Date | Who | What changed | Old value | New value | Message
2012-10-22 13:45:27 | Chris Coulson | bug | | | added bug
2012-10-22 13:48:26 | Chris Coulson | bug task added | | unity-firefox-extension |
2012-10-22 13:53:58 | Marc Deslauriers | cve linked | | 2012-0958 |
2012-10-22 13:58:04 | Marc Deslauriers | unity-firefox-extension (Ubuntu): assignee | | Ken VanDine (ken-vandine) |
2012-10-23 05:35:12 | Launchpad Janitor | branch linked | | lp:~zaspire/unity-firefox-extension/merge-Unity.toDataURL-Unity.init |
2012-10-23 05:37:09 | Maxim Ermilov | unity-firefox-extension: assignee | | Maxim Ermilov (zaspire) |
2012-10-24 12:53:37 | Launchpad Janitor | branch linked | | lp:unity-firefox-extension |
2012-10-24 13:05:26 | Maxim Ermilov | unity-firefox-extension: status | New | Fix Committed |
2012-11-06 18:27:27 | Marc Deslauriers | information type | Private Security | Public Security |
2012-11-13 20:34:08 | Alexandre Abreu | bug task added | | unity-chromium-extension |
2012-11-13 21:04:07 | Alexandre Abreu | branch linked | | lp:~abreu-alexandre/unity-chromium-extension/fix-1069817 |
2012-11-13 21:14:37 | Alexandre Abreu | unity-chromium-extension: status | New | Fix Committed |
2012-11-13 21:14:43 | Alexandre Abreu | unity-chromium-extension: assignee | | Alexandre Abreu (abreu-alexandre) |
2012-11-14 20:53:00 | Alexandre Abreu | description | (old and new value follow below) |
Old value:
This addon exposes a toDataURL() function to the web which allows content to convert an image (specified by a URL) to a data URI. It seems to work by drawing the image to a canvas and using the canvas.toDataURL() mechanism. However, this function seems to bypass all same-origin checks and returns valid data even if the image URL doesn't have the same origin as the document URL.
canvas.toDataURL() will throw a SecurityError exception if the canvas is not origin-clean. A canvas is not origin-clean if you call ctx.drawImage() with a URL which does not have the same origin as the document that the canvas is in. However, the canvas used for the conversion is created in chrome context, so it has full privileges and the usual security mechanisms are bypassed completely.
This can be reproduced with the following test case (I loaded this at http://localhost/test.html):
  <html>
  <head></head>
  <body>
    <p id="foo"/>
    <script type="text/javascript">
      // Privileged add-on API: converts a cross-origin image with no origin check.
      window.external
        .getUnityObject(1)
        .toDataURL("http://www.ubuntu.com/sites/default/themes/ubuntu10/images/footer_logo.png",
          function(a, b) {
            document.getElementById("foo").innerHTML = b;
          });
    </script>
  </body>
  </html>
In this example, you will see that toDataURL() throws as expected and an alert appears ("The operation is insecure"):
  <html>
  <head></head>
  <body>
    <p id="foo"/>
    <script type="text/javascript">
      // Page-level canvas: drawing a cross-origin image taints it, so toDataURL() throws.
      var img = new Image();
      var canvas = document.createElement('canvas');
      var ctx = canvas.getContext('2d');
      img.onload = function() {
        try {
          ctx.drawImage(img, 0, 0);
          document.getElementById("foo").innerHTML = canvas.toDataURL();
        } catch(e) { alert(e); }
      };
      img.src = "http://www.ubuntu.com/sites/default/themes/ubuntu10/images/footer_logo.png";
    </script>
  </body>
  </html> |
New value:
This addon exposes a toDataURL() function to the web which allows content to convert an image (specified by a URL) to a data URI. It seems to work by drawing the image to a canvas and using the canvas.toDataURL() mechanism. However, this function seems to bypass all same-origin checks and returns valid data even if the image URL doesn't have the same origin as the document URL.
canvas.toDataURL() will throw a SecurityError exception if the canvas is not origin-clean. A canvas is not origin-clean if you call ctx.drawImage() with a URL which does not have the same origin as the document that the canvas is in. However, the canvas used for the conversion is created in chrome context, so it has full privileges and the usual security mechanisms are bypassed completely.
[Test Case]
This can be reproduced with the following test case (I loaded this at http://localhost/test.html):
  <html>
  <head></head>
  <body>
    <p id="foo"/>
    <script type="text/javascript">
      // Privileged add-on API: converts a cross-origin image with no origin check.
      window.external
        .getUnityObject(1)
        .toDataURL("http://www.ubuntu.com/sites/default/themes/ubuntu10/images/footer_logo.png",
          function(a, b) {
            document.getElementById("foo").innerHTML = b;
          });
    </script>
  </body>
  </html>
In this example, you will see that toDataURL() throws as expected and an alert appears ("The operation is insecure"):
  <html>
  <head></head>
  <body>
    <p id="foo"/>
    <script type="text/javascript">
      // Page-level canvas: drawing a cross-origin image taints it, so toDataURL() throws.
      var img = new Image();
      var canvas = document.createElement('canvas');
      var ctx = canvas.getContext('2d');
      img.onload = function() {
        try {
          ctx.drawImage(img, 0, 0);
          document.getElementById("foo").innerHTML = canvas.toDataURL();
        } catch(e) { alert(e); }
      };
      img.src = "http://www.ubuntu.com/sites/default/themes/ubuntu10/images/footer_logo.png";
    </script>
  </body>
  </html>
[Regression Risks]
The fix consists mostly in removing code from the exposed API (toDataURL). |
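The description above rests on the origin-clean rule: a page canvas that has drawn a cross-origin image refuses toDataURL(), while the add-on's chrome-context canvas did not. The fix recorded here removed the API, but the following JavaScript is an added example (not code from the bug report, the unity-firefox-extension or the unity-chromium-extension project) of the same-origin comparison any privileged image-to-data-URI helper would have to make before drawing, using only the WHATWG URL API. The function names originOf, sameOriginImage, assertOriginClean and classify are assumptions, and the image URLs other than the report's own ubuntu.com logo are constructed samples.

```javascript
// Added example, not code from the Launchpad bug or the Unity web-app
// extensions. It reproduces, outside the browser, the origin-clean rule that
// canvas.toDataURL() enforces: pixel data may only be read back when the
// image shares the document's origin. A helper drawing in chrome context
// skips that rule (the bug above), so the helper itself must make the check.
// Function names are assumptions; sample URLs are constructed.

// Serialised origin of a URL, resolved against the document URL when the
// image URL is relative. Unparsable input yields null rather than a guess.
function originOf(url, base) {
  try {
    return new URL(url, base).origin;
  } catch (e) {
    return null;
  }
}

// True only when image and document share scheme, host and port. Opaque
// origins serialise as the string "null" (data:, blob:, file: in some
// engines) and never match anything, not even themselves.
function sameOriginImage(imageUrl, documentUrl) {
  const docOrigin = originOf(documentUrl);
  const imgOrigin = originOf(imageUrl, documentUrl);
  if (docOrigin === null || imgOrigin === null) return false;
  if (docOrigin === "null" || imgOrigin === "null") return false;
  return docOrigin === imgOrigin;
}

// Mirrors what a page canvas does: refuse with a SecurityError instead of
// handing cross-origin pixel data back to the caller.
function assertOriginClean(imageUrl, documentUrl) {
  if (!sameOriginImage(imageUrl, documentUrl)) {
    const err = new Error("The operation is insecure");
    err.name = "SecurityError";
    throw err;
  }
  return true;
}

// Constructed sample: the document URL from the bug report plus image URLs
// covering the cases the check must distinguish.
const DOCUMENT_URL = "http://localhost/test.html";
const SAMPLE_IMAGES = [
  "http://localhost/logo.png",          // same origin
  "/images/logo.png",                   // relative: resolves to same origin
  "http://localhost:80/logo.png",       // explicit default port: same origin
  "http://www.ubuntu.com/sites/default/themes/ubuntu10/images/footer_logo.png", // the report's cross-origin case
  "https://localhost/logo.png",         // scheme differs
  "http://localhost:8080/logo.png",     // port differs
  "data:image/png;base64,iVBORw0KGgo=", // opaque origin
];

// Classify each image URL as the helper would see it.
function classify(images, documentUrl) {
  return images.map((url) => ({ url, allowed: sameOriginImage(url, documentUrl) }));
}

for (const row of classify(SAMPLE_IMAGES, DOCUMENT_URL)) {
  console.log(row.allowed ? "allow " : "refuse", row.url);
}
```

The comparison is done on the serialised origin rather than on host strings so that default ports, relative URLs and opaque origins are handled the way the browser's own canvas taint check handles them; a privileged helper that compared only hostnames would still accept a scheme or port mismatch.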
2012-11-15 16:26:28 | Ken VanDine | nominated for series | | Ubuntu Quantal |
2012-11-15 16:26:28 | Ken VanDine | bug task added | | unity-firefox-extension (Ubuntu Quantal) |
2012-11-15 16:26:49 | Ken VanDine | bug task added | | unity-chromium-extension (Ubuntu) |
2012-11-15 16:28:53 | Ken VanDine | unity-chromium-extension: status | Fix Committed | Fix Released |
2012-11-15 18:00:31 | Launchpad Janitor | unity-chromium-extension (Ubuntu): status | New | Fix Released |
2012-11-15 20:44:37 | Ken VanDine | bug | | | added subscriber Ubuntu Stable Release Updates Team
2012-11-30 11:13:02 | Maxim Ermilov | unity-firefox-extension: status | Fix Committed | Fix Released |
2012-12-05 01:16:34 | Chris Halse Rogers | unity-chromium-extension (Ubuntu Quantal): status | New | Fix Committed |
2012-12-05 01:16:39 | Chris Halse Rogers | bug | | | added subscriber SRU Verification
2012-12-05 01:16:47 | Chris Halse Rogers | tags | | verification-needed |
2012-12-13 11:50:48 | Didier Roche-Tolomelli | unity-firefox-extension (Ubuntu): status | New | Fix Committed |
2012-12-13 11:56:43 | Didier Roche-Tolomelli | unity-firefox-extension (Ubuntu): status | Fix Committed | Fix Released |
2012-12-13 11:57:35 | Didier Roche-Tolomelli | bug task added | | webapps-applications (Ubuntu) |
2012-12-13 13:41:41 | Didier Roche-Tolomelli | bug task deleted | webapps-applications (Ubuntu Quantal) | |
2012-12-13 13:45:17 | Didier Roche-Tolomelli | bug task added | | unity-webapps-amazoncloudreader (Ubuntu) |
2012-12-13 13:46:38 | Didier Roche-Tolomelli | bug task added | | unity-webapps-facebookapps (Ubuntu) |
2012-12-13 13:48:23 | Didier Roche-Tolomelli | bug task added | | unity-webapps-librefm (Ubuntu) |
2012-12-13 13:50:18 | Didier Roche-Tolomelli | bug task added | | unity-webapps-pandora-com (Ubuntu) |
2012-12-13 14:12:09 | Launchpad Janitor | unity-webapps-amazoncloudreader (Ubuntu): status | New | Fix Released |
2012-12-13 14:12:13 | Launchpad Janitor | unity-webapps-facebookapps (Ubuntu): status | New | Fix Released |
2012-12-13 14:12:16 | Launchpad Janitor | unity-webapps-librefm (Ubuntu): status | New | Fix Released |
2012-12-13 14:12:20 | Launchpad Janitor | unity-webapps-pandora-com (Ubuntu): status | New | Fix Released |
2012-12-13 14:12:23 | Launchpad Janitor | unity-firefox-extension (Ubuntu Quantal): status | New | Fix Released |
2012-12-13 14:55:22 | Launchpad Janitor | webapps-applications (Ubuntu): status | New | Fix Released |
2013-01-28 21:57:15 | Launchpad Janitor | branch linked | | lp:~ken-vandine/unity-firefox-extension/unwind |
2013-07-02 17:01:42 | Launchpad Janitor | unity-chromium-extension (Ubuntu Quantal): status | Fix Committed | Fix Released |