Closed
Bug 985135
(CVE-2014-1552)
Opened 11 years ago
Closed 11 years ago
Iframe sandboxing doesn't work if the load is redirected
Categories
(Core :: Security, defect)
Tracking
()
People
(Reporter: bzbarsky, Assigned: bobowen)
References
Details
(Keywords: sec-moderate, Whiteboard: [adv-main31+])
Attachments
(2 files, 2 obsolete files)
(deleted),
patch
|
bzbarsky
:
review+
Sylvestre
:
approval-mozilla-aurora+
bajaj
:
approval-mozilla-b2g28-
bajaj
:
approval-mozilla-b2g30-
|
Details | Diff | Splinter Review |
(deleted),
patch
|
bobowen
:
review+
Sylvestre
:
approval-mozilla-aurora+
bajaj
:
approval-mozilla-b2g28-
bajaj
:
approval-mozilla-b2g30-
|
Details | Diff | Splinter Review |
<iframe sandbox src="something-that-redirects"> doesn't sandbox because we do sandboxing via setting a nullprincipal owner and redirects don't propagate it. I'll attach a mochitest that shows the bug....
Properly fixing bug 965413 will automagically fix this, but we may want some sort of branch backports.
Reporter | ||
Comment 1•11 years ago
|
||
Reporter | ||
Updated•11 years ago
|
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Comment 3•11 years ago
|
||
Boris, can you please answer this separately for these items?
- HTTP redirects (301, 302, ..)
- META tag redirects
- JavaScript redirects (assignments to location)
Flags: needinfo?(bzbarsky)
Comment 4•11 years ago
|
||
Bob is our new Sandboxing wizard. Bob, can you have a look at this, possibly after Boris lands bug 965413?
Flags: needinfo?(bobowencode)
Reporter | ||
Comment 5•11 years ago
|
||
This is specific to redirects on the necko level. So this affects HTTP redirects, but also as far as I can tell proxy stuff (!) and a few other esoteric cases that shouldn't come up much in practice (.url files for file:// loads, say).
For the branch backports, I think we basically need to propagate the .owner in SetupReplacementChannel (perhaps only if it's a null principal?).
Flags: needinfo?(bzbarsky)
Reporter | ||
Comment 6•11 years ago
|
||
Oh, and to be clear, <meta> and location sets aren't redirects of an existing load. They're new loads. This bug only affects redirects of existing loads.
Assignee | ||
Comment 7•11 years ago
|
||
(In reply to Bobby Holley (:bholley) from comment #4)
> Bob is our new Sandboxing wizard. Bob, can you have a look at this, possibly
> after Boris lands bug 965413?
Sure, I'll add it to the list (although perhaps not at the bottom :-) ).
Just for clarity, I think it is the allow-same-origin part of the sandbox that is broken, as this is what relies on the nullprincipal (possibly some of the other flags as well).
Did a quick test and the navigation and script restrictions still seem to be in place, which makes sense.
Of course that's not much comfort, because if allow-scripts is there, then this issue would allow someone to remove the sandbox completely.
Assignee: nobody → bobowencode
Flags: needinfo?(bobowencode)
Reporter | ||
Comment 8•11 years ago
|
||
> Just for clarity, I think it is the allow-same-origin part of the sandbox that is broken,
Correct.
Updated•11 years ago
|
Keywords: sec-moderate
Assignee | ||
Comment 9•11 years ago
|
||
Assignee | ||
Comment 10•11 years ago
|
||
This is bz's original test, with just the bug numbers in the main test file changed to this one.
Attachment #8393129 -
Attachment is obsolete: true
Assignee | ||
Comment 11•11 years ago
|
||
This just propagates the owner, when it is a null principal, as per Boris's suggestion in comment 5.
I think it is safest to only do this for null principals, as if we always propagate then it might have unforeseen consequences.
Attachment #8430063 -
Flags: review?(bzbarsky)
Reporter | ||
Comment 12•11 years ago
|
||
Comment on attachment 8430063 [details] [diff] [review]
When owner is a null principal, propagate to replacement channel on redirect v1
r=me
Attachment #8430063 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Comment 13•11 years ago
|
||
Comment on attachment 8430057 [details] [diff] [review]
Test that sandboxed origin flag is honoured across redirects.
Review of attachment 8430057 [details] [diff] [review]:
-----------------------------------------------------------------
I doubt that you meant this to be the actual checked-in test for this bug, but I thought, why reinvent the cliché. :)
The comments below are all very minor, but I thought I ought to look at it fairly critically, it being my first review.
::: content/html/content/test/file_sandbox_redirect.html^headers^
@@ +1,2 @@
> +HTTP 301 Moved Permanently
> +Location: http://mochi.test:8888/tests/content/html/content/test/file_sandbox_redirect_target.html
Would it be better to use a relative URL, in case the origin and path ever change?
Although doing a quick search for mochi.test:8888 on dxr reveals that whole swathes of tests would fail, were this ever to change.
::: content/html/content/test/mochitest.ini
@@ +146,5 @@
> file_iframe_sandbox_worker.js
> file_imports_basics.html
> + file_sandbox_redirect.html
> + file_sandbox_redirect.html^headers^
> + file_sandbox_redirect_target.html
nit: I think, for consistency with other tests, these (and the test file below) should be called *_iframe_sandbox_redirect_*
::: content/html/content/test/test_sandbox_redirect.html
@@ +15,5 @@
> + addLoadEvent(function() {
> + try {
> + var doc = frames[0].document;
> + ok(false, "Should not be able to get the document");
> + isnot(doc.body.textContent, "I have been redirected\n", "Should not happen");
nit: this |\n| causes the message in the log to bleed onto the next line.
We could slice the last character off to avoid this.
Attachment #8430057 -
Flags: review+
Assignee | ||
Comment 14•11 years ago
|
||
I should have pointed out in comment 13, that Boris (on IRC) asked me to review the test, as it was originally written by him, although I'd made a cosmetic change to the bug number.
Reporter | ||
Comment 15•11 years ago
|
||
> I doubt that you meant this to be the actual checked-in test for this bug
I actually did; that's why I wrote it up as a mochitest. ;)
> Would it be better to use a relative URL, in case the origin and path ever change?
Per spec, the value of a Location header is an absolute URI... I guess we do make it relative to the channel URI, so we could do that here.
> should be called *_iframe_sandbox_redirect_*
Makes sense.
> We could slice the last character off to avoid this.
Also makes sense.
Are you going to update the test to those comments, or do you want me to?
Assignee | ||
Comment 16•11 years ago
|
||
Updated on behalf of Boris as per comment 15 and r+ed again by me.
(In reply to Boris Zbarsky [:bz] from comment #15)
> Per spec, the value of a Location header is an absolute URI...
Well, I didn't know that ... every day's a school day. :)
I did check that my suggestion worked before I made it though.
Attachment #8430057 -
Attachment is obsolete: true
Attachment #8430990 -
Flags: review+
Assignee | ||
Comment 17•11 years ago
|
||
Full Linux try push with this patch and the previous version of the test:
https://tbpl.mozilla.org/?tree=Try&rev=61be6ab794e8
I also did another quick try push, with just the relevant tests, for my changes in comment 16, just to make sure I hadn't broken things:
https://tbpl.mozilla.org/?tree=Try&rev=0df0ee7604c3
It makes sense to land the fix before the test.
Thanks.
Keywords: checkin-needed
Comment 18•11 years ago
|
||
Landed minus the test for now (though for a sec-moderate, we probably could have just gone ahead and landed it).
https://hg.mozilla.org/integration/mozilla-inbound/rev/734a7a31ee9c
Flags: in-testsuite?
Keywords: checkin-needed
Comment 19•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/734a7a31ee9c
Per IRC, setting checkin-needed for the test. How far back does this issue go, Bob?
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-b2g-v2.0:
--- → fixed
status-firefox30:
--- → wontfix
status-firefox31:
--- → affected
status-firefox32:
--- → fixed
Flags: needinfo?(bobowencode)
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Comment 20•11 years ago
|
||
Flags: in-testsuite? → in-testsuite+
Keywords: checkin-needed
Assignee | ||
Comment 21•11 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #19)
> https://hg.mozilla.org/mozilla-central/rev/734a7a31ee9c
>
> Per IRC, setting checkin-needed for the test. How far back does this issue
> go, Bob?
Thanks Ryan, and sorry for the confusion.
I don't think anything has changed in the channel / redirection code recently to cause this, so I think this has probably been there since iframe sandbox landed (FF17 if my memory serves me well).
Flags: needinfo?(bobowencode)
Comment 22•11 years ago
|
||
Thanks for the reply. It's unlikely this will be taken for esr24 since it is only sec-moderate. You can try to argue for it if you feel strongly about it, though. Otherwise, please nominate this for Aurora/b2g30/b2g28 approval when you get a chance.
status-b2g-v1.2:
--- → wontfix
status-b2g-v1.3:
--- → affected
status-b2g-v1.3T:
--- → affected
status-b2g-v1.4:
--- → affected
status-firefox-esr24:
--- → wontfix
Assignee | ||
Comment 23•11 years ago
|
||
Comment on attachment 8430063 [details] [diff] [review]
When owner is a null principal, propagate to replacement channel on redirect v1
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #22)
> Thanks for the reply. It's unlikely this will be taken for esr24 since it is
> only sec-moderate. You can try to argue for it if you feel strongly about
> it, though. Otherwise, please nominate this for Aurora/b2g30/b2g28 approval
> when you get a chance.
No problem.
There's at least one other bug, that allowed you to escape the sandbox completely, that didn't get uplifted to esr24.
So, unless they were all uplifted it doesn't really make sense to do this one on its own.
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 341604, as I believe this issue will have existed since the feature was landed.
User impact if declined: Can be used to remove the unique origin enforced on sandboxes without the allow-same-origin keyword. This normally prevents the sandboxed content from accessing other content from the same origin. Also, if the allow-scripts keyword is present, would allow same origin sandboxed content to remove the sandbox altogether.
Testing completed (on m-c, etc.): Automated mochitest, no QA testing as yet.
Risk to taking this patch (and alternatives if risky): Low risk - it is a small single area patch and the propagation of the owner is only being done when it is a null principal.
String or IDL/UUID changes made by this patch: None
Attachment #8430063 -
Flags: approval-mozilla-b2g30?
Attachment #8430063 -
Flags: approval-mozilla-b2g28?
Attachment #8430063 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 24•11 years ago
|
||
Comment on attachment 8430990 [details] [diff] [review]
Test that sandboxed origin flag is honoured across redirects. v3
This is just the automated test for the uplift requested in comment 23.
Attachment #8430990 -
Flags: approval-mozilla-b2g30?
Attachment #8430990 -
Flags: approval-mozilla-b2g28?
Attachment #8430990 -
Flags: approval-mozilla-aurora?
Comment 25•11 years ago
|
||
Updated•11 years ago
|
Attachment #8430063 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•11 years ago
|
Attachment #8430990 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 26•11 years ago
|
||
Comment 27•11 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #22)
> Thanks for the reply. It's unlikely this will be taken for esr24 since it is
> only sec-moderate. You can try to argue for it if you feel strongly about
> it, though. Otherwise, please nominate this for Aurora/b2g30/b2g28 approval
> when you get a chance.
Given this is a sec-moderate only and an old regression, we can let this ride the trains and get naturally fixed in 2.0 (gecko base 32) without uplifting on b2g branches.. If anyone disagrees and I missed any context why this would be neeeded for B2G, please NI me.
Updated•11 years ago
|
Attachment #8430063 -
Flags: approval-mozilla-b2g30?
Attachment #8430063 -
Flags: approval-mozilla-b2g30-
Attachment #8430063 -
Flags: approval-mozilla-b2g28?
Attachment #8430063 -
Flags: approval-mozilla-b2g28-
Updated•11 years ago
|
Attachment #8430990 -
Flags: approval-mozilla-b2g30?
Attachment #8430990 -
Flags: approval-mozilla-b2g30-
Attachment #8430990 -
Flags: approval-mozilla-b2g28?
Attachment #8430990 -
Flags: approval-mozilla-b2g28-
Updated•11 years ago
|
Updated•10 years ago
|
Whiteboard: [adv-main31+]
Updated•10 years ago
|
Alias: CVE-2014-1552
Comment 28•10 years ago
|
||
I used the tests within to observe the issue on Fx30, as well as pre-fix builds of Fx31.
I verified fixed on builds of Fx31 and Fx32, 2014-07-07.
Updated•10 years ago
|
Updated•10 years ago
|
Group: core-security
Updated•10 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•