FTPChannelParent::RecvDivertOnDataAvailable - Chrome Process Info Leak
Categories
(Core :: Networking: FTP, defect, P3)
Tracking
()
People
(Reporter: stephen, Assigned: Alex_Gaynor)
References
Details
(Keywords: sec-moderate, Whiteboard: [necko-triaged][adv-main66+])
Attachments
(1 file)
(deleted),
text/x-phabricator-request
|
lizzard
:
approval-mozilla-beta+
|
Details |
Updated•7 years ago
|
Updated•7 years ago
|
Comment 1•7 years ago
|
||
Assignee | ||
Comment 2•7 years ago
|
||
Assignee | ||
Comment 3•6 years ago
|
||
Assignee | ||
Comment 4•6 years ago
|
||
Paul, I think this patch also fixes bug 1505678. On that bug you suggest there are other unsafe callsites, can you verify this patch fixes all of them?
Assignee | ||
Updated•6 years ago
|
The query I ran was something like "find all the places we recieve a nsCString arg in the parent which has a name which contains the substring "data". That yeilds this list:
RecvSetCustomCursor aCursorData TabParent.cpp#1748 - original bug, fixed.
RecvOnDataAvailable data PSMContentListener.cpp#232 - just calls data.append() so i think its ok?
RecvDivertOnDataAvailable data FTPChannelParent.cpp#272 - this bug
RecvWriteData data AltDataOutputStreamParent.cpp#30 - mOutputStream->Write(... data.Length() so I think this is safe?
RecvDivertOnDataAvailable data HttpChannelParent.cpp#1118 - fixed by your patch
RecvOnDataAvailable data ExternalHelperAppParent.cpp#15 - fixed by your patch
So I think you got all the cases. I'm leaving the need-info for me to remind me to look at this issue more broadly (ie without the filter on "data" but you got all the specific cases I had).
PS Live query is here if you want to view/edit it yourself: https://mozilla.demo.semmle.com/query/437877786200575246/
Updated•6 years ago
|
Updated•6 years ago
|
Assignee | ||
Updated•6 years ago
|
Comment 7•6 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/7bffd747d54a
I'm not sure if we want this on ESR60 or not (I'm inclined towards no unless there's a strong reason for doing so), but this at least grafts cleanly to Beta if we want it there.
Comment 8•6 years ago
|
||
Is this something you would like to uplift? We are kind of late in beta but if you would like, we can give it a try.
Assignee | ||
Comment 10•6 years ago
|
||
Comment on attachment 9045680 [details]
Bug 1415508 - use Span in constructing a byte input stream; r?mayhemer
Beta/Release Uplift Approval Request
- Feature/Bug causing the regression: None
- User impact if declined: Family of security bugs
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Code is well covered, fix was a mostly straightforward refactor.
- String changes made/needed:
Comment on attachment 9045680 [details]
Bug 1415508 - use Span in constructing a byte input stream; r?mayhemer
Fix for several sec issues, may be a little risky but seems worth it.
OK to uplift for beta 13.
Comment 12•6 years ago
|
||
Comment 13•6 years ago
|
||
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #10)
- Is this code covered by automated tests?: Yes
- Needs manual test from QE?: No
Setting qe-verify- per comment 10.
Updated•6 years ago
|
Updated•6 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
Description
•