Bugzilla@Mozilla – Bug 466937
File stealing with SessionStore
Last modified: 2009-02-03 17:29:49 PST
Summon comment box
It's possible to change the type of an input control during restoration.
Created attachment 350380 [details] [review] patch and test In order to keep sessionstore.js small and to remain compatible with Betas 1 and 2, this patch special-cases <input type="file">. AFAICT this is the only privacy sensitive of our input elements (please correct me now, if I'm wrong!). On a side-note: The same vulnerability works the other way round, as well: If the user selects a file, it'd be possible to get the full file path instead of just the filename. Both patch and test take care of both ways.
Created attachment 350381 [details] [review] 1.9 branch patch
Created attachment 350382 [details] [review] 1.8.1 branch patch
(In reply to comment #2) > AFAICT this is the only privacy sensitive of our input elements ... besides <input type="password"> which we single out already.
Do we still need 1.8.1 patches, anyway?
Created attachment 350477 [details] [review] patch and test Minor update to the test: Let's also make sure that <input type="file"> restoration wasn't broken in the same circumstances.
This has been placed on our "Top Security Bugs" list. Please treat as a top priority.
Comment on attachment 350477 [details] [review] patch and test looks fine, r=me
(In reply to comment #6) > Do we still need 1.8.1 patches, anyway? Several vendors will continue to support Firefox 2 longer than MoCo, so yeah, it's extremely helpful.
We're going to wait for 1.9.1 approval and landing before approving for the older branches, but why is 1.9.1 so different from 1.9.0 here? That would seem to call for a separate review.
Comment on attachment 350381 [details] [review] 1.9 branch patch (In reply to comment #11) > why is 1.9.1 so different from 1.9.0 here? Because with all the improvements on 1.9.1 we can actually distinguish type="file" from type="text" and restore both whereas on older branches we can't and thus just have to ignore type="file" during both saving and restoring. Dietrich: The second bit has been included in the 1.9.1 patch and the first bit is equal to the type="password" one. Please nod if I haven't missed anything.
Comment on attachment 350477 [details] [review] patch and test a191=beltzner
http://hg.mozilla.org/mozilla-central/rev/8d0d5017c101
Comment on attachment 350381 [details] [review] 1.9 branch patch Approved for 1.9.0.6, a=dveditz for release-drivers.
dveditz, please approve blocking1.8.1.next if you come to it.
checked into 1.9.1: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/b9c4584c3fc2
checked into 1.9.0 branch: Checking in browser/components/sessionstore/src/nsSessionStore.js; /cvsroot/mozilla/browser/components/sessionstore/src/nsSessionStore.js,v <-- nsSessionStore.js new revision: 1.108; previous revision: 1.107 done
Removing checkin-needed keyword, as I think this has been completely landed, but please correct me if I'm wrong.
This hasn't landed on the 1.8.1 branch yet. Needs approval first, though.
yep. we are waiting for approval1.8.1.next? from comment 16 ... drivers please support us!
Verified for 1.9.0.6 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6pre) Gecko/2009010606 GranParadiso/3.0.6pre.
Comment on attachment 350382 [details] [review] 1.8.1 branch patch Approved for 1.8 branch, a=dveditz
MOZILLA_1_8_BRANCH: Checking in browser/components/sessionstore/src/nsSessionStore.js; /cvsroot/mozilla/browser/components/sessionstore/src/nsSessionStore.js,v <-- nsSessionStore.js new revision: 1.5.2.55; previous revision: 1.5.2.54 done