
Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security




Security: Field validation bubbles can appear over the wrong tab when using print()

Reported by chromium...@gmail.com, Apr 24 2017

Issue description

VERSION
Chrome Version: Canary 60.0.3079.0
Operating System: Windows 7

I've got another way to bypass the fix in bug 713686 (thankful) to make field validation bubbles appear over the wrong tab.

1. Open the test case.
2. Try to print the page via CTRL+P or ....
3. Observe.

 
Attachment: test case.html (1.6 KB)

Comment 1 by palmer@chromium.org, Apr 25 2017

Cc: meacer@chromium.org
Components: Blink>Forms>Validation
Labels: M-59 Security_Impact-Stable OS-All Pri-1
Owner: tkent@chromium.org
Status: Assigned
I can verify that it works on Stable.

But, what is the supposed security impact? Why was Issue 713686 rated Medium? +meacer It looks like a functional bug.

Comment 2 by meacer@chromium.org, Apr 25 2017

I think I assigned medium to issue 713686 based on https://crbug.com/673163#c19

It sounds reasonable to me given it's a variant of the "A bug that allows web content to tamper with trusted browser UI (550047)" entry in the severity guidelines (except instead of trusted UI this is another tab). Also, it feels worse than low severity to be able to tamper with another tab.

Comment 3 by meacer@chromium.org, Apr 25 2017

Cc: mbarbe...@chromium.org
+mbarbella for https://crbug.com/673163#c19
While the effect is similar, requiring the potential victim to manually print the page is a significant mitigating factor. I'm not able to repro it to test it out, but is there any way this could still be exploitable using print()?

As-is I'd lean toward low severity here since the scope is fairly limited and it seems heavily mitigated, but I'll let someone else decide.

Comment 5 by palmer@chromium.org, Apr 25 2017

I don't see how the attacker can tamper with the DOM of another origin, or read information from another origin. Can they? Or is this just an annoyance in that browser chrome (outside the reach of any origin) goes wrong?

Comment 6 by meacer@chromium.org, Apr 26 2017

They can't tamper with or read the DOM, but they are effectively controlling another tab's view area.

As a hypothetical attack, evil.com can open an OAuth page and display a "You should click accept" dialog on that tab, which would be bad. Whether it's medium-bad or low-bad is debatable, but I don't think it's simply a functional bug.

Comment 7 by mmoroz@chromium.org, Apr 26 2017

Labels: Security_Severity-Low
As per discussion above, I'm assigning Low severity here. Please feel free to change if you disagree.

Btw, good job on bypassing the fix from issue 713686!

Comment 8 by mmoroz@chromium.org, Apr 26 2017

Cc: mmoroz@chromium.org
Shouldn't it be Medium severity here, as in issue 713686?
chromium.khalil@, would you mind suggesting a real attack scenario for this bug? I believe that it might help to adjust the severity properly.

As for now, it feels like this requires an interaction from victim + some kind of social engineering. But we are open for discussion if you have anything to add.

Severity Guidelines for Security Issues: https://www.chromium.org/developers/severity-guidelines
Your explanation sounds reasonable. Thanks!

Comment 12 Deleted


Comment 13 by sheriffbot@chromium.org, Apr 27 2017

Labels: -Pri-1 Pri-2

Comment 14 by tkent@chromium.org, Apr 28 2017

Cc: keishi@chromium.org
Status: Started
Oh, the fix for Issue 713686 was incomplete.


Comment 15 by bugdroid1@chromium.org, Apr 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/93c0e26115af080b07623c0588c6ba1cfa5a552a

commit 93c0e26115af080b07623c0588c6ba1cfa5a552a
Author: tkent <tkent@chromium.org>
Date: Fri Apr 28 09:18:45 2017

Form validation: Do not show validation bubble during printing.

It was possible to show it in media query listener.

BUG=714849

Review-Url: https://codereview.chromium.org/2845273002
Cr-Commit-Position: refs/heads/master@{#467941}

[modify] https://crrev.com/93c0e26115af080b07623c0588c6ba1cfa5a552a/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/93c0e26115af080b07623c0588c6ba1cfa5a552a/third_party/WebKit/Source/core/html/HTMLFormControlElementTest.cpp

Comment 16 by tkent@chromium.org, Apr 30 2017

Labels: Merge-Request-59
Status: Fixed

Comment 17 by sheriffbot@chromium.org, Apr 30 2017

Labels: -Merge-Request-59 Hotlist-Merge-Approved Merge-Approved-59
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 18 by bugdroid1@chromium.org, Apr 30 2017

Labels: -merge-approved-59 merge-merged-3071
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b718c53d32327ae11eb8bad92c2cd1c66bdfcb5a

commit b718c53d32327ae11eb8bad92c2cd1c66bdfcb5a
Author: Kent Tamura <tkent@chromium.org>
Date: Sun Apr 30 23:42:18 2017

Merge "Form validation: Do not show validation bubble during printing." to M59.

It was possible to show it in media query listener.

BUG=714849

Review-Url: https://codereview.chromium.org/2845273002
Cr-Commit-Position: refs/heads/master@{#467941}
(cherry picked from commit 93c0e26115af080b07623c0588c6ba1cfa5a552a)

Review-Url: https://codereview.chromium.org/2851123002 .
Cr-Commit-Position: refs/branch-heads/3071@{#312}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/b718c53d32327ae11eb8bad92c2cd1c66bdfcb5a/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/b718c53d32327ae11eb8bad92c2cd1c66bdfcb5a/third_party/WebKit/Source/core/html/HTMLFormControlElementTest.cpp


Comment 19 by sheriffbot@chromium.org, May 1 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Issue 717101 has been merged into this issue.
Cc: tkent@chromium.org
Owner: keishi@chromium.org
Status: Assigned
keishi, can you please investigate in tkent's absence? Thanks. It looks like the fix was incomplete (see Issue 717101). Thank you!

Comment 23 Deleted


Comment 24 by sheriffbot@chromium.org, May 2 2017

Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Owner: tkent@chromium.org
Security team, can you add me to Issue 717101?

Since I don't repro issue 717101 with the testcase from above in c#0, I don't think it is worth merging into this bug.

Comment 27 by mmoroz@google.com, May 8 2017

tkent@, I added you to Issue 717101.
Ok, I realized r467941 was not the right fix. A fix for Issue 717101 will revert r467941 and add different logic.

Status: Started
I also think Issue 717101 is essentially the same as this issue.



Comment 30 by bugdroid1@chromium.org, May 9 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c55169a7c2279f0f30e15bbca66678f48e7df106

commit c55169a7c2279f0f30e15bbca66678f48e7df106
Author: tkent <tkent@chromium.org>
Date: Tue May 09 05:09:49 2017

Forms: Validation Message bubble should not open during print().

r467941 was a wrong approach because ShouldUsePrintingLayout() returns false
before closing print-preview dialog. We should check Page::Suspended() instead.

BUG=714849

Review-Url: https://codereview.chromium.org/2866193002
Cr-Commit-Position: refs/heads/master@{#470230}

[modify] https://crrev.com/c55169a7c2279f0f30e15bbca66678f48e7df106/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/c55169a7c2279f0f30e15bbca66678f48e7df106/third_party/WebKit/Source/core/html/HTMLFormControlElementTest.cpp

Fixed on 60.0.3095.0 (Developer Build).

Comment 32 by tkent@chromium.org, May 10 2017

Status: Fixed

Comment 33 by bugdroid1@chromium.org, May 10 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4ed8907fbd46912db1da904b79bf26ccd41ac1e9

commit 4ed8907fbd46912db1da904b79bf26ccd41ac1e9
Author: Kent Tamura <tkent@chromium.org>
Date: Wed May 10 23:53:17 2017

Merge "Forms: Validation Message bubble should not open during print()." to M59.

r467941 was a wrong approach because ShouldUsePrintingLayout() returns false
before closing print-preview dialog. We should check Page::Suspended() instead.

BUG=714849

Review-Url: https://codereview.chromium.org/2866193002
Cr-Original-Commit-Position: refs/heads/master@{#470230}
Review-Url: https://codereview.chromium.org/2878463004 .
Cr-Commit-Position: refs/branch-heads/3071@{#504}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/4ed8907fbd46912db1da904b79bf26ccd41ac1e9/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/4ed8907fbd46912db1da904b79bf26ccd41ac1e9/third_party/WebKit/Source/core/html/HTMLFormControlElementTest.cpp

Labels: -Hotlist-Merge-Approved
Labels: -reward-topanel reward-0
I'm afraid the panel decided to award for this report, but thanks as ever!
Labels: Release-0-M59
Labels: CVE-2017-5083

Comment 38 by sheriffbot@chromium.org, Aug 17 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
