Closed
Bug 94551
Opened 24 years ago
Closed 23 years ago
Need to escape content in about:cache-entry
Categories
(Core :: Security, defect, P2)
Core
Security
Tracking
()
VERIFIED
FIXED
mozilla0.9.7
People
(Reporter: security-bugs, Assigned: security-bugs)
Details
Attachments
(1 file, 1 obsolete file)
|
949 bytes,
patch
|
bbaetz
:
review+
gagan
:
superreview+
|
Details | Diff | Splinter Review |
There is potential problem with about:cache-entry - though not serious it may allow
tracking whether the user has visited a particular URL.
The problem is that about:cache-entry does not escape "response-head:"
and the web server may embed javascript in it which may check for cache-entry: urls.
The good news is about:cache-entry seems to not be executed in chrome.
It is possible to open about:cache-entry?* by playing with "about:blank" documents.
I have tested this with netcat (nc) which emulates malicous web server.
Think that fixing this is easy - just escape everything in about:cache-entry
|
Assignee | |
Comment 1•24 years ago
|
||
(The above is from Georgi.)
We should look at other about: content for similar problems. By itself there's
not much you can do with this, but combined with 91714 this becomes a moderately
serious vulnerability.
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla0.9.4
|
|
Assignee | |
Comment 2•23 years ago
|
||
With 91714 fixed this is not currently exploitable, so moving it to 0.9.5. We
should have a nonspoofable way of escaping content to keep it from being
interpreted as HTML; this could be used in a number of places.
Priority: P1 → P2
Target Milestone: mozilla0.9.4 → mozilla0.9.5
|
||
Comment 3•23 years ago
|
||
See bug 90386 for another place where a non-spoofable htmlEscape might be
useful. (Wouldn't it make more sense to use DOM2 createTextNode instead,
though, so the results aren't parsed at all?)
|
|
Assignee | |
Comment 4•23 years ago
|
||
time marches on. Retargeting to 0.9.6.
Group: netscapeconfidential?
Target Milestone: mozilla0.9.5 → mozilla0.9.6
|
|
Assignee | |
Comment 5•23 years ago
|
||
Moving the most time-critical bugs and minor security fixes to 0.9.7
Target Milestone: mozilla0.9.6 → mozilla0.9.7
|
||
Comment 6•23 years ago
|
||
A fix for this could be using text/plain instead of text/html to display
about:cache-entry. However that would remove such formatting as link, bold
fields and <hr>.
Another alternative is creating an text/plain <object> inside of this page and
putting the response header in there. Is that possible?
And yet another (and probably most preferable) way would be inserting a Text
node into DOM after the page is created. However this would have to be done not
through JavaScript, but from C++. Is that possible?
|
|
Assignee | |
Comment 7•23 years ago
|
||
Setting security-sensitive flag again; it was cleared because of bug 107718.
Group: security?
|
|
Assignee | |
Comment 8•23 years ago
|
||
|
|
Assignee | |
Comment 9•23 years ago
|
||
Still need to test this fix, and for that I need to configure a web server to
serve some bogus headers.
Also, what alternate representations of <, >, and & do I need to worry about?
What about characters with the high bit set? Or Unicode characters?
CCing darin, who appears to have written the about:cache code.
|
||
Comment 10•23 years ago
|
||
Your patch leaks the return val, doesn't it?
Those three are all you have to worry about, I think. It may be possible for
unicode chars to cause teh charset to be incorrectly detected, I guess. I don't
think there are any security ramifications, though.
However, you should probably use nsEscapeHTML, defined in nsEscape.h. That also
escapes " - not sure why.
|
|
Assignee | |
Comment 11•23 years ago
|
||
Whoops - it sure does. I'll try nsEscape.
|
|
Assignee | |
Comment 12•23 years ago
|
||
Attachment #58181 -
Attachment is obsolete: true
|
|
||
Comment 13•23 years ago
|
||
Oh, and adding the cclist to the can-see-this-bug group, since you wanted
darin's comment, but he can't see this as is...
assignee_accessible: 0 → 1
CC list accessible: true
qacontact_accessible: 0 → 1
Accessible to reporter
|
|
||
Comment 14•23 years ago
|
||
Comment on attachment 58612 [details] [diff] [review]
Patch take 2 - use existing escape function
r=bbaetz
Attachment #58612 -
Flags: review+
|
|
Assignee | |
Updated•23 years ago
|
Group: security?
|
||
Comment 15•23 years ago
|
||
Comment on attachment 58612 [details] [diff] [review]
Patch take 2 - use existing escape function
r=gagan as well...
|
|
||
Comment 16•23 years ago
|
||
Comment on attachment 58612 [details] [diff] [review]
Patch take 2 - use existing escape function
sr=darin
Attachment #58612 -
Flags: superreview+
|
||
Comment 17•23 years ago
|
||
this looks fine to me... just too bad that escaping html requires a strdup even
when escaping isn't really required :(
|
|
||
Comment 18•23 years ago
|
||
darin: I think theres a bug somewhere on moving these functions to Real String
APIs. I don't know if that could help, though, although I guess with COW you
could do some short circuiting.
|
|
Assignee | |
Comment 19•23 years ago
|
||
checked in.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 20•23 years ago
|
||
To verify this, visit http://grey:4321/bad, and then visit about:cache, click
Disk Cache, and click the link for http://grey:4321/bad. The resulting page
should not generate an alert.
|
||
Comment 21•23 years ago
|
||
Verified on
build: 2001-12-11-o3-Trunk
platform: Win NT
Performed the above steps and did not see the alert dialog.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•