b2g18/rev/a7088ed31774
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago
status-b2g18: affectedfixed
status-firefox20: affectedfixed
Resolution: --- → FIXED
Keywords: checkin-needed
Try run for cc21ed6ca7e4 is complete. Detailed breakdown of the results available here: https://tbpl.mozilla.org/?tree=Try&rev=cc21ed6ca7e4 Results (out of 308 total builds): exception: 2 success: 287 warnings: 17 failure: 2 Builds (or logs if builds failed) available at: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/dougt@mozilla.com-cc21ed6ca7e4
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: