Closed
Bug 94551
Opened 23 years ago
Closed 23 years ago
Need to escape content in about:cache-entry
Categories
(Core :: Security, defect, P2)
Core
Security
Tracking
()
VERIFIED
FIXED
mozilla0.9.7
People
(Reporter: security-bugs, Assigned: security-bugs)
Details
Attachments
(1 file, 1 obsolete file)
(deleted),
patch
|
bbaetz
:
review+
gagan
:
superreview+
|
Details | Diff | Splinter Review |
There is potential problem with about:cache-entry - though not serious it may allow tracking whether the user has visited a particular URL. The problem is that about:cache-entry does not escape "response-head:" and the web server may embed javascript in it which may check for cache-entry: urls. The good news is about:cache-entry seems to not be executed in chrome. It is possible to open about:cache-entry?* by playing with "about:blank" documents. I have tested this with netcat (nc) which emulates malicous web server. Think that fixing this is easy - just escape everything in about:cache-entry
Assignee | ||
Comment 1•23 years ago
|
||
(The above is from Georgi.) We should look at other about: content for similar problems. By itself there's not much you can do with this, but combined with 91714 this becomes a moderately serious vulnerability.
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla0.9.4
Assignee | ||
Comment 2•23 years ago
|
||
With 91714 fixed this is not currently exploitable, so moving it to 0.9.5. We should have a nonspoofable way of escaping content to keep it from being interpreted as HTML; this could be used in a number of places.
Priority: P1 → P2
Target Milestone: mozilla0.9.4 → mozilla0.9.5
Comment 3•23 years ago
|
||
See bug 90386 for another place where a non-spoofable htmlEscape might be useful. (Wouldn't it make more sense to use DOM2 createTextNode instead, though, so the results aren't parsed at all?)
Assignee | ||
Comment 4•23 years ago
|
||
time marches on. Retargeting to 0.9.6.
Group: netscapeconfidential?
Target Milestone: mozilla0.9.5 → mozilla0.9.6
Assignee | ||
Comment 5•23 years ago
|
||
Moving the most time-critical bugs and minor security fixes to 0.9.7
Target Milestone: mozilla0.9.6 → mozilla0.9.7
Comment 6•23 years ago
|
||
A fix for this could be using text/plain instead of text/html to display about:cache-entry. However that would remove such formatting as link, bold fields and <hr>. Another alternative is creating an text/plain <object> inside of this page and putting the response header in there. Is that possible? And yet another (and probably most preferable) way would be inserting a Text node into DOM after the page is created. However this would have to be done not through JavaScript, but from C++. Is that possible?
Assignee | ||
Comment 7•23 years ago
|
||
Setting security-sensitive flag again; it was cleared because of bug 107718.
Group: security?
Assignee | ||
Comment 8•23 years ago
|
||
Assignee | ||
Comment 9•23 years ago
|
||
Still need to test this fix, and for that I need to configure a web server to serve some bogus headers. Also, what alternate representations of <, >, and & do I need to worry about? What about characters with the high bit set? Or Unicode characters? CCing darin, who appears to have written the about:cache code.
Comment 10•23 years ago
|
||
Your patch leaks the return val, doesn't it? Those three are all you have to worry about, I think. It may be possible for unicode chars to cause teh charset to be incorrectly detected, I guess. I don't think there are any security ramifications, though. However, you should probably use nsEscapeHTML, defined in nsEscape.h. That also escapes " - not sure why.
Assignee | ||
Comment 11•23 years ago
|
||
Whoops - it sure does. I'll try nsEscape.
Assignee | ||
Comment 12•23 years ago
|
||
Attachment #58181 -
Attachment is obsolete: true
Comment 13•23 years ago
|
||
Oh, and adding the cclist to the can-see-this-bug group, since you wanted darin's comment, but he can't see this as is...
assignee_accessible: 0 → 1
CC list accessible: true
qacontact_accessible: 0 → 1
Accessible to reporter
Comment 14•23 years ago
|
||
Comment on attachment 58612 [details] [diff] [review] Patch take 2 - use existing escape function r=bbaetz
Attachment #58612 -
Flags: review+
Assignee | ||
Updated•23 years ago
|
Group: security?
Comment 15•23 years ago
|
||
Comment on attachment 58612 [details] [diff] [review] Patch take 2 - use existing escape function r=gagan as well...
Comment 16•23 years ago
|
||
Comment on attachment 58612 [details] [diff] [review] Patch take 2 - use existing escape function sr=darin
Attachment #58612 -
Flags: superreview+
Comment 17•23 years ago
|
||
this looks fine to me... just too bad that escaping html requires a strdup even when escaping isn't really required :(
Comment 18•23 years ago
|
||
darin: I think theres a bug somewhere on moving these functions to Real String APIs. I don't know if that could help, though, although I guess with COW you could do some short circuiting.
Assignee | ||
Comment 19•23 years ago
|
||
checked in.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 20•23 years ago
|
||
To verify this, visit http://grey:4321/bad, and then visit about:cache, click Disk Cache, and click the link for http://grey:4321/bad. The resulting page should not generate an alert.
Comment 21•23 years ago
|
||
Verified on build: 2001-12-11-o3-Trunk platform: Win NT Performed the above steps and did not see the alert dialog.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•