Bug 1515903 - [autoconfig] Allow PNG and JPEG image data: URLs. r=Neil
author Ben Bucksch <ben.bucksch@beonex.com>
Fri, 21 Dec 2018 15:44:48 +0100
changeset 34044 1f255495f7a15d5b8094512f76cf8078b2a61e76
parent 34043 8a7f1cf1ba4e940788ac10a522dcd4cc1ff3cd5a
child 34045 50e06565357c041f6c2ce53bd2efe9bb0f6c15c1
push id 389
push user clokep@gmail.com
push date Mon, 18 Mar 2019 19:01:53 +0000
bugs 1515903, 1514628
Bug 1515903 - [autoconfig] Allow PNG and JPEG image data: URLs. r=Neil

Bug 1514628 changed the icon URL from http: to data:image/png;. However, data: URLs are forbidden, so the addon doesn't show up at all.

data: URLs are highly dangerous in chrome code. They can contain anything, including javascript, e.g. data:text/javascript; and data:text/html; and similar. If these come from the network, and they are run from chrome code, they allow the attacker to run arbitrary code with system privileges, i.e. a remote code execution bug, a critical security bug. These are one of the most dangerous URLs in chrome. These should be avoided at all costs.

However, I guess that data:image/png; and data:image/jpeg; are fine, because they cannot contain code. Then again, SVG can contain JS and must be forbidden.

This change opens this up a little bit, allowing specifically PNG and JPEG image data: URLs, and only those. That allows icons to be inline.
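An added, stand-alone version of the allowlist the commit message describes (example code, not the project's sanitizeDatatypes.js): it folds the data: branch into the same parse-and-wrap path as http(s) and runs constructed samples through it, so the fail-closed behaviour for the dangerous variants named above is visible. MalformedException here is a local stand-in for the real one.

```javascript
// Added illustration of the allowlist from the commit message; not the
// project's code. MalformedException is a local stand-in for the real one.
class MalformedException extends Error {
  constructor(code, input) {
    super(`${code}: ${input}`);
    this.code = code;
  }
}

// Accept http(s) URLs and PNG/JPEG data: URLs only. The data: test is a
// plain, case-sensitive prefix match, so data:text/html, data:text/javascript,
// data:image/svg+xml and javascript: all fall through and are rejected.
function sanitizeUrl(unchecked) {
  const str = String(unchecked);
  const isImageData =
    str.startsWith("data:image/png;") || str.startsWith("data:image/jpeg;");
  if (!isImageData && !str.startsWith("http:") && !str.startsWith("https:")) {
    throw new MalformedException("url_scheme.error", unchecked);
  }
  try {
    return new URL(str).href; // parse failures surface uniformly
  } catch (e) {
    throw new MalformedException("url_parsing.error", unchecked);
  }
}

// Report "ok" or the rejection code, so a batch of candidates can be reviewed.
function classify(candidate) {
  try {
    sanitizeUrl(candidate);
    return "ok";
  } catch (e) {
    if (e instanceof MalformedException) return e.code;
    throw e;
  }
}

// Constructed samples covering the cases the commit message calls out.
const SAMPLES = [
  "https://example.com/icon.png",
  "data:image/png;base64,iVBORw0KGgo=",
  "data:image/jpeg;base64,/9j/4AAQ",
  "data:text/html;base64,PHNjcmlwdD4=",
  "data:text/javascript,void(0)",
  "data:image/svg+xml;base64,PHN2Zz4=",
  "DATA:image/png;base64,iVBORw0KGgo=", // case-sensitive: rejected
  "javascript:void(0)",
];
for (const s of SAMPLES) console.log(classify(s).padEnd(18), s);
```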
--- a/mail/components/accountcreation/content/sanitizeDatatypes.js
+++ b/mail/components/accountcreation/content/sanitizeDatatypes.js
@@ -100,18 +100,31 @@ var sanitize =
     return str.toLowerCase();
    * A non-chrome URL that's safe to request.
   url(unchecked) {
     var str = this.string(unchecked);
-    if (!str.startsWith("http") && !str.startsWith("https"))
+    // DANGER ZONE: data:text/javascript or data:text/html can contain
+    // JavaScript code, run in the caller's security context, and might allow
+    // arbitrary code execution, so these must be prevented at all costs.
+    // PNG and JPEG data: URLs are fine.  But SVG is again dangerous,
+    // it can contain javascript, so it would create a critical security hole.
+    // Talk to BenB or bz before relaxing *any* of the checks in this function.
+    if (str.startsWith("data:image/png;") ||
+        str.startsWith("data:image/jpeg;")) {
+      return new URL(str).href;
+    }
+    if (!str.startsWith("http:") && !str.startsWith("https:")) {
       throw new MalformedException("url_scheme.error", unchecked);
+    }
     var uri;
     try {
       uri = Services.io.newURI(str);
       uri = uri.QueryInterface(Ci.nsIURL);
     } catch (e) {
       throw new MalformedException("url_parsing.error", unchecked);
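Review bot: the new data: branch returns `new URL(str).href` before the try/catch that the http(s) path goes through, so if parsing of a data: string ever fails the caller gets a bare TypeError instead of the MalformedException("url_parsing.error") every other rejection in this function raises; consider wrapping that `return` in the same try/catch, or moving the data: prefix test ahead of the scheme check and letting both paths share the existing parse block. Two properties of the prefix test are worth stating in the comment: it is case-sensitive and requires the `;` (so a parameter-less `data:image/png,...` is rejected), both of which fail closed, and it only vouches for the declared media type, not the payload, so the returned value must still only ever be consumed as an image.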