Closed
Bug 828958
Opened 11 years ago
Closed 11 years ago
audit uses of DeserializeURI
Categories
(Core :: Networking, defect)
Core
Networking
Tracking
()
People
(Reporter: jduell.mcbugs, Assigned: jduell.mcbugs)
References
(Blocks 1 open bug)
Details
(Keywords: sec-high)
Attachments
(1 file, 1 obsolete file)
|
1.98 KB,
patch
|
bent.mozilla
:
review+
milan
:
approval-mozilla-b2g18+
|
Details | Diff | Splinter Review |
Make sure there's no way child process can cause parent to crash by passing a null URI to IPDL.
Attachment #700353 -
Flags: review?(bent.mozilla)
|
Assignee | |
Comment 1•11 years ago
|
||
meet my friend hg qref
Assignee: nobody → jduell.mcbugs
Attachment #700353 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #700353 -
Flags: review?(bent.mozilla)
Attachment #700354 -
Flags: review?(bent.mozilla)
Comment on attachment 700354 [details] [diff] [review] v2 Review of attachment 700354 [details] [diff] [review]: ----------------------------------------------------------------- ::: netwerk/protocol/http/HttpChannelParent.cpp @@ +133,5 @@ > nsCOMPtr<nsIURI> uri = DeserializeURI(aURI); > + if (!uri) { > + // URIParams does MOZ_ASSERT if null, but we need to protect opt builds from > + // null deref here. > + return SendFailedAsyncOpen(NS_ERROR_ILLEGAL_VALUE); Let's just return false here.
Attachment #700354 -
Flags: review?(bent.mozilla) → review+
|
|
Assignee | |
Comment 3•11 years ago
|
||
Comment on attachment 700354 [details] [diff] [review] v2 https://hg.mozilla.org/integration/mozilla-inbound/rev/a3582dcf09df [Approval Request Comment] User impact if declined: compromised child process could make parent crash Risk to taking this patch (and alternatives if risky): none: 2 safe one liners String or UUID changes made by this patch: no
Attachment #700354 -
Flags: approval-mozilla-b2g18?
|
||
Comment 4•11 years ago
|
||
Comment on attachment 700354 [details] [diff] [review] v2 Looks like safe and necessary.
Attachment #700354 -
Flags: approval-mozilla-b2g18? → approval-mozilla-b2g18+
|
|
Assignee | |
Comment 5•11 years ago
|
||
I'm assuming approval-b2g+ means v1.0.1 only unless otherwise specified. Do we want this on 1.0.0 too? https://hg.mozilla.org/releases/mozilla-b2g18/rev/b8a407f4e857
|
||
Comment 6•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/a3582dcf09df
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
|
||
Updated•11 years ago
|
|
|
Assignee | |
Comment 7•11 years ago
|
||
>> Do we want this on 1.0.0 too? > > tracking-b2g18: + I'm not clear if that's a "yes". Doesn't sound like it?
|
|
Assignee | |
Updated•11 years ago
|
blocking-b2g: --- → tef?
|
|
||
Comment 8•11 years ago
|
||
This is low risk, is an sec-high issue, and will prevent child processes from crashing the parent. Let's take it on v1.0.0 as well.
blocking-b2g: tef? → tef+
Keywords: sec-high
|
|
Assignee | |
Comment 9•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-b2g18_v1_0_0/rev/5253c6b83f3e Also updated fix on 1.0.1 to use exact same logic (return false instead of return SendFailedAsyncOpen) just to keep branches in sync: https://hg.mozilla.org/releases/mozilla-b2g18/rev/c6a4a3d1ec69
|
|
||
Updated•11 years ago
|
status-b2g18-v1.0.1:
--- → fixed
status-firefox19:
--- → wontfix
status-firefox20:
--- → wontfix
status-firefox21:
--- → fixed
You need to log in
before you can comment on or make changes to this bug.
Description
•