DHCP-based WPAD allows selecting a PAC file via file:// URL
Issue description

Tentatively marking as security for triage. I haven't confirmed this bug with end-to-end testing, but I am pretty confident it is the case based on the code.

This issue would affect the Windows and ChromeOS implementations of Chrome but not any other platform (as ChromeOS and Windows are the only platforms for which we have DHCP-based WPAD support).

ISSUE:

A DHCP server can advertise the ProxyAutoConfig (PAC) using option 252, which returns a URL string. Chrome consults this, and subsequently downloads the URL to obtain the PAC script contents.

Ordinarily we would expect this PAC URL to be an http:// or https:// URL. The code in question does not whitelist the allowed URL schemes, and subsequently will accept the file:// scheme.

This means the DHCP server could trigger the browser to read an arbitrary file on the user's local system (via file:// URL handling), and have the browser try to execute it as a PAC script.

The DHCP server can already specify arbitrary content for us to use as a PAC script (and there is already hardening in place for that), so that aspect is not a new capability. However, being able to trigger a read of a local file is unexpected, and may expose additional vulnerabilities.

Probably the chrome.proxy extension API has the same problem in allowing proxy servers to be set via file://.

As far as solutions, a complete removal of file:// for PAC is also on the table (Issue 839566).

[1] chromeos getting the PAC URL: https://chromium.googlesource.com/chromium/src/+/678180e9e5aad1117b70a8e04db2dbc7ffac0f35/chromeos/network/network_state.cc#325
[2] windows getting the PAC URL: https://chromium.googlesource.com/chromium/src/+/f28e1c437fc0236bba7fd3336e57cac1bdc01748/net/proxy_resolution/dhcp_pac_file_adapter_fetcher_win.cc#150
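An added example, not part of the original report and not Chromium's code: a scheme allowlist of the kind the description says was missing, applied to the option 252 string before any fetch is attempted. The function name, the padding handling and the sample values (including the wpad.example host) are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <optional>
#include <string>

// Hypothetical helper, not Chromium's code: validate the URL string carried in
// DHCP option 252 before any fetch is attempted. Only http and https pass.
std::optional<std::string> PacUrlFromDhcpOption252(std::string raw) {
  auto is_pad = [](unsigned char c) { return c == '\0' || std::isspace(c) != 0; };
  // Assumption: the option value may carry NUL or whitespace padding.
  while (!raw.empty() && is_pad(raw.back())) raw.pop_back();
  while (!raw.empty() && is_pad(raw.front())) raw.erase(raw.begin());

  // Control characters inside the value are never part of a valid PAC URL.
  if (std::any_of(raw.begin(), raw.end(),
                  [](unsigned char c) { return c < 0x20 || c == 0x7f; }))
    return std::nullopt;

  const std::size_t colon = raw.find(':');
  if (colon == std::string::npos) return std::nullopt;  // no scheme at all

  // Schemes are case-insensitive, so compare in lowercase.
  std::string scheme = raw.substr(0, colon);
  std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  if (scheme != "http" && scheme != "https") return std::nullopt;  // file:, data:, ...

  // Require "//" followed by a non-empty host.
  if (raw.compare(colon + 1, 2, "//") != 0) return std::nullopt;
  const std::size_t host_begin = colon + 3;
  std::size_t host_end = raw.find_first_of("/?#", host_begin);
  if (host_end == std::string::npos) host_end = raw.size();
  if (host_end == host_begin) return std::nullopt;
  return raw;
}

int main() {
  // Constructed sample option values; wpad.example is a placeholder host.
  const std::string samples[] = {"http://wpad.example/wpad.dat\n",
                                 "file:///etc/passwd", "FILE:///C:/pac.js",
                                 "wpad.dat"};
  for (const std::string& s : samples)
    std::cout << (PacUrlFromDhcpOption252(s) ? "fetch  " : "reject ") << s << '\n';
}
```

The same check would need to run again on any redirect target, since a permitted http:// URL can otherwise point the fetcher at a different scheme.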
May 8 2018

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ab9fc65b771f4ef4a206a7084aef9aefd73237e1

commit ab9fc65b771f4ef4a206a7084aef9aefd73237e1
Author: Eric Roman <eroman@chromium.org>
Date: Tue May 08 01:59:53 2018

Disallow fetching of file:// URLs discovered by DHCP-based WPAD.

Bug: 839647
TBR: stevenjb@chromium.org
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I9223238b5f187d632d68d54fd2ee4fd50981fc56
Reviewed-on: https://chromium-review.googlesource.com/1045610
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Helen Li <xunjieli@chromium.org>
Cr-Commit-Position: refs/heads/master@{#556644}

[modify] https://crrev.com/ab9fc65b771f4ef4a206a7084aef9aefd73237e1/chromeos/network/dhcp_pac_file_fetcher_chromeos.cc
[add] https://crrev.com/ab9fc65b771f4ef4a206a7084aef9aefd73237e1/net/data/pac_file_fetcher_unittest/redirect-to-file
[add] https://crrev.com/ab9fc65b771f4ef4a206a7084aef9aefd73237e1/net/data/pac_file_fetcher_unittest/redirect-to-file.mock-http-headers
[modify] https://crrev.com/ab9fc65b771f4ef4a206a7084aef9aefd73237e1/net/proxy_resolution/dhcp_pac_file_adapter_fetcher_win.cc
[modify] https://crrev.com/ab9fc65b771f4ef4a206a7084aef9aefd73237e1/net/proxy_resolution/dhcp_pac_file_adapter_fetcher_win.h
[modify] https://crrev.com/ab9fc65b771f4ef4a206a7084aef9aefd73237e1/net/proxy_resolution/dhcp_pac_file_adapter_fetcher_win_unittest.cc
[modify] https://crrev.com/ab9fc65b771f4ef4a206a7084aef9aefd73237e1/net/proxy_resolution/pac_file_fetcher_impl.cc
[modify] https://crrev.com/ab9fc65b771f4ef4a206a7084aef9aefd73237e1/net/proxy_resolution/pac_file_fetcher_impl.h
[modify] https://crrev.com/ab9fc65b771f4ef4a206a7084aef9aefd73237e1/net/proxy_resolution/pac_file_fetcher_impl_unittest.cc
[modify] https://crrev.com/ab9fc65b771f4ef4a206a7084aef9aefd73237e1/services/network/url_request_context_builder_mojo.cc

Aug 15

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by eroman@chromium.org, May 4 2018