Status: Fixed
Closed: May 10
OS: All
Pri: 2
Type: Bug-Security
Security: Field validation bubbles can appear over the wrong tab when using print()
Reported by chromium...@gmail.com, Apr 24
VERSION
Chrome Version: Canary 60.0.3079.0
Operating System: Windows 7

I've got another way to bypass the fix in bug 713686 (thankful) to make field validation bubbles appear over the wrong tab.

1. Open the test case.
2. Try to print the page via CTRL+P or ....
3. Observe.

Attachment: test case.html (1.6 KB)
Cc: meacer@chromium.org
Components: Blink>Forms>Validation
Labels: M-59 Security_Impact-Stable OS-All Pri-1
Owner: tkent@chromium.org
Status: Assigned
I can verify that it works on Stable.

But, what is the supposed security impact? Why was Issue 713686 rated Medium? +meacer It looks like a functional bug.
I think I assigned medium to issue 713686 based on https://crbug.com/673163#c19

It sounds reasonable to me given it's a variant of the "A bug that allows web content to tamper with trusted browser UI (550047)" entry in the severity guidelines (except instead of trusted UI this is another tab). Also, it feels worse than low severity to be able to tamper with another tab.
Cc: mbarbe...@chromium.org
+mbarbella for https://crbug.com/673163#c19
While the effect is similar, requiring the potential victim to manually print the page is a significant mitigating factor. I'm not able to repro it to test it out, but is there any way this could still be exploitable using print()?

As-is I'd lean toward low severity here since the scope is fairly limited and it seems heavily mitigated, but I'll let someone else decide.
I don't see how the attacker can tamper with the DOM of another origin, or read information from another origin. Can they? Or is this just an annoyance in that browser chrome (outside the reach of any origin) goes wrong?
They can't tamper with or read the DOM, but they are effectively controlling another tab's view area.

As a hypothetical attack, evil.com can open an OAuth page and display a "You should click accept" dialog on that tab, which would be bad. Whether it's medium-bad or low-bad is debatable, but I don't think it's simply a functional bug.
Labels: Security_Severity-Low
As per discussion above, I'm assigning Low severity here. Please feel free to change if you disagree.

Btw, good job on bypassing the fix from issue 713686!
Cc: mmoroz@chromium.org
Shouldn't it be Medium severity here, as in issue 713686?
chromium.khalil@, would you mind suggesting a real attack scenario for this bug? I believe that it might help to adjust the severity properly.

As for now, it feels like this requires an interaction from the victim + some kind of social engineering. But we are open to discussion if you have anything to add.

Severity Guidelines for Security Issues: https://www.chromium.org/developers/severity-guidelines
Your explanation sounds reasonable. Thanks!
Project Member Comment 13 by sheriffbot@chromium.org, Apr 27
Labels: -Pri-1 Pri-2
Cc: keishi@chromium.org
Status: Started
Oh, the fix for Issue 713686 was incomplete.

Project Member Comment 15 by bugdroid1@chromium.org, Apr 28
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/93c0e26115af080b07623c0588c6ba1cfa5a552a

commit 93c0e26115af080b07623c0588c6ba1cfa5a552a
Author: tkent <tkent@chromium.org>
Date: Fri Apr 28 09:18:45 2017

Form validation: Do not show validation bubble during printing.

It was possible to show it in a media query listener.

BUG=714849

Review-Url: https://codereview.chromium.org/2845273002
Cr-Commit-Position: refs/heads/master@{#467941}

[modify] https://crrev.com/93c0e26115af080b07623c0588c6ba1cfa5a552a/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/93c0e26115af080b07623c0588c6ba1cfa5a552a/third_party/WebKit/Source/core/html/HTMLFormControlElementTest.cpp

Labels: Merge-Request-59
Status: Fixed
Project Member Comment 17 by sheriffbot@chromium.org, Apr 30
Labels: -Merge-Request-59 Hotlist-Merge-Approved Merge-Approved-59
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 18 by bugdroid1@chromium.org, Apr 30
Labels: -merge-approved-59 merge-merged-3071
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b718c53d32327ae11eb8bad92c2cd1c66bdfcb5a

commit b718c53d32327ae11eb8bad92c2cd1c66bdfcb5a
Author: Kent Tamura <tkent@chromium.org>
Date: Sun Apr 30 23:42:18 2017

Merge "Form validation: Do not show validation bubble during printing." to M59.

It was possible to show it in a media query listener.

BUG=714849

Review-Url: https://codereview.chromium.org/2845273002
Cr-Commit-Position: refs/heads/master@{#467941}
(cherry picked from commit 93c0e26115af080b07623c0588c6ba1cfa5a552a)

Review-Url: https://codereview.chromium.org/2851123002
Cr-Commit-Position: refs/branch-heads/3071@{#312}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/b718c53d32327ae11eb8bad92c2cd1c66bdfcb5a/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/b718c53d32327ae11eb8bad92c2cd1c66bdfcb5a/third_party/WebKit/Source/core/html/HTMLFormControlElementTest.cpp

Project Member Comment 19 by sheriffbot@chromium.org, May 1
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
Issue 717101 has been merged into this issue.
Cc: tkent@chromium.org
Owner: keishi@chromium.org
Status: Assigned
keishi, can you please investigate in tkent's absence? Thanks. It looks like the fix was incomplete (see Issue 717101). Thank you!
Project Member Comment 24 by sheriffbot@chromium.org, May 2
Status: Fixed
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Owner: tkent@chromium.org
Security team, can you add me to Issue 717101?

Since I don't repro issue 717101 with the test case from c#0 above, I don't think it is worth merging into this bug.
tkent@, I added you to Issue 717101.
Ok, I realized r467941 was not the right fix. A fix for Issue 717101 will revert r467941 and add different logic.

Status: Started
I also think Issue 717101 is essentially the same as this issue.


Project Member Comment 30 by bugdroid1@chromium.org, May 9
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c55169a7c2279f0f30e15bbca66678f48e7df106

commit c55169a7c2279f0f30e15bbca66678f48e7df106
Author: tkent <tkent@chromium.org>
Date: Tue May 09 05:09:49 2017

Forms: Validation Message bubble should not open during print().

r467941 was a wrong approach because ShouldUsePrintingLayout() returns false
before closing print-preview dialog. We should check Page::Suspended() instead.

BUG=714849

Review-Url: https://codereview.chromium.org/2866193002
Cr-Commit-Position: refs/heads/master@{#470230}

[modify] https://crrev.com/c55169a7c2279f0f30e15bbca66678f48e7df106/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/c55169a7c2279f0f30e15bbca66678f48e7df106/third_party/WebKit/Source/core/html/HTMLFormControlElementTest.cpp

Fixed on 60.0.3095.0 (Developer Build).
Status: Fixed
Project Member Comment 33 by bugdroid1@chromium.org, May 10
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4ed8907fbd46912db1da904b79bf26ccd41ac1e9

commit 4ed8907fbd46912db1da904b79bf26ccd41ac1e9
Author: Kent Tamura <tkent@chromium.org>
Date: Wed May 10 23:53:17 2017

Merge "Forms: Validation Message bubble should not open during print()." to M59.

r467941 was a wrong approach because ShouldUsePrintingLayout() returns false
before closing print-preview dialog. We should check Page::Suspended() instead.

BUG=714849

Review-Url: https://codereview.chromium.org/2866193002
Cr-Original-Commit-Position: refs/heads/master@{#470230}
Review-Url: https://codereview.chromium.org/2878463004
Cr-Commit-Position: refs/branch-heads/3071@{#504}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[modify] https://crrev.com/4ed8907fbd46912db1da904b79bf26ccd41ac1e9/third_party/WebKit/Source/core/html/HTMLFormControlElement.cpp
[modify] https://crrev.com/4ed8907fbd46912db1da904b79bf26ccd41ac1e9/third_party/WebKit/Source/core/html/HTMLFormControlElementTest.cpp

Labels: -Hotlist-Merge-Approved
Labels: -reward-topanel reward-0
I'm afraid the panel decided to award for this report, but thanks as ever!
Labels: Release-0-M59
Labels: CVE-2017-5083
Project Member Comment 38 by sheriffbot@chromium.org, Aug 17
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot