
Issue 668970


Issue metadata

Status: Fixed
Closed: Nov 2016
OS: All
Pri: 1
Type: Bug-Security




Security: Debugger API exposes UA shadow trees, and can cause bad-casts

Project Member Reported by tkent@chromium.org, Nov 28 2016

Issue description


VULNERABILITY DETAILS
UA shadow tree implementations have multiple non-checked casts.
See https://bugs.chromium.org/p/chromium/issues/detail?id=666246 Comment 33 and 38.


IMO, introducing toHTMLSelectElementOrDie() and using it in UA shadow trees would be enough.


Comment 1 by tkent@chromium.org, Nov 28 2016

Cc: -janh@google.com jannh@google.com

Comment 2 by jannh@google.com, Nov 28 2016

Cc: ifratric@google.com

Comment 3 by hayato@chromium.org, Nov 28 2016

Could someone share a concrete example how debugger API is being used?

Cc: ddkil...@apple.com

Comment 5 by hayato@chromium.org, Nov 28 2016

I missed this comment about debugger API.
https://bugs.chromium.org/p/chromium/issues/detail?id=666246#c47

> This API isn't in stable yet

It sounds like the API is not stable yet.

Could we have a chance to reject the debugger API reaching the internals of UA shadow trees? I am afraid that Blink is not ready for such an API. That would cause a lot of breakage of the current code's assumptions.
I think introducing toHTMLSelectElementOrDie() is just a *local* fix.


Comment 6 by tkent@chromium.org, Nov 29 2016

Status: Started (was: Assigned)
Labels: Security_Severity-High
Labelling as high severity since this seems to be able to induce a browser crash.

Comment 8 by bugdroid1@chromium.org, Nov 29 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2ce7841faa0fcfb4bff02b808745a9399a1c0603

commit 2ce7841faa0fcfb4bff02b808745a9399a1c0603
Author: tkent <tkent@chromium.org>
Date: Tue Nov 29 05:10:43 2016

Avoid unchecked casts in UA shadow DOM.

If we have a way to leak UA shadow DOM to web authors or Chrome extension authors,
these unchecked casts would be dangerous.
This CL introduces toFooTypeOrDie() helpers, and applies them to UA shadow DOM.

BUG=668970

Review-Url: https://codereview.chromium.org/2534873004
Cr-Commit-Position: refs/heads/master@{#434899}

[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/build/scripts/templates/ElementTypeHelpers.h.tmpl
[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/core/dom/Element.h
[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/core/html/HTMLDetailsElement.cpp
[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/core/html/HTMLKeygenElement.cpp
[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/core/html/HTMLOptGroupElement.cpp
[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/core/html/TextControlElement.cpp
[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/core/html/forms/BaseButtonInputType.cpp
[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/core/html/forms/ColorInputType.cpp
[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/core/html/forms/FileInputType.cpp
[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/core/html/forms/MultipleFieldsTemporalInputTypeView.cpp
[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/core/html/forms/RangeInputType.cpp
[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/core/html/forms/TextFieldInputType.cpp
[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/core/html/shadow/DateTimeEditElement.cpp
[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/core/svg/SVGUseElement.cpp
[modify] https://crrev.com/2ce7841faa0fcfb4bff02b808745a9399a1c0603/third_party/WebKit/Source/wtf/Assertions.h
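The following is an added example, not Blink's code and not part of this issue. It is a small C++ model of the pattern the commit message describes: a UA shadow tree implementation that built its own <select> and later downcasts its first child without checking, versus the same lookup through a checked toFooTypeOrDie() helper. The classes Element, HTMLSelectElement, HTMLDivElement and UAShadowRoot, the helper scriptReplacesFirstChild() standing in for "script can reach the UA shadow tree", and the RELEASE_CHECK macro are all stand-ins assumed for this example; RELEASE_CHECK throws instead of aborting the process the way Blink's CHECK() does, so the failure path can be observed in a test.

```cpp
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Stand-in for Blink's CHECK(): the real macro aborts the renderer process.
// Here it throws so the failure path can be observed (example assumption).
#define RELEASE_CHECK(cond)                                                   \
    do {                                                                      \
        if (!(cond)) throw std::logic_error("RELEASE_CHECK failed: " #cond);  \
    } while (0)

// Minimal element hierarchy (not Blink's; names chosen to mirror it).
struct Element {
    explicit Element(std::string tag) : tagName(std::move(tag)) {}
    virtual ~Element() = default;
    std::string tagName;
};

struct HTMLSelectElement : Element {
    HTMLSelectElement() : Element("select") {}
    std::vector<std::string> options;
};

struct HTMLDivElement : Element {
    HTMLDivElement() : Element("div") {}
    std::string textContent;
};

bool isHTMLSelectElement(const Element& e) { return e.tagName == "select"; }

// Pre-fix pattern: the caller "knows" what it built, so it just casts.
HTMLSelectElement* toHTMLSelectElement(Element* e) {
    return static_cast<HTMLSelectElement*>(e);
}

// Post-fix pattern (toFooTypeOrDie): verify the dynamic type, then cast.
HTMLSelectElement* toHTMLSelectElementOrDie(Element* e) {
    RELEASE_CHECK(e && isHTMLSelectElement(*e));
    return static_cast<HTMLSelectElement*>(e);
}

// A UA shadow root that created a <select> as its first child and relies on
// that child still being a <select> whenever it is queried later.
struct UAShadowRoot {
    std::vector<std::unique_ptr<Element>> children;

    UAShadowRoot() {
        auto select = std::make_unique<HTMLSelectElement>();
        select->options = {"Jan", "Feb", "Mar"};  // constructed sample data
        children.push_back(std::move(select));
    }

    Element* firstChild() { return children.empty() ? nullptr : children.front().get(); }

    // Pre-fix: no check. If firstChild() is no longer a <select>, the pointer
    // still looks valid, and reading ->options would interpret the bytes of
    // HTMLDivElement::textContent as a std::vector (a bad-cast / type confusion).
    size_t optionCountUnchecked() { return toHTMLSelectElement(firstChild())->options.size(); }

    // Post-fix: the cast fails loudly instead of reading through the wrong type.
    size_t optionCountOrDie() { return toHTMLSelectElementOrDie(firstChild())->options.size(); }
};

// Models what exposing the UA shadow tree buys an attacker: script that can
// reach the tree swaps the implementation's node for one of another type.
void scriptReplacesFirstChild(UAShadowRoot& root) {
    auto div = std::make_unique<HTMLDivElement>();
    div->textContent = "attacker-controlled";
    root.children.front() = std::move(div);
}

// Intact tree: the checked helper behaves exactly like the unchecked one.
size_t optionCountOnIntactTree() {
    UAShadowRoot root;
    return root.optionCountOrDie();
}

// Tampered tree: the checked helper refuses to cast a <div> to a <select>.
bool checkedCastDetectsTampering() {
    UAShadowRoot root;
    scriptReplacesFirstChild(root);
    try {
        (void)root.optionCountOrDie();
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}

// Tampered tree: the unchecked cast hands back a "select" pointer for a <div>.
// The pointer is only compared here, never dereferenced as a select.
bool uncheckedCastAcceptsDiv() {
    UAShadowRoot root;
    scriptReplacesFirstChild(root);
    Element* div = root.firstChild();
    return static_cast<Element*>(toHTMLSelectElement(div)) == div && !isHTMLSelectElement(*div);
}
```

The design point is the one the commit makes: the assumption "I created this node, so I know its type" is only safe while nobody else can mutate the subtree. Once a debugger API, an extension or page script can reach the UA shadow tree, every such downcast becomes attacker-reachable, and a CHECK-backed helper turns a silent type confusion into a deterministic crash.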

Comment 9 by tkent@chromium.org, Nov 29 2016

Status: Fixed (was: Started)

Comment 10 by sheriffbot@chromium.org, Nov 29 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: M-56 M-57
Labels: Merge-Request-56

Comment 13 by dimu@chromium.org, Dec 2 2016

Labels: -Merge-Request-56 Merge-Approved-56 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M56 (branch: 2924)

Comment 14 by bugdroid1@chromium.org, Dec 5 2016

Labels: -merge-approved-56 merge-merged-2924
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0db497a39cbefc87a1c63ebfa6e5b26eda899da7

commit 0db497a39cbefc87a1c63ebfa6e5b26eda899da7
Author: Kent Tamura <tkent@chromium.org>
Date: Mon Dec 05 00:09:50 2016

Merge "Avoid unchecked casts in UA shadow DOM." to M56

If we have a way to leak UA shadow DOM to web authors or Chrome extension authors,
these unchecked casts would be dangerous.
This CL introduces toFooTypeOrDie() helpers, and applies them to UA shadow DOM.

BUG=668970

Review-Url: https://codereview.chromium.org/2534873004
Cr-Commit-Position: refs/heads/master@{#434899}
(cherry picked from commit 2ce7841faa0fcfb4bff02b808745a9399a1c0603)

Review URL: https://codereview.chromium.org/2552613002 .

Cr-Commit-Position: refs/branch-heads/2924@{#322}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/build/scripts/templates/ElementTypeHelpers.h.tmpl
[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/core/dom/Element.h
[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/core/html/HTMLDetailsElement.cpp
[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/core/html/HTMLKeygenElement.cpp
[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/core/html/HTMLOptGroupElement.cpp
[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/core/html/TextControlElement.cpp
[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/core/html/forms/BaseButtonInputType.cpp
[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/core/html/forms/ColorInputType.cpp
[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/core/html/forms/FileInputType.cpp
[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/core/html/forms/MultipleFieldsTemporalInputTypeView.cpp
[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/core/html/forms/RangeInputType.cpp
[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/core/html/forms/TextFieldInputType.cpp
[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/core/html/shadow/DateTimeEditElement.cpp
[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/core/svg/SVGUseElement.cpp
[modify] https://crrev.com/0db497a39cbefc87a1c63ebfa6e5b26eda899da7/third_party/WebKit/Source/wtf/Assertions.h

Labels: -Hotlist-Merge-Approved
Labels: Release-0-M56

Comment 17 by sheriffbot@chromium.org, Mar 7 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
