Closed
Bug 380994
(CVE-2007-3073)
Opened 17 years ago
Closed 16 years ago
Fix for bug 367428 lets through escaped slashes on Linux (windows too on trunk)
Categories
(Core :: Networking, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.9
People
(Reporter: bzbarsky, Assigned: dveditz)
References
(Blocks 1 open bug)
Details
(5 keywords, Whiteboard: [sg:dos])
Attachments
(3 files, 3 obsolete files)
(deleted),
patch
|
Biesinger
:
review+
samuel.sidler+old
:
approval1.8.1.17+
samuel.sidler+old
:
approval1.9.0.2+
asac
:
approval1.8.0.next+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
Biesinger
:
review+
dveditz
:
approval1.8.1.17+
dveditz
:
approval1.9.0.2+
asac
:
approval1.8.0.next+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
Biesinger
:
review+
asac
:
approval1.8.0.next+
|
Details | Diff | Splinter Review |
STEPS TO REPRODUCE:
1) Open browser on Linux
2) Load resource:///..%2F..%2F..%2F in it
EXPECTED RESULTS: Don't see file list for an ancestor of the install directory
ACTUAL RESULTS: I'm looking at a listing of ~bzbarsky (since the browser is installed under ~bzbarsky/mozilla/nightly/install-dir).
Flags: blocking1.9?
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
Assignee | ||
Updated•17 years ago
|
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Keywords: privacy
Whiteboard: [sg:low]
Updated•17 years ago
|
Blocks: CVE-2007-3072
Reporter | ||
Comment 2•17 years ago
|
||
It was? Where?
Comment 3•17 years ago
|
||
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
Comment 4•17 years ago
|
||
Taking for now, but biesi if you have time for this I'd much appreciate it.
Assignee: nobody → benjamin
Assignee | ||
Comment 6•17 years ago
|
||
On trunk it looks like windows can get fooled by ..%2f.. too.
Flags: blocking1.8.1.5+ → blocking1.8.1.6+
Summary: Fix for bug 367428 lets through escaped slashes on Linux → Fix for bug 367428 lets through escaped slashes on Linux (windows too on trunk)
Whiteboard: [sg:low] → [sg:low dos]
Target Milestone: --- → mozilla1.9beta1
Comment 7•17 years ago
|
||
resource:///..%2F..%2F..%2F..%2F/etc/host.conf
Assignee | ||
Updated•17 years ago
|
Flags: blocking1.8.0.13+ → blocking1.8.0.14+
Updated•17 years ago
|
Flags: in-testsuite?
Assignee | ||
Updated•17 years ago
|
Flags: blocking1.8.1.8+ → blocking1.8.1.9+
Target Milestone: mozilla1.9 M8 → mozilla1.9 M10
Updated•17 years ago
|
Priority: -- → P4
Assignee | ||
Updated•17 years ago
|
Flags: blocking1.8.0.14+
Assignee | ||
Updated•17 years ago
|
Flags: blocking1.8.1.12+ → blocking1.8.1.13+
Comment 8•17 years ago
|
||
macosx on ppc seems partially affected - can traverse up to /Volumes (when started from .dmg)
Updated•17 years ago
|
Whiteboard: [sg:low dos] → [sg:low dos][needs patch]
Target Milestone: mozilla1.9beta2 → mozilla1.9beta4
Comment 9•17 years ago
|
||
Moving bugs that aren't beta 4 blockers to target final release.
Target Milestone: mozilla1.9beta4 → mozilla1.9
Comment 10•17 years ago
|
||
Dan says this should block. It's blocking on branch as well.
Flags: blocking1.9?
Priority: P4 → P2
Updated•17 years ago
|
Flags: tracking1.9+
Flags: blocking1.9?
Flags: blocking1.9+
Assignee | ||
Updated•17 years ago
|
Flags: blocking1.8.1.13+ → blocking1.8.1.14+
Comment 11•17 years ago
|
||
Dveditz you on this?
Comment 12•17 years ago
|
||
Given this is sg:low/dos taking off the blocker list - we'd certainly take a patch..
Flags: blocking1.9+ → blocking1.9-
Updated•17 years ago
|
Flags: wanted1.9.0.x?
Reporter | ||
Comment 13•17 years ago
|
||
This isn't quite limited to a dos. It has potential for data leakage, since any website can link to resource: scripts and stylesheets and then try to glean data from the result. For example, if you happen to have any interesting data stored in JSON on your hard drive, you lose.
I agree that it's not stop-ship, but I think it should be a very high priority for fixing as soon as we possibly can....
Updated•17 years ago
|
Flags: blocking1.9- → blocking1.9?
Comment 14•17 years ago
|
||
Not blocking, but wanted1.9.0.x+, based on comment #13.
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9?
Flags: blocking1.9-
Assignee | ||
Updated•16 years ago
|
Flags: blocking1.8.1.15+ → blocking1.8.1.16+
Updated•16 years ago
|
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Assignee | ||
Comment 15•16 years ago
|
||
The line numbers in the patch are for the 1.8 branch, but it applies cleanly to cvs trunk and mozilla-central
Attachment #335516 -
Flags: superreview?(benjamin)
Attachment #335516 -
Flags: review?(benjamin)
Comment 16•16 years ago
|
||
Comment on attachment 335516 [details] [diff] [review]
coalesce escaped slashes too
Well, this will work but will almost certainly cause multiple allocations for URIs over 40 chars... can you at least SetCapacity on spec before entering the loop?
Also, this needs a unit-test... you should be able to add a trivial one to http://mxr.mozilla.org/mozilla-central/source/netwerk/test/unit/test_bug337744.js or write a new test copying that code.
Attachment #335516 -
Flags: superreview?(benjamin)
Attachment #335516 -
Flags: review?(benjamin)
Attachment #335516 -
Flags: review-
Assignee | ||
Comment 17•16 years ago
|
||
Attachment #335516 -
Attachment is obsolete: true
Attachment #335650 -
Flags: superreview?(benjamin)
Attachment #335650 -
Flags: review?(benjamin)
Assignee | ||
Comment 18•16 years ago
|
||
Worked a fix for related bug 394075 into this patch.
Blocks: 394075
Comment 19•16 years ago
|
||
Comment on attachment 335650 [details] [diff] [review]
updated, with testcase
+ if (*src == '%' && *(src+1) == '2') {
*(src+1) mighht not be valid. You need to check that src+1 != end.
Similar on the next line
(an nsACString isn't necessarily nullterminated)
I also don't think that appending character-by-character is particularly efficient code... but that probably doesn't matter much. (other code keeps track of how many characters were left unchanged and append them in once call. cf. http://mxr.mozilla.org/mozilla-central/source/xpcom/io/nsEscape.cpp#516)
I'd suggest spaces around your + operators but this file doesn't really seem to do that
r+sr=biesi if you fix the src+1 thing
Comment 20•16 years ago
|
||
> *(src+1) mighht not be valid.
so may be:
char ch = *(src+2);
Assignee | ||
Comment 21•16 years ago
|
||
Attachment #335650 -
Attachment is obsolete: true
Attachment #335650 -
Flags: superreview?(benjamin)
Attachment #335650 -
Flags: review?(benjamin)
Updated•16 years ago
|
Whiteboard: [sg:low dos][needs patch] → [sg:low dos]
Comment 22•16 years ago
|
||
Comment on attachment 335671 [details] [diff] [review]
Address biesi's comments
Approved for 1.8.1.17. a=ss
Attachment #335671 -
Flags: approval1.8.1.17+
Comment 23•16 years ago
|
||
Comment on attachment 335671 [details] [diff] [review]
Address biesi's comments
And approved for 1.9.0.2 as well. a=ss
Attachment #335671 -
Flags: approval1.9.0.2+
Assignee | ||
Comment 24•16 years ago
|
||
Fix checked in to 1.8.1 and 1.9.0 branches. Will seek retroactive r= from biesi to make sure this is what he wanted
Keywords: fixed1.8.1.17,
fixed1.9.0.2
Assignee | ||
Updated•16 years ago
|
Attachment #335671 -
Flags: review?(cbiesinger)
Comment 25•16 years ago
|
||
+ if (*(src+2) == 'f' || *(src+***1***) == 'F')
+ ch = '/';
+ else if (*(src+2) == 'e' || *(src+2) == 'E')
is the only |+1| on purpose ?
Comment 26•16 years ago
|
||
Comment on attachment 335671 [details] [diff] [review]
Address biesi's comments
+ if (*(src+2) == 'f' || *(src+1) == 'F')
I agree with georgi, that should be +2
maybe the test should verify the final URL's spec, instead of just verifying that it doesn't contain ..?
Attachment #335671 -
Flags: review?(cbiesinger) → review+
Assignee | ||
Comment 27•16 years ago
|
||
Attachment #335741 -
Flags: review?(cbiesinger)
Attachment #335741 -
Flags: approval1.9.0.2+
Attachment #335741 -
Flags: approval1.8.1.17+
Updated•16 years ago
|
Attachment #335741 -
Flags: review?(cbiesinger) → review+
Comment 28•16 years ago
|
||
This needs to land both on the branch and on the GECKO190_20080827_RELBRANCH
Comment 29•16 years ago
|
||
Er, make that both branches (1.8.1 and 1.9) and GECKO190_20080827_RELBRANCH
Assignee | ||
Comment 30•16 years ago
|
||
incremental fix checked into 1.8, 1.9 and _RELBRANCH. Filed bug 452470 for improving the testcase.
Assignee | ||
Updated•16 years ago
|
Keywords: fixed1.9.0.3
Comment 31•16 years ago
|
||
Verified on latest build candidates for 20017 and 3.0.2. When I load resource:///..%2F..%2F..%2F I see the contents of these directories:
On 20016
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/../../../
Index of file:///home/mozilla/Desktop/firefox/../../../
WinXP/Vista (nothing happens)
On 20017
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/
Index of file:///home/mozilla/Desktop/firefox/
Index of file:///C:/Program Files/Mozilla Firefox/
On 3.0.1
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/../../../
Index of file:///home/mozilla/Desktop/firefox/../../../
WinXP/Vista (nothing happens)
On 3.0.2
Index of file:///Users/user/Desktop/Firefox.app/Contents/MacOS/
Index of file:///home/mozilla/Desktop/firefox/
Index of file:///C:/Program Files/Mozilla Firefox/
Comment 32•16 years ago
|
||
Comment on attachment 335671 [details] [diff] [review]
Address biesi's comments
a=asac for 1.8.0.15 (with attachment 335741 [details] [diff] [review])
Attachment #335671 -
Flags: approval1.8.0.15+
Updated•16 years ago
|
Attachment #335741 -
Flags: approval1.8.0.15+
Comment 33•16 years ago
|
||
Comment on attachment 335741 [details] [diff] [review]
incremental patch on top of what's checked in
a=asac for 1.8.0.15 (with attachment 335741 [details] [diff] [review] and iterator backport patch)
Comment 34•16 years ago
|
||
biesi, you think this 1.8.0 fix is too ugly for the sake of keeping the other patches the unmodified?
Attachment #336249 -
Flags: review?(cbiesinger)
Updated•16 years ago
|
Flags: blocking1.8.0.15+
Comment 35•16 years ago
|
||
err, here the one that was meant to be attached :)
Attachment #336249 -
Attachment is obsolete: true
Attachment #336251 -
Flags: review?(cbiesinger)
Attachment #336249 -
Flags: review?(cbiesinger)
Updated•16 years ago
|
Attachment #336251 -
Flags: review?(cbiesinger) → review+
Comment 36•16 years ago
|
||
Comment on attachment 336251 [details] [diff] [review]
iterator hack (on top) for 1.8.0
this is for 180 only? fine with me :)
Updated•16 years ago
|
Attachment #336251 -
Flags: approval1.8.0.15+
Comment 37•16 years ago
|
||
Comment on attachment 336251 [details] [diff] [review]
iterator hack (on top) for 1.8.0
a=asac for 1.8.0.15
thanks biesi!
Comment 38•16 years ago
|
||
can't we resolve this as fixed, now?
Assignee | ||
Comment 39•16 years ago
|
||
I need someone to check this into mozilla-central to call it "fixed"
Keywords: checkin-needed
Comment 40•16 years ago
|
||
Updated•16 years ago
|
Flags: in-testsuite? → in-testsuite+
Comment 42•16 years ago
|
||
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102304 GranParadiso/3.0.4pre.
Keywords: fixed1.9.0.4 → verified1.9.0.4
Comment 43•16 years ago
|
||
This landed before 1.9.1 branched
Flags: wanted1.9.1?
Flags: blocking1.9.1?
Flags: blocking1.9.1+
Priority: P2 → P1
Comment 44•16 years ago
|
||
(In reply to comment #43)
> This landed before 1.9.1 branched
Adding fixed1.9.1
Keywords: fixed1.9.1
Assignee | ||
Updated•16 years ago
|
Alias: CVE-2007-3073
Assignee | ||
Updated•16 years ago
|
Whiteboard: [sg:low dos] → [sg:dos]
You need to log in
before you can comment on or make changes to this bug.
Description
•