Closed Bug 1144398 Opened 11 years ago Closed 11 years ago

URL with embedded null: crash [@ _platform_strncmp | nsStandardURL::SegmentIs | nsStandardURL::EqualsInternal]

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla39
Tracking Flags:
Tracking Status
firefox37 --- unaffected
firefox38 + fixed
firefox39 + fixed
firefox-esr31 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-master --- fixed

People

(Reporter: jruderman, Assigned: valentin)

References

Details

(Keywords: crash, sec-high, testcase)

Crash Data

Attachments

(4 files, 1 obsolete file)

testcase (crashes Firefox when loaded or on shutdown)
253 bytes, text/html
Details
stack (lldb)
8.33 KB, text/plain
Details
stack (minidump_stackwalk)
8.03 KB, text/plain
Details
Restrict charcters which are allowed in the URL hash (ref)
3.83 KB, patch
mcmanus
: review+
abillings
: approval-mozilla-aurora+
abillings
: sec-approval+
Details | Diff | Splinter Review
No description provided.
Attached file stack (lldb)
First stack: * Crash on load * Frame #10 is mozilla::places::History::RegisterVisitedCallback Second stack: * Crash on unload * Frame #5 is mozilla::places::History::UnregisterVisitedCallback
Assignee: nobody → valentin.gosu
Status: NEW → ASSIGNED
Marking sec-high because the dupe is sec-high.
Keywords: sec-high
Comment on attachment 8579391 [details] [diff] [review] Restrict charcters which are allowed in the URL hash (ref) I removed the percent decoding bit, because of a web-platform regression: https://treeherder.mozilla.org/#/jobs?repo=try&revision=f8605f9110db
Attachment #8579391 - Attachment is obsolete: true
Attachment #8579391 - Flags: review?(mcmanus)
Comment on attachment 8579434 [details] [diff] [review] Restrict charcters which are allowed in the URL hash (ref) Review of attachment 8579434 [details] [diff] [review]: ----------------------------------------------------------------- this adds another linear scan of the whole url.. but valentin convinced me its the only way to do it safely without massively ripping things up and the url parser engages in far too many copies and scans already so this change doesn't significantly change the complexity of a url parse. since a stale version of this has already gone to try once, please send it again and get a green run before committing.
Attachment #8579434 - Flags: review?(mcmanus) → review+
Comment on attachment 8579434 [details] [diff] [review] Restrict charcters which are allowed in the URL hash (ref) [Security approval request comment] How easily could an exploit be constructed based on the patch? - Easily. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? - Yes, it is fairly obvious what the patch does. It restricts several characters from appearing in the ref part of the URL. Which older supported branches are affected by this flaw? - Nightly and Aurora If not all supported branches, which bug introduced the flaw? - Introduced by bug 1093611. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? - This patch should be easy to apply on all affected branches (nightly + aurora) How likely is this patch to cause regressions; how much testing does it need? - Unlikely. It introduces an extra check which should have been there from the beginning.
Attachment #8579434 - Flags: sec-approval?
Comment on attachment 8579434 [details] [diff] [review] Restrict charcters which are allowed in the URL hash (ref) sec-approval+ for trunk. Let's get a patch nominated for aurora as well.
Attachment #8579434 - Flags: sec-approval? → sec-approval+
Keywords: checkin-needed
Comment on attachment 8579434 [details] [diff] [review] Restrict charcters which are allowed in the URL hash (ref) Approval Request Comment [Feature/regressing bug #]: Introduced by bug 1093611. [User impact if declined]: Possible security concerns. [Describe test coverage new/current, TreeHerder]: Green on try. Pushed to m-c. Manual testing. [Risks and why]: Low risk patch. It introduces a check for invalid characters. The extra check may pose a performance issue, but it is negligible for the average case (we already do many scans of the URL spec). [String/UUID change made/needed]: None.
Attachment #8579434 - Flags: approval-mozilla-aurora?
Attachment #8579434 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/c334736aa584
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected
status-b2g-master: --- → fixed
status-firefox39: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: