Closed Bug 95735 Opened 23 years ago Closed 21 years ago

Node.attributes.getNamedItem bypasses capability policy check (NamedNodeMap)

Categories

(Core :: Security: CAPS, defect)

Product:
Core
Component:
Security: CAPS
Platform:
x86
Windows 98
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: security-bugs)

References

Details

Attachments

(2 files)

testcase
1.53 KB, text/html
Details
Patch - protect a couple more properties of mail documents
959 bytes, patch
security-bugs
: review+
hjtoi-bugzilla
: superreview+
Details | Diff | Splinter Review 
Node.attributes.getNamedItem("attrname") returns an attribute node.  I can read 
and modify the attribute node's value even if I couldn't access Node.attrname 
directly.

Impact: blocks bug 84545, "Review message pane DOM for exploits", by allowing 
scripts to get around noAccess on baseURI, innerHTML, etc.
Attached file testcase 

    
  
Blocks: 84545
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.6

    
    

    
  
Moving from NS-Confidential to the security group.
assignee_accessible: 0 → 1
Group: netscapeconfidential? → security?
CC list accessible: true
qacontact_accessible: 0 → 1
Accessible to reporter

    
    

    
  
Moving the most time-critical bugs and minor security fixes to 0.9.7
Group: security?
Target Milestone: mozilla0.9.6 → mozilla0.9.7

    
    

    
  
Mass change: It appears that several bugs got accidentally opened up as part of
a mass change - see bug 107718 (now fixed). Moving back to security-sensitive
group. These were open for about 10 days.
Group: security?
Target Milestone: mozilla0.9.7 → mozilla0.9.9

    
    

    
  
Mozilla1.0

Target Milestone: mozilla0.9.9 → mozilla1.0

    
    

    
  
Mozilla1.1
Target Milestone: mozilla1.0 → mozilla1.1

    
    

    
  
Dan, gifting to you, not sure how bad this is (can an evil hidden frame script
get a credit card # or SSN if it knows the form layout?), but if we need to hold
1.0 for it, let drivers know ASAP.

/be
Assignee: mstoltz → dveditz
Status: ASSIGNED → NEW

    
    

    
  
> (can an evil hidden frame script
> get a credit card # or SSN if it knows the form layout?)

No. The same-origin policy will still apply. This bug could allow bypassing some
of the DOM restrictions in MailNews which were put in because of the "wiretap"
bug, but this cannot be used to steal data from 3rd-party web pages, so I don't
consider it a 1.0 stopper.

    
    

    
  
I think this should be a 1.2beta blocker. Holes like this have a tendency to
suddenly become important in unexpected ways. We should fix it now before we
have to do a firedrill.
Target Milestone: mozilla1.1alpha → mozilla1.2beta

    
    

    
  
No work on this bug yet?

    
    

    
  
I'll take this back for 1.3.
Assignee: dveditz → mstoltz
Target Milestone: mozilla1.2beta → mozilla1.3beta

    
    

    
  
Why is this pushed out to 1.3?  This is on the 1.2 list.  We're likely to hold
for this since it's a security bug.

    
    

    
  
This bug is minor; I don't recommend holding 1.2 for it. I put it to 1.3 because
that's when I'll have time to work on it.

    
  
No longer blocks: 1.2

    
    

    
  
Clearing milestone for now.
Target Milestone: mozilla1.3beta → ---

    
    

    
  
OK, turns out we fixed this for mailnews by blocking the "attribute" property of
all objects, so scripts can't use NamedNodeMap functions to read attributes of
mailed documents. We also need to protect GetAttributeNS and GetNamedItemNS.

The more general problem only comes into play when configurable security
policies are used. The problem is that there's more than one path to getting at
the attributes of an element. In Jesse's testcase, blocking access to
HTMLAnchorElement.href is insufficient, because the HREF attribute can still be
accessed using attributes.getNamedItem('href').

We could fix this in code by adding additional security checks to tie the
multiple pathcs to an attribute together under a single security pref. However,
jst suggests that we don't do this. The functions of the attributes object are
used extensively by chrome; adding security checks to them would have a
detrimental effect on performance. Degrading performance for everyone to protect
a few people using configurable security policies in a particular way is not a
good trade-off when a simple alternative is available: in order to protect
HTMLImageElement.src, for example you need to protect .src, .getAttribute,
.getAttributeNS, and .attributes by setting "noAccess" prefs for each one of
those. I will add a note about that to the Configurable Policies instruction page.
Status: NEW → ASSIGNED
QA Contact: ckritzer → carosendahl
Whiteboard: [sg:blocker]

    
    

    
  
Comment on attachment 115815 [details] [diff] [review]
Patch - protect a couple more properties of mail documents

r=mstoltz (patch is by jst)

        Attachment #115815 -
        Flags: review+

        Attachment #115815 -
        Flags: superreview?(heikki)

        Attachment #115815 -
        Flags: superreview?(heikki) → superreview+

    
    

    
  
Fix checked in.

    
    

    
  
.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED

    
  
Group: security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: