Bug 942307 (Closed)
Opened 12 years ago, closed 11 years ago
modal_dialog.js HTML/JS injection via innerHTML
Categories: Firefox OS Graveyard :: Gaia::Browser, defect
Tracking: not tracked
Status: RESOLVED FIXED
Target milestone: 1.4 S5 (11apr)
People: Reporter: rfletcher, Assigned: daleharvey
Details: Keywords: sec-high, Whiteboard: [systemsfe]
Attachments: 1 file
apps/browser/js/modal_dialog.js is vulnerable to potential HTML/JS injection.
The following line takes the output of prompt.message and uses it with innerHTML
without any sanitization [1]:
129 elements.customPromptMessage.innerHTML = prompt.message;
The file sanitizes this exact field in other case statements [2], indicating
this should be escaped as well.
[1] http://mxr.mozilla.org/gaia/source/apps/browser/js/modal_dialog.js#129
[2] http://mxr.mozilla.org/gaia/source/apps/browser/js/modal_dialog.js#108
Comment 1•12 years ago
This seems bad. Who generates these prompts? The JS executes in a privileged context, yes?
Rating sec-high at the moment.
Keywords: sec-high
Comment 2•12 years ago (Reporter)
This is a certified app, so the JS executes as part of a certified application.
Still determining if we can control 'prompt.message' but thought I'd update with some notes so far:
The handleBrowserEvent inside browser/js/browser.js, if the evt.type is
'mozbrowsershowmodalprompt', calls ModalDialog.handleEvent(evt, tab.id).
inside modal_dialog.js, handleEvent then calls this.show(origin) where origin ==
tab.id
So we are essentially calling md_show(tab.id). md_show() grabs the event from
this.currentEvents[tab.id][0] and assigns it to 'evt'.
If evt.detail.promptType is 'custom-prompt', then evt.detail.message is assigned
to innerHTML.
Updated•12 years ago
Group: b2g-core-security
Comment 4•11 years ago
The content for the prompt can come from any web page, since it's basically what you set in alert("hello world!");
Comment 5•11 years ago (Assignee)
I can take a look; it's not the same data as in alert(), that's escaped and formatted separately.
Assignee: nobody → dale
Flags: needinfo?(dale)
Updated•11 years ago
Whiteboard: [systemsfe]
Comment 6•11 years ago (Assignee)
I have been trying to find an exploit for this bug and haven't been able to. It's possible that a future browser dev could unknowingly use this API on unsafe user code, but for now most of the content comes from http://mxr.mozilla.org/mozilla-central/source/b2g/locales/en-US/chrome/overrides/appstrings.properties
The appstrings do use newlines, and to be on the safe side we should still escape and format that prompt. However, PR on the way.
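The pattern the report and comment 6 describe, as an added example that is not Gaia's code: the unescaped innerHTML assignment from the description beside an escape-then-newline treatment of the same field, which is what "escape and format" amounts to when the localized strings contain line breaks. The DOM element is replaced by a constructed stand-in object so the block runs in Node without a browser, and escapeHTML, formatPromptMessage, renderUnsafe and renderSafe are names chosen here, not functions from modal_dialog.js.

```javascript
// Added example, not Gaia's code. Shows page-controlled prompt text being
// written via innerHTML unescaped, beside an escape-then-<br> treatment.

// Map the five HTML-significant characters to entities so that nothing in the
// message can open a tag or break out of an attribute.
function escapeHTML(str) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(str).replace(/[&<>"']/g, (c) => entities[c]);
}

// Escape first, then turn newlines into <br>. Order matters: converting
// newlines before escaping would let the escape step mangle the <br> tags.
function formatPromptMessage(message) {
  return escapeHTML(message).replace(/\r?\n/g, '<br>');
}

// Constructed stand-in for the DOM element; a real element would parse the
// assigned markup, which is exactly the problem in the vulnerable path.
function makeElement() {
  return { innerHTML: '' };
}

// Vulnerable pattern from the report: the message becomes markup.
function renderUnsafe(el, prompt) {
  el.innerHTML = prompt.message;
  return el.innerHTML;
}

// Hardened pattern: same field, escaped and newline-formatted.
function renderSafe(el, prompt) {
  el.innerHTML = formatPromptMessage(prompt.message);
  return el.innerHTML;
}

// Constructed sample of what a hostile page could put into a custom prompt:
// a legitimate-looking first line, then a tag with an event handler.
const hostilePrompt = {
  message: 'Login failed\n<img src=x onerror="alert(1)">',
};

// True if the rendered markup still contains a tag other than the <br> we add.
function hasForeignTag(html) {
  return /<(?!br>)/.test(html);
}
```

Usage: renderUnsafe(makeElement(), hostilePrompt) hands the img tag through verbatim, while renderSafe(makeElement(), hostilePrompt) yields only text entities plus a single <br>, so the newline in the appstrings still renders as a line break.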
Comment 7•11 years ago (Assignee)
Attachment #8396680 - Flags: review?(fabrice)
Comment 8•11 years ago
Comment on attachment 8396680 [details] [review]
Escape and newline custom browser prompts
Oh the irony to review on github security bugs... don't do that please.
Attachment #8396680 - Flags: review?(fabrice) → review+
Comment 9•11 years ago (Assignee)
Apologies, I figured since I couldn't find an exploit that it was OK; won't do in future.
Green @ https://travis-ci.org/daleharvey/gaia/builds/21629056
Landed @ https://github.com/mozilla-b2g/gaia/commit/f8627656b0164cf7cfd435bcf08a11300cae29fb
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
Group: b2g-core-security
Updated•11 years ago
Target Milestone: --- → 1.4 S5 (11apr)
Updated•10 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release