Bug 842255 (CVE-2013-1671)

It's possible to get the full path from a file control

RESOLVED FIXED in Firefox 21

Status

Product: Core
Component: Layout: Form Controls
RESOLVED FIXED
Reported: 4 years ago
Modified: 3 years ago

People

(Reporter: moz_bug_r_a4, Assigned: bholley)

Tracking

(Blocks: 1 bug, {csectype-disclosure, sec-moderate, testcase})

Version: Trunk
Target Milestone: mozilla22
Keywords: csectype-disclosure, sec-moderate, testcase
Points: ---
Bug Flags: in-testsuite -

Firefox Tracking Flags

(firefox19 affected, firefox20+ wontfix, firefox21- fixed, firefox22- fixed, firefox-esr17- wontfix, b2g18- wontfix)

Details

(Whiteboard: [adv-main21+] embargo until ESR-17 EOL)

Description (Reporter)

4 years ago
By using XBL bugs discussed in bug 816071 and bug 817922, it's possible to get the full path from a file control.
Comment 1 (Reporter)

4 years ago
Created attachment 715075 [details]
testcase

This works on fx10, 17-21.

Bug 821850 and bug 834697 are fixed on trunk, but this still works on trunk because currently IsCallerXBL checks the XBL bit regardless of the pref.
Flags: sec-bounty?
Comment 2

Bug 838675 is going to introduce a lot of changes in <input type='file'> and I just tested locally: those changes will just fix this (we no longer show the file path). We are waiting to fix an a11y issue to land them.
Depends on: 838675
OS: Windows XP → All
Hardware: x86 → All
Version: unspecified → Trunk
Keywords: csec-disclosure, sec-moderate, testcase
Comment 3

Assigning to Mounir to take care of after he lands bug 838675.
Assignee: nobody → mounir

Comment 4

4 years ago
Changing to sec-bounty- since moz_bug works for us.
Blocks: 835618
Flags: sec-bounty? → sec-bounty-
Comment 5

I'm digging through the testcase.
Depends on: 843829
Depends on: 844211
status-b2g18: --- → wontfix
status-firefox19: --- → affected
status-firefox20: --- → affected
status-firefox21: --- → affected
status-firefox22: --- → affected
status-firefox-esr17: --- → affected
tracking-firefox20: --- → ?
tracking-firefox21: --- → ?
tracking-firefox-esr17: --- → ?

Comment 6

4 years ago
We'll track for a specific ESR release once resolved.
tracking-firefox20: ? → +
tracking-firefox21: ? → +
tracking-firefox22: --- → +
tracking-firefox-esr17: ? → ---
status-firefox20: affected → wontfix
Comment 7

Given that this is sec-moderate and has now been around for a couple of releases we'll untrack and look at nominations for uplift if a low risk fix is found and verified.
tracking-firefox21: + → -
tracking-firefox22: + → -
Comment 8

Mounir, how close are we with fixing the dependencies of bug 838675? If something is stuck there I'm happy to help nudge things along...
Component: Security → Layout: Form Controls
Comment 9

I can't reproduce this in Nightly 22.0a1 (2013-03-23) on Linux64 using a fresh profile. When I click "test" in the attached testcase I get:

native anonymous content:

TypeError: Value does not implement interface Node.

Comment 10

Probably because of Bobby's fixes?
Comment 11

Yeah, XBL scopes + bug 844211 should have fixed this on Nightly and Aurora.

We still need to figure out what we're doing for esr17 and b2g18 though.
Comment 12

Fixed on trunk (22) and Aurora (21) per comment 11.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-firefox21: affected → fixed
status-firefox22: affected → fixed
tracking-b2g18: --- → ?
tracking-firefox-esr17: --- → ?
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Comment 13

(In reply to Bobby Holley (:bholley) from comment #11)
> Yeah, XBL scopes + bug 844211 should have fixed this on Nightly and Aurora.
> 
> We still need to figure out what we're doing for esr17 and b2g18 though.

It's sec-moderate, so it's not a required fix on support branches. Sounds like the level of effort, and the risk introduced, may be too high to find ESR/B2G-specific fixes. What do you think Bobby?
Assignee: mounir → bobbyholley+bmo
Comment 14

(In reply to Alex Keybl [:akeybl] from comment #13)
> (In reply to Bobby Holley (:bholley) from comment #11)
> > Yeah, XBL scopes + bug 844211 should have fixed this on Nightly and Aurora.
> > 
> > We still need to figure out what we're doing for esr17 and b2g18 though.
> 
> It's sec-moderate, so it's not a required fix on support branches. Sounds
> like the level of effort, and the risk introduced, may be too high to find
> ESR/B2G-specific fixes. What do you think Bobby?

Well, XBL scopes fix a number of known sg-crits, but are probably too big to backport. Our best hope is probably to just embargo all these bugs until esr17 / b2g18 EOL.
status-firefox-esr17: affected → wontfix
tracking-b2g18: ? → -
tracking-firefox-esr17: ? → -
Whiteboard: [adv-main21+]
Alias: CVE-2013-1671
Whiteboard: [adv-main21+] → [adv-main21+] embargo until ESR-17 EOL
Flags: sec-bounty-
Flags: in-testsuite? → in-testsuite-
Group: core-security