Bug 842255 - (CVE-2013-1671) It's possible to get the full path from a file control
Status: RESOLVED FIXED
Whiteboard: [adv-main21+] embargo until ESR-17 EOL
Keywords: csectype-disclosure, sec-moderate, testcase
Product: Core
Classification: Components
Component: Layout: Form Controls
Version: Trunk
Platform: All / All
Importance: -- normal
Target Milestone: mozilla22
Assigned To: Bobby Holley (:bholley) (busy with Stylo)
: Jet Villegas (:jet)
Mentors:
Depends on: 838675 CVE-2013-1711 844211
Blocks: 835618
Reported: 2013-02-18 02:08 PST by moz_bug_r_a4
Modified: 2014-11-19 19:39 PST
CC: 10 users
Flags: bobbyholley: in-testsuite-
Tracking flags (branch names not recoverable from the page): affected, +, wontfix, -, fixed, -, fixed, -, wontfix, -, wontfix
Description moz_bug_r_a4 2013-02-18 02:08:52 PST
By using XBL bugs discussed in bug 816071 and bug 817922, it's possible to get the full path from a file control.
Comment 1 moz_bug_r_a4 2013-02-18 02:11:05 PST
Created attachment 715075: testcase

This works on fx10, 17-21.

Bug 821850 and bug 834697 are fixed on trunk, but this still works on trunk because currently IsCallerXBL checks the XBL bit regardless of the pref.
Comment 2 Mounir Lamouri (:mounir) 2013-02-19 11:15:00 PST
Bug 838675 is going to introduce a lot of changes in <input type='file'> and I just tested locally: those changes will just fix this (we no longer show the file path). We are waiting to fix an a11y issue to land them.
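Comment 2 states the fix in one clause: the file control no longer shows the file path. The block below is an added example, not code from this bug, its testcase, or Firefox. It models the behaviour a page is entitled to see from a file input under the HTML standard (the literal `C:\fakepath\` prefix followed only by the selected file's name) beside the pre-fix failure mode in which the native path reaches script, and it includes a check that flags any script-visible value still carrying directory components. The two native paths are constructed for the example; `leakyValue` is a hypothetical accessor standing in for the leak, not Firefox's actual code.

```javascript
// Added example: not from the bug, its testcase, or Firefox. Paths are constructed.

// Return the last path component, accepting both "/" and "\" separators,
// so one routine covers Linux- and Windows-style native paths.
function basenameOf(nativePath) {
  const parts = nativePath.split(/[\\/]+/).filter((p) => p.length > 0);
  return parts.length ? parts[parts.length - 1] : "";
}

// What HTMLInputElement.value must report for type=file per the HTML spec:
// the literal "C:\fakepath\" prefix followed only by the selected file's name,
// or "" when no file is selected.
function webExposedValue(nativePath) {
  if (!nativePath) return "";
  return "C:\\fakepath\\" + basenameOf(nativePath);
}

// Pre-fix failure mode described by this bug: the native path reaches script
// unchanged. Hypothetical accessor for illustration only.
function leakyValue(nativePath) {
  return nativePath;
}

// Check a value as seen from script: anything other than "" or
// "C:\fakepath\<name>" with no further separators discloses the path.
function leaksFullPath(exposedValue) {
  if (exposedValue === "") return false;
  const prefix = "C:\\fakepath\\";
  if (!exposedValue.startsWith(prefix)) return true;
  const rest = exposedValue.slice(prefix.length);
  return /[\\/]/.test(rest);
}

// Constructed sample inputs, one per platform style.
const SAMPLE_PATHS = [
  "/home/alice/Documents/taxes-2012.pdf",
  "C:\\Users\\alice\\secret\\report.docx",
];

// Compare the fixed and leaky behaviour on each sample path.
function demo() {
  return SAMPLE_PATHS.map((p) => ({
    native: p,
    fixed: webExposedValue(p),
    leaky: leakyValue(p),
    fixedLeaks: leaksFullPath(webExposedValue(p)),
    leakyLeaks: leaksFullPath(leakyValue(p)),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of demo()) console.log(row);
}
```

The check is deliberately strict about the prefix: a value that is neither empty nor `C:\fakepath\<name>` is treated as a disclosure, because the only legitimate way for a page to learn anything about the user's filesystem through this control is the bare file name.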
Comment 3 Daniel Veditz [:dveditz] 2013-02-20 10:10:24 PST
assigning to Mounir to take care of after he lands bug 838675
Comment 4 David Chan [:dchan] 2013-02-20 11:44:57 PST
Changing to sec-bounty- since moz_bug works for us.
Comment 5 Bobby Holley (:bholley) (busy with Stylo) 2013-02-20 13:28:53 PST
I'm digging through the testcase.
Comment 6 Alex Keybl [:akeybl] 2013-03-07 17:06:01 PST
We'll track for a specific ESR release once resolved.
Comment 7 Lukas Blakk [:lsblakk] use ?needinfo 2013-03-18 16:09:58 PDT
Given that this is sec-moderate and has now been around for a couple of releases we'll untrack and look at nominations for uplift if a low risk fix is found and verified.
Comment 8 Johnny Stenback (:jst, jst@mozilla.com) 2013-03-21 16:29:53 PDT
Mounir, how close are we with fixing the dependencies of bug 838675? If something is stuck there I'm happy to help nudge things along...
Comment 9 Mats Palmgren (:mats) 2013-03-24 10:34:00 PDT
I can't reproduce this in Nightly 22.0a1 (2013-03-23) on Linux64 using a fresh profile.  When I click "test" in the attached testcase I get:

native anonymous content:

TypeError: Value does not implement interface Node.
Comment 10 Boris Zbarsky [:bz] (still a bit busy) 2013-03-25 07:10:01 PDT
Probably because of Bobby's fixes?
Comment 11 Bobby Holley (:bholley) (busy with Stylo) 2013-03-25 09:51:10 PDT
Yeah, XBL scopes + bug 844211 should have fixed this on Nightly and Aurora.

We still need to figure out what we're doing for esr17 and b2g18 though.
Comment 12 Mats Palmgren (:mats) 2013-03-25 15:50:14 PDT
Fixed on trunk (22) and Aurora (21) per comment 11.
Comment 13 Alex Keybl [:akeybl] 2013-03-27 09:49:41 PDT
(In reply to Bobby Holley (:bholley) from comment #11)
> Yeah, XBL scopes + bug 844211 should have fixed this on Nightly and Aurora.
> 
> We still need to figure out what we're doing for esr17 and b2g18 though.

It's sec-moderate, so it's not a required fix on support branches. Sounds like the level of effort, and the risk introduced, may be too high to find ESR/B2G-specific fixes. What do you think Bobby?
Comment 14 Bobby Holley (:bholley) (busy with Stylo) 2013-03-27 16:15:02 PDT
(In reply to Alex Keybl [:akeybl] from comment #13)
> (In reply to Bobby Holley (:bholley) from comment #11)
> > Yeah, XBL scopes + bug 844211 should have fixed this on Nightly and Aurora.
> > 
> > We still need to figure out what we're doing for esr17 and b2g18 though.
> 
> It's sec-moderate, so it's not a required fix on support branches. Sounds
> like the level of effort, and the risk introduced, may be too high to find
> ESR/B2G-specific fixes. What do you think Bobby?

Well, XBL scopes fix a number of known sg-crits, but are probably too big to backport. Our best hope is probably to just embargo all these bugs until esr17 / b2g18 EOL.
