Closed Bug 829619 Opened 12 years ago Closed 8 years ago

Validate "Webapps:RegisterForMessages/UnregisterForMessages" in the parent process

Categories

(Core Graveyard :: DOM: Apps, defect)

Product:
Core Graveyard
Component:
DOM: Apps
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: airpingu, Unassigned)

References

Details

(quoting Paul from bug 820206, comment #1) -------------------------------------------------- Webapps:RegisterForMessages Webapps.js uses this to register for specific messages, but there is no check in the parent as to what messages are being listened for. I am not sure if this is an issue - would there be any benefit to the child to be able add itself as a listener for arbitrary messages (perhaps to intercept sensitive messages?) (quoting Jonas from bug 820206, comment #45) -------------------------------------------------- Ah, now I see what's going on here. I *think* that we are fine here as long as all message listening is managed on a per-childprocess basis (or per-application basis).
koi? since it blocks bug 820202 but we don't usually block on meta bugs.
blocking-b2g: --- → koi?
Gene, would we hold 1.2 for this?
Flags: needinfo?(gene.lian)
Looks like it's something related to comms team?
Flags: needinfo?(jcheng)
No, it's a platform issue. It's not even obvious that we have something to fix here.
+1 with Fabrice. This bug just highlight a potential security issue instead of a critical blocker. I'd suggest it's not really necessary to put it in the V1.2. I think an easy solution is to let the 'Webapps:RegisterForMessages' message carry manifestURL and do the following check in the parent: receiveMessage: function receiveMessage(aMessage) { if (aMessage.name == Webapps:RegisterForMessages && !aMessage.target.assertContainApp(aMessage.json.manifestURL)) { debug("Got message from a child process containing illegal manifest URL."); return null; } } In this way, if any bad child wants to hack the 'Webapps:RegisterForMessages' message for other good child, the parent will stop that. However, the bad child can still have chance to register messages for itself. Just like Jonas mentioned at comment #0, if side-effects would just happen on the bad child, then we don't need to worry about that. The current messages a bad child can register for are: "Webapps:Install:Return:OK" "Webapps:Uninstall:Return:OK" "Webapps:Uninstall:Broadcast:Return:OK "Webapps:OfflineCache" "Webapps:PackageEvent" "Webapps:CheckForUpdate:Return:OK" Do they really sound dangerous?
Flags: needinfo?(gene.lian)
(In reply to Gene Lian [:gene] from comment #5) > "Webapps:Install:Return:OK" > "Webapps:Uninstall:Return:OK" > "Webapps:Uninstall:Broadcast:Return:OK > "Webapps:OfflineCache" > "Webapps:PackageEvent" > "Webapps:CheckForUpdate:Return:OK" > > Do they really sound dangerous? They can all be used to know which apps the user has installed, so there can be privacy issues. Your mitigation sounds reasonable though even if not perfect.
(In reply to Gene Lian [:gene] from comment #5) > +1 with Fabrice. This bug just highlight a potential security issue instead > of a critical blocker. I'd suggest it's not really necessary to put it in > the V1.2. Okay, I'll remove koi?. Please feel free to re-nom for whatever release is appropriate.
blocking-b2g: koi? → ---
Flags: needinfo?(jcheng)
Product: Core → Core Graveyard
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.