Launchpad session cookie is accessible from Javascript

Bug #96878 reported by James Henstridge
Affects           Status         Importance  Assigned to
Launchpad itself  Fix Released   High        William Grant
Python            Fix Committed  Unknown

Bug Description

By default cookies are available to JavaScript running in the page. While this is not a problem in theory, if Launchpad had a cross-site scripting hole it would expose our session credentials, which could then be passed to another site.

Apparently Internet Explorer 6 implements an extension to the Set-Cookie header that has been adopted for Firefox 3 that can help here:

    https://bugzilla.mozilla.org/show_bug.cgi?id=178993

So if we send the cookie as:
    Set-Cookie: launchpad=XXXXXX; domain=.launchpad.net; expires=...; secure; HttpOnly

Then it will be sent back to us as before, but will not be accessible to the page in document.cookies.
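As an added example, not code from the bug report or from Launchpad itself: the header in the description, generated with Python 3's http.cookies (the successor of the Cookie module the thread discusses, which gained the httponly attribute in Python 2.6), plus a small audit that a regression test could run against a response's Set-Cookie header. The cookie name and domain are taken from the description; the session value is a constructed placeholder, and the helper names are my own.

```python
from http.cookies import SimpleCookie

# Name and domain as in the bug description; the value is a constructed
# placeholder, not a real session id.
SESSION_COOKIE_NAME = "launchpad"
COOKIE_DOMAIN = ".launchpad.net"


def build_session_cookie_header(value, domain=COOKIE_DOMAIN, max_age=3600):
    """Return the Set-Cookie header value for the session cookie.

    Python 2.6 and later (http.cookies in Python 3) accept 'secure' and
    'httponly' as morsel attributes; earlier versions silently dropped
    attributes they did not know, which is what this bug waited on.
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE_NAME] = value
    morsel = cookie[SESSION_COOKIE_NAME]
    morsel["domain"] = domain
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["secure"] = True      # only sent over HTTPS
    morsel["httponly"] = True    # still sent on every request, including
                                 # XHR/AJAX, but hidden from document.cookie
    return morsel.OutputString()


def parse_set_cookie(header_value):
    """Split a Set-Cookie header value into (name, value, {attr: val}).

    Flag attributes (Secure, HttpOnly) map to True. Attribute names are
    lower-cased because browsers treat them case-insensitively.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_session_cookie(header_value, name=SESSION_COOKIE_NAME):
    """Return a list of problems with a Set-Cookie header for the session cookie.

    An empty list means the cookie carries both attributes the bug asks for.
    """
    cookie_name, _, attrs = parse_set_cookie(header_value)
    if cookie_name != name:
        return [f"not the {name} cookie (got {cookie_name!r})"]
    problems = []
    if attrs.get("httponly") is not True:
        problems.append("missing HttpOnly: readable from script via document.cookie")
    if attrs.get("secure") is not True:
        problems.append("missing Secure: would be sent over plain HTTP")
    return problems


if __name__ == "__main__":
    header = build_session_cookie_header("abc123")
    print(header)
    print("problems:", audit_session_cookie(header))
    # A header without HttpOnly, as a browser before the fix would have seen it.
    print("problems:", audit_session_cookie("launchpad=abc123; Domain=.launchpad.net; Secure"))
```

The audit only checks the attributes the bug is about; as David Wagner's comment later in the thread points out, HttpOnly limits what script can read, not what script can do with the cookie-bearing session, so the check is a regression guard for this fix rather than a substitute for avoiding XSS.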

Revision history for this message
James Henstridge (jamesh) wrote :

It seems that the Python Cookie module (used by Zope for cookie handling) does not support custom attributes, such as HttpOnly.

Changed in python:
status: Unknown → Fix Committed
Stuart Bishop (stub)
Changed in launchpad-foundations:
status: New → Won't Fix
status: Won't Fix → New
status: New → Confirmed
Stuart Bishop (stub) wrote :

We might be better off fixing this in zope.session

Stuart Bishop (stub)
Changed in launchpad-foundations:
importance: Undecided → High
security vulnerability: no → yes
Stuart Bishop (stub) wrote :

Make Launchpad use this when it is running with Python 2.6

Guilherme Salgado (salgado) wrote :

I thought we relied on this to access the webservice API using javascript.

Stuart Bishop (stub) wrote : Re: [Bug 96878] Re: Launchpad session cookie should be hidden from Javascript

On Wed, Feb 17, 2010 at 5:54 PM, Guilherme Salgado <email address hidden> wrote:

> I thought we relied on this to access the webservice API using
> javascript.

I don't think so, but it certainly is something to test. As I understand it, the cookie will still be sent with all HTTP requests, including those initiated from JavaScript to launchpad.net. The JavaScript can't access the cookie itself though so cannot steal or do anything malicious with it.

--
Stuart Bishop <email address hidden>
http://www.stuartbishop.net/

Francis J. Lacoste (flacoste) wrote : Re: Launchpad session cookie should be hidden from Javascript

We rely on the session cookie being sent with the AJAX http requests. We don't need to access it through document.cookies. So this seems safe.

Gary Poster (gary)
Changed in launchpad-foundations:
milestone: none → 10.04
David Wagner (daw-bugzilla) wrote :

I wonder if you're aware that HttpOnly adds only very limited protections? If someone can run malicious script on your domain, then in most cases they can do just as much harm with HttpOnly cookies as without; it just requires a more complex attack. So this may "raise the bar" slightly, but doesn't add a lot of security; you're primarily relying upon avoiding XSS bugs in the first place.

Analysis and detailed justification:
http://www.gnucitizen.org/blog/why-httponly-wont-protect-you/

Robert Collins (lifeless) wrote :

@David this is a defense in depth approach, not a blanket win (obviously).

Robert Collins (lifeless) wrote :

We're on 2.6 now, so this can be done.

Gary Poster (gary)
tags: added: bugjam2010
Curtis Hovey (sinzui)
Changed in launchpad:
status: Confirmed → Triaged
summary: - Launchpad session cookie should be hidden from Javascript
+ Launchpad session cookie is accessible from Javascript
Curtis Hovey (sinzui)
Changed in launchpad:
assignee: nobody → William Grant (wgrant)
status: Triaged → In Progress
Launchpad QA Bot (lpqabot) wrote :
Changed in launchpad:
milestone: 10.04 → none
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
William Grant (wgrant)
tags: added: qa-ok
removed: qa-needstesting
William Grant (wgrant)
Changed in launchpad:
status: Fix Committed → Fix Released