Closed Bug 813758 Opened 12 years ago Closed 12 years ago

Need additional security checks for the "geolocation" permission

Categories

(Core :: DOM: Geolocation, defect, P1)

Product:
Core
Component:
DOM: Geolocation
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
B2G C4 (2jan on)
Project Flags:
blocking-basecamp +
Tracking Flags:
Tracking Status
firefox18 --- wontfix
firefox19 --- wontfix
firefox20 --- fixed
b2g18 --- fixed

People

(Reporter: bent.mozilla, Assigned: dougt)

References

Details

Attachments

(1 file, 4 obsolete files)

patch v.4
5.53 KB, patch
sicking
: review+
Details | Diff | Splinter Review 
geolocation:
  prompt in parent (nsIContentPermissionPrompt), can be bypassed
  thereafter no security checks at all

Need some additional checks to ensure that geolocation data is not delivered to processes without the geolocation permission.
Summary: Need additional security checks for the "" permission → Need additional security checks for the "geolocation" permission
Assignee: nobody → doug.turner
blocking-basecamp: ? → +
Attached patch patch v.1 (obsolete) — Splinter Review 

        Attachment #685308 -
        Flags: review?(bent.mozilla)

    
    

    
  
Comment on attachment 685308 [details] [diff] [review]
patch v.1

Review of attachment 685308 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/ipc/ContentParent.cpp
@@ +1822,5 @@
>  
>  bool
>  ContentParent::RecvAddGeolocationListener()
>  {
> +  AssertAppProcessPermission(this, "geolocation");

This (and the others below) should be:

  if (!AssertAppProcessPermission(...)) {
    return false;
  }

        Attachment #685308 -
        Flags: review?(bent.mozilla) → review+

    
    

    
  
Backed out for Windows mochitest-other crashes due to:
{
3717 INFO TEST-START | chrome://mochitests/content/chrome/dom/ipc/tests/test_process_error.xul
Security problem: Content process does not have `geolocation' permission.  It will be killed.
}
(and a few other variations on the theme)

See:
https://tbpl.mozilla.org/?tree=Mozilla-Inbound&jobname=mochitest-other&tochange=051d3e0fa048&fromchange=a6b604916694

Backout:
https://hg.mozilla.org/integration/mozilla-inbound/rev/051d3e0fa048

    
    

    
  
so, we call RecvRemoveGeolocationListener() from ContentParent::ActorDestroy.  :(

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch v.2 (obsolete)
        — Splinter Review
      

    


  
so, our IPC chrome tests basically do not have any permission bits set on them at all.  This is expected.

This patch protects RecvRemoveGeolocationListener from asserting if mGeolocationWatchID was never set.

        Attachment #687149 -
        Flags: review?(bent.mozilla)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch v.2 (obsolete)
        — Splinter Review
      

    


  

        Attachment #685308 -
        Attachment is obsolete: true

        Attachment #687149 -
        Attachment is obsolete: true

        Attachment #687149 -
        Flags: review?(bent.mozilla)

        Attachment #687152 -
        Flags: review?(bent.mozilla)

    
    

    
  
Setting priority based on triage discussions.  Feel free to decrease priority if you disagree.
Priority: -- → P1

        Attachment #687152 -
        Flags: review?(bent.mozilla) → review+

    
  
Keywords: checkin-needed

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/ebaa0a4d35a3
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Depends on: 817758

    
    

    
  
(Comment 12 was a backout due to bug 817758)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Depends on: 818167

    
    

    
  
Mass Modify: All un-milestoned, unresolved blocking-basecamp+ bugs are being moved into the C3 milestone. Note that the target milestone does not mean that these bugs can't be resolved prior to 12/10, rather C2 bugs should be prioritized ahead of C3 bugs.
Target Milestone: --- → B2G C3 (12dec-1jan)

    
    

    
  
What's the situation here? Stuck on the branches, but not on m-c?

    
  
No longer depends on: 818167

    
  
blocking-basecamp: + → ?

    
  
blocking-basecamp: ? → +

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch v.3 (obsolete)
        — Splinter Review
      

    


  

        Attachment #687152 -
        Attachment is obsolete: true

        Attachment #694191 -
        Flags: review?(jonas)

    
    

    
  
Comment on attachment 694191 [details] [diff] [review]
patch v.3

Review of attachment 694191 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with that fixed.

::: dom/ipc/ContentParent.cpp
@@ +1873,5 @@
>  {
> +#ifdef MOZ_PERMISSIONS
> +  // We need to ensure that this permission has been set.
> +  // If it hasn't, just noop
> +  nsCOMPtr<nsIPermissionManager> pm = do_GetService(NS_PERMISSIONMANAGER_CONTRACTID);

You need to verify that the received principal isn't a complete lie too. To do this you can use code similar to [1].

So call ManagedPBrowserParent to get a list of PBrowserParent. Then on each of them call GetOwnOrContainingApp on it to get an nsIApplication. Then call GetLocalId on each nsIApplication (localid is just a different name for appid :( ). The appid of the principal needs to match the localId of one of the apps, otherwise the principal is a lie!

[1] http://mxr.mozilla.org/mozilla-central/source/dom/ipc/AppProcessPermissions.cpp#53

        Attachment #694191 -
        Flags: review?(jonas) → review+

    
    

    
  
sicking/bent - maybe we should do this as part of the principal serialization?

    
    

    
  
Yes, I think we should!

Originally I had thought of doing something similar, but more complicated, but I think doing these checks on the principal deserializer would work great!

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch v.4Splinter Review
      

    


  

        Attachment #694191 -
        Attachment is obsolete: true

        Attachment #696121 -
        Flags: review?(jonas)

    
    

    
  
Comment on attachment 696121 [details] [diff] [review]
patch v.4

Review of attachment 696121 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with that fixed.

::: dom/ipc/ContentParent.cpp
@@ +1934,5 @@
> +      }
> +  }
> +
> +  if (!found) {
> +    return true;

Call KillHard() here before returning.

        Attachment #696121 -
        Flags: review?(jonas) → review+

    
    

    
  
Try run for 39536974b3dd is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=39536974b3dd
Results (out of 315 total builds):
    success: 287
    warnings: 25
    failure: 3
Builds (or logs if builds failed) available at:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/dougt@mozilla.com-39536974b3dd

    
    

    
  
Backed out due to X Orange.  Good news -- the patches work.  Bad news, some of the X tests need to be updated.

https://hg.mozilla.org/mozilla-central/rev/33064e13c3fd
https://hg.mozilla.org/releases/mozilla-aurora/rev/5652a8a40668
https://hg.mozilla.org/releases/mozilla-b2g18/rev/42aac34da660
Status: RESOLVED → REOPENED

          status-b2g18:
          fixedaffected

          status-firefox19:
          fixedaffected

          status-firefox20:
          fixedaffected
Resolution: FIXED → ---

    
    

    
  
Try run for 39536974b3dd is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=39536974b3dd
Results (out of 316 total builds):
    success: 287
    warnings: 26
    failure: 3
Builds (or logs if builds failed) available at:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/dougt@mozilla.com-39536974b3dd

    
  
Target Milestone: B2G C3 (12dec-1jan) → B2G C4 (2jan on)

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/13c24710fbac
https://hg.mozilla.org/releases/mozilla-b2g18/rev/a7088ed31774
Status: REOPENED → RESOLVED
Closed: 12 years ago12 years ago

          status-b2g18:
          affectedfixed

          status-firefox20:
          affectedfixed
Resolution: --- → FIXED

    
  
Keywords: checkin-needed

    
    

    
  
Try run for cc21ed6ca7e4 is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=cc21ed6ca7e4
Results (out of 308 total builds):
    exception: 2
    success: 287
    warnings: 17
    failure: 2
Builds (or logs if builds failed) available at:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/dougt@mozilla.com-cc21ed6ca7e4

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: