Closed Bug 842255 (CVE-2013-1671) Opened 8 years ago Closed 8 years ago

It's possible to get the full path from a file control

Categories

(Core :: Layout: Form Controls, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla22
Tracking Status
firefox19 --- affected
firefox20 + wontfix
firefox21 - fixed
firefox22 - fixed
firefox-esr17 - wontfix
b2g18 - wontfix

People

(Reporter: moz_bug_r_a4, Assigned: bholley)

Details

(Keywords: csectype-disclosure, sec-moderate, testcase, Whiteboard: [adv-main21+] embargo until ESR-17 EOL)

By using XBL bugs discussed in bug 816071 and bug 817922, it's possible to get the full path from a file control.
Attached file testcase
This works on fx10,17-21.

Bug 821850 and bug 834697 are fixed on trunk, but this still works on trunk because currently IsCallerXBL checks the XBL bit regardless of the pref.
Bug 838675 is going to introduce a lot of changes in <input type='file'> and I just tested locally: those changes will just fix this (we no longer show the file path). We are waiting to fix an a11y issue to land them.
Depends on: 838675
OS: Windows XP → All
Hardware: x86 → All
Version: unspecified → Trunk
Assigning to Mounir to take care of after he lands bug 838675.
Assignee: nobody → mounir
Changing to sec-bounty- since moz_bug works for us.
Flags: sec-bounty? → sec-bounty-
I'm digging through the testcase.
Depends on: CVE-2013-1711
Depends on: 844211
We'll track for a specific ESR release once resolved.
Given that this is sec-moderate and has now been around for a couple of releases we'll untrack and look at nominations for uplift if a low risk fix is found and verified.
Mounir, how close are we with fixing the dependencies of bug 838675? If something is stuck there I'm happy to help nudge things along...
Component: Security → Layout: Form Controls
I can't reproduce this in Nightly 22.0a1 (2013-03-23) on Linux64 using a fresh profile. When I click "test" in the attached testcase I get:

native anonymous content:

TypeError: Value does not implement interface Node.
Probably because of Bobby's fixes?
Yeah, XBL scopes + bug 844211 should have fixed this on Nightly and Aurora.

We still need to figure out what we're doing for esr17 and b2g18 though.
Fixed on trunk (22) and Aurora (21) per comment 11.
Status: NEW → RESOLVED
Closed: 8 years ago
tracking-b2g18: --- → ?
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
(In reply to Bobby Holley (:bholley) from comment #11)
> Yeah, XBL scopes + bug 844211 should have fixed this on Nightly and Aurora.
> 
> We still need to figure out what we're doing for esr17 and b2g18 though.

It's sec-moderate, so it's not a required fix on support branches. Sounds like the level of effort, and the risk introduced, may be too high to find ESR/B2G-specific fixes. What do you think, Bobby?
Assignee: mounir → bobbyholley+bmo
(In reply to Alex Keybl [:akeybl] from comment #13)
> (In reply to Bobby Holley (:bholley) from comment #11)
> > Yeah, XBL scopes + bug 844211 should have fixed this on Nightly and Aurora.
> > 
> > We still need to figure out what we're doing for esr17 and b2g18 though.
> 
> It's sec-moderate, so it's not a required fix on support branches. Sounds
> like the level of effort, and the risk introduced, may be too high to find
> ESR/B2G-specific fixes. What do you think Bobby?

Well, XBL scopes fix a number of known sg-crits, but are probably too big to backport. Our best hope is probably to just embargo all these bugs until esr17 / b2g18 EOL.
Whiteboard: [adv-main21+]
Alias: CVE-2013-1671
Whiteboard: [adv-main21+] → [adv-main21+] embargo until ESR-17 EOL
Flags: sec-bounty-
Flags: in-testsuite? → in-testsuite-
Group: core-security