Audit and validate (when possible) strings across the sandboxed libexpat boundary
Categories
(Core :: Security: RLBox, enhancement, P5)
People
(Reporter: deian, Unassigned)
Our sandboxed libexpat doesn't validate strings transferred across the sandbox boundary. This gives us memory safety, but it's possible for an attacker-crafted string to be used in a security-critical decision. This is a follow-up on:
https://phabricator.services.mozilla.com/D104658#inline-587734
It's not clear that we'll know exactly what to check at this layer, but we should look at where the expat driver is used and see whether we can bubble any of the invariants down. Some invariants may be easy enough to get right (e.g., encoding).
Comment 1•4 years ago (Reporter)
The same goes for the expat use in the Html5StreamParser: https://phabricator.services.mozilla.com/D102851#inline-587634
Updated•4 years ago
Updated•4 years ago
Comment 2•3 years ago (Reporter)
Now that we have moved to a model where we are not copying strings, we should (e.g., via static analysis):
- Make sure the pointers are never used for writing.
- Make sure there is no re-entry into the sandbox.
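As an added example (not Firefox code, not RLBox's API, and not using the RLBox headers), the following C++ sketches the kind of boundary check the description and comment 2 ask for: a bounds-checked, read-only view of a NUL-terminated string that the sandboxed parser hands back, rejected unless the pointer lies inside the sandbox region, a terminator is found within a caller-supplied limit, and the bytes are well-formed UTF-8 (assuming that "encoding" invariant means expat's UTF-8 output). The SandboxRegion arena model, the constructed kArena bytes, and the verify_sandbox_cstring / is_valid_utf8 / demo_* names are assumptions made for this example; the no-re-entry invariant is not modelled in code.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>
#include <string_view>

// Assumed model of the sandbox heap: one contiguous region. Pointers the
// sandboxed parser returns are untrusted and must land inside it. (This is an
// assumption for the example, not RLBox's actual memory model.)
struct SandboxRegion {
    const uint8_t* base;
    size_t size;

    // True if [p, p+len) lies entirely inside the region (overflow-safe).
    bool contains(const void* p, size_t len) const {
        uintptr_t a = reinterpret_cast<uintptr_t>(p);
        uintptr_t b = reinterpret_cast<uintptr_t>(base);
        return a >= b && len <= size && a - b <= size - len;
    }
};

// Strict UTF-8 validation: rejects truncated sequences, stray continuation
// bytes, overlong encodings, UTF-16 surrogates and code points above U+10FFFF.
bool is_valid_utf8(std::string_view s) {
    size_t i = 0;
    while (i < s.size()) {
        unsigned char c = static_cast<unsigned char>(s[i]);
        size_t extra;   // continuation bytes expected after the lead byte
        uint32_t cp;    // code point being decoded
        if (c < 0x80) { i++; continue; }
        if ((c & 0xE0) == 0xC0) { if (c < 0xC2) return false; extra = 1; cp = c & 0x1F; }
        else if ((c & 0xF0) == 0xE0) { extra = 2; cp = c & 0x0F; }
        else if ((c & 0xF8) == 0xF0) { if (c > 0xF4) return false; extra = 3; cp = c & 0x07; }
        else return false;  // stray continuation byte (0x80..0xBF) or 0xF8..0xFF
        if (i + extra >= s.size()) return false;  // sequence runs past the end
        for (size_t k = 1; k <= extra; k++) {
            unsigned char cc = static_cast<unsigned char>(s[i + k]);
            if ((cc & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (cc & 0x3F);
        }
        if (extra == 2 && (cp < 0x800 || (cp >= 0xD800 && cp <= 0xDFFF))) return false;
        if (extra == 3 && (cp < 0x10000 || cp > 0x10FFFF)) return false;
        i += extra + 1;
    }
    return true;
}

// Boundary check for a NUL-terminated string the sandbox hands back. Returns a
// read-only view (no copy; a write through it does not compile) only if the
// pointer is inside the region, a terminator is found within max_bytes and
// before the region ends, and the bytes are well-formed UTF-8. Else nullopt.
std::optional<std::string_view>
verify_sandbox_cstring(const SandboxRegion& r, const char* p, size_t max_bytes) {
    if (p == nullptr || !r.contains(p, 0)) return std::nullopt;
    size_t avail = r.size - static_cast<size_t>(reinterpret_cast<const uint8_t*>(p) - r.base);
    size_t limit = avail < max_bytes ? avail : max_bytes;
    const void* nul = std::memchr(p, 0, limit);
    if (nul == nullptr) return std::nullopt;
    std::string_view sv(p, static_cast<size_t>(static_cast<const char*>(nul) - p));
    if (!is_valid_utf8(sv)) return std::nullopt;
    return sv;
}

// Constructed stand-in for sandbox memory (not real parser output):
// "name\0" | overlong '/' (C0 AF) + NUL | "xyz" with no terminator.
static const uint8_t kArena[] = {
    'n', 'a', 'm', 'e', 0,
    0xC0, 0xAF, 0,
    'x', 'y', 'z'
};
static const SandboxRegion kRegion{kArena, sizeof(kArena)};

static const char* at(size_t off) { return reinterpret_cast<const char*>(kArena + off); }

bool demo_accepts_valid_string() { auto v = verify_sandbox_cstring(kRegion, at(0), 64); return v && *v == "name"; }
bool demo_rejects_bad_encoding() { return !verify_sandbox_cstring(kRegion, at(5), 64); }
bool demo_rejects_unterminated() { return !verify_sandbox_cstring(kRegion, at(8), 64); }
bool demo_rejects_over_length()  { return !verify_sandbox_cstring(kRegion, at(0), 4); }  // "name" + NUL needs 5
bool demo_rejects_host_pointer() { char host[] = "host"; return !verify_sandbox_cstring(kRegion, host, 64); }

int main() {
    std::printf("valid=%d badenc=%d unterminated=%d overlen=%d host=%d\n",
                demo_accepts_valid_string(), demo_rejects_bad_encoding(), demo_rejects_unterminated(),
                demo_rejects_over_length(), demo_rejects_host_pointer());
    return 0;
}
```

Because the view is not a copy, it is only as trustworthy as the memory behind it: the sandbox must not run again (the no-re-entry invariant from comment 2) while the caller holds the view, or the bytes that were just verified can change underneath it.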
Comment 3•2 years ago
The bug assignee is inactive on Bugzilla, so the assignee is being reset.