diff options
| author | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-03-01 14:10:57 +0100 |
|---|---|---|
| committer | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-03-01 14:12:02 +0100 |
| commit | e64dae886b83c63931c2f608c756885c689aeb56 (patch) | |
| tree | dd2502a462e73fdc4941dce6925ea31f96ab8fef | |
| parent | f89a809df5e50fc4f7a58fcaac55861aa33a8e31 (diff) | |
| parent | c1ece93c2be6fb571a013f9735dc629d7279f389 (diff) | |
| download | UXP-e64dae886b83c63931c2f608c756885c689aeb56.tar UXP-e64dae886b83c63931c2f608c756885c689aeb56.tar.gz UXP-e64dae886b83c63931c2f608c756885c689aeb56.tar.lz UXP-e64dae886b83c63931c2f608c756885c689aeb56.tar.xz UXP-e64dae886b83c63931c2f608c756885c689aeb56.zip | |
Improve the http basic auth DOS protection heuristics.
-> Merge branch 'authprompt-work'
| -rw-r--r-- | application/basilisk/app/profile/basilisk.js | 8 | ||||
| -rw-r--r-- | application/basilisk/base/content/browser.js | 5 | ||||
| -rw-r--r-- | application/basilisk/base/content/browser.xul | 3 | ||||
| -rw-r--r-- | application/basilisk/base/content/tabbrowser.xml | 11 | ||||
| -rw-r--r-- | application/basilisk/base/content/urlbarBindings.xml | 3 | ||||
| -rw-r--r-- | application/palemoon/app/profile/palemoon.js | 8 | ||||
| -rw-r--r-- | application/palemoon/base/content/browser.js | 5 | ||||
| -rw-r--r-- | application/palemoon/base/content/browser.xul | 3 | ||||
| -rw-r--r-- | application/palemoon/base/content/tabbrowser.xml | 11 | ||||
| -rw-r--r-- | application/palemoon/base/content/urlbarBindings.xml | 4 | ||||
| -rw-r--r-- | modules/libpref/init/all.js | 11 | ||||
| -rw-r--r-- | toolkit/components/passwordmgr/nsLoginManagerPrompter.js | 72 | ||||
| -rw-r--r-- | toolkit/content/widgets/browser.xml | 4 |
13 files changed, 112 insertions, 36 deletions
diff --git a/application/basilisk/app/profile/basilisk.js b/application/basilisk/app/profile/basilisk.js index 79d767851..24f1c582c 100644 --- a/application/basilisk/app/profile/basilisk.js +++ b/application/basilisk/app/profile/basilisk.js @@ -1438,3 +1438,11 @@ pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // controlling validation are located in /services/sync/services-sync.js pref("services.sync.validation.enabled", true); #endif + +// When a user cancels this number of authentication dialogs coming from +// a single web page (eTLD+1) in a row, all following authentication dialogs +// will be blocked (automatically canceled) for that page. +// This counter is per-tab and per-domain to minimize false positives. +// The counter resets when the page is reloaded from the UI +// (content-reloads do NOT clear this to mitigate reloading tricks). +pref("prompts.authentication_dialog_abuse_limit", 3); diff --git a/application/basilisk/base/content/browser.js b/application/basilisk/base/content/browser.js index 9fb997a42..336670fa0 100644 --- a/application/basilisk/base/content/browser.js +++ b/application/basilisk/base/content/browser.js @@ -3094,6 +3094,11 @@ function getWebNavigation() } function BrowserReloadWithFlags(reloadFlags) { + + // Reset DOS mitigation for auth prompts when user initiates a reload. + let browser = gBrowser.selectedBrowser; + delete browser.authPromptCounter; + let url = gBrowser.currentURI.spec; if (gBrowser.updateBrowserRemotenessByURL(gBrowser.selectedBrowser, url)) { // If the remoteness has changed, the new browser doesn't have any diff --git a/application/basilisk/base/content/browser.xul b/application/basilisk/base/content/browser.xul index 3208538c1..be64f1bac 100644 --- a/application/basilisk/base/content/browser.xul +++ b/application/basilisk/base/content/browser.xul @@ -997,7 +997,8 @@ contentcontextmenu="contentAreaContextMenu" autocompletepopup="PopupAutoComplete" selectmenulist="ContentSelectDropdown" - datetimepicker="DateTimePickerPanel"/> + datetimepicker="DateTimePickerPanel" + authdosprotected="true" /> </vbox> <vbox id="browser-border-end" hidden="true" layer="true"/> </hbox> diff --git a/application/basilisk/base/content/tabbrowser.xml b/application/basilisk/base/content/tabbrowser.xml index 043838020..52c51db69 100644 --- a/application/basilisk/base/content/tabbrowser.xml +++ b/application/basilisk/base/content/tabbrowser.xml @@ -25,7 +25,7 @@ <xul:vbox flex="1" class="browserContainer"> <xul:stack flex="1" class="browserStack" anonid="browserStack"> <xul:browser anonid="initialBrowser" type="content-primary" message="true" messagemanagergroup="browsers" - xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,selectmenulist,datetimepicker"/> + xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,selectmenulist,datetimepicker,authdosprotected"/> </xul:stack> </xul:vbox> </xul:hbox> @@ -1936,6 +1936,10 @@ if (this.hasAttribute("datetimepicker")) { b.setAttribute("datetimepicker", this.getAttribute("datetimepicker")); } + + if (this.hasAttribute("authdosprotected")) { + b.setAttribute("authdosprotected", this.getAttribute("authdosprotected")); + } b.setAttribute("autoscrollpopup", this._autoScrollPopup.id); @@ -2991,7 +2995,10 @@ <parameter name="aTab"/> <body> <![CDATA[ - this.getBrowserForTab(aTab).reload(); + let browser = this.getBrowserForTab(aTab); + // Reset DOS mitigation for basic auth prompt + delete browser.authPromptCounter; + browser.reload(); ]]> </body> </method> diff --git a/application/basilisk/base/content/urlbarBindings.xml b/application/basilisk/base/content/urlbarBindings.xml index ad11f7fdf..b9c17818a 100644 --- a/application/basilisk/base/content/urlbarBindings.xml +++ b/application/basilisk/base/content/urlbarBindings.xml @@ -540,6 +540,9 @@ file, You can obtain one at http://mozilla.org/MPL/2.0/. Cu.reportError(ex); } + // Reset DOS mitigations for the basic auth prompt. + delete browser.authPromptCounter; + let params = { postData, allowThirdPartyFixup: true, diff --git a/application/palemoon/app/profile/palemoon.js b/application/palemoon/app/profile/palemoon.js index 43f020f9a..3df5d7194 100644 --- a/application/palemoon/app/profile/palemoon.js +++ b/application/palemoon/app/profile/palemoon.js @@ -1160,6 +1160,14 @@ pref("toolkit.pageThumbs.minHeight", 180); pref("ui.key.menuAccessKeyFocuses", true); #endif +// When a user cancels this number of authentication dialogs coming from +// a single web page (eTLD+1) in a row, all following authentication dialogs +// will be blocked (automatically canceled) for that page. +// This counter is per-tab and per-domain to minimize false positives. +// The counter resets when the page is reloaded from the UI +// (content-reloads do NOT clear this to mitigate reloading tricks). +pref("prompts.authentication_dialog_abuse_limit", 3); + // ****************** s4e prefs ****************** pref("status4evar.addonbar.borderStyle", false); pref("status4evar.addonbar.closeButton", false); diff --git a/application/palemoon/base/content/browser.js b/application/palemoon/base/content/browser.js index 3feeef9b6..4e753d422 100644 --- a/application/palemoon/base/content/browser.js +++ b/application/palemoon/base/content/browser.js @@ -2661,6 +2661,11 @@ function getWebNavigation() } function BrowserReloadWithFlags(reloadFlags) { + + // Reset DOS mitigation for auth prompts when user initiates a reload. + let browser = gBrowser.selectedBrowser; + delete browser.authPromptCounter; + /* First, we'll try to use the session history object to reload so * that framesets are handled properly. If we're in a special * window (such as view-source) that has no session history, fall diff --git a/application/palemoon/base/content/browser.xul b/application/palemoon/base/content/browser.xul index ce2a7c5a8..ddc305a7b 100644 --- a/application/palemoon/base/content/browser.xul +++ b/application/palemoon/base/content/browser.xul @@ -965,7 +965,8 @@ tabcontainer="tabbrowser-tabs" contentcontextmenu="contentAreaContextMenu" autocompletepopup="PopupAutoComplete" - datetimepicker="DateTimePickerPanel"/> + datetimepicker="DateTimePickerPanel" + authdosprotected="true"/> <chatbar id="pinnedchats" layer="true" mousethrough="always" hidden="true"/> <statuspanel id="statusbar-display" inactive="true"/> </vbox> diff --git a/application/palemoon/base/content/tabbrowser.xml b/application/palemoon/base/content/tabbrowser.xml index 988cae55c..cbe029af0 100644 --- a/application/palemoon/base/content/tabbrowser.xml +++ b/application/palemoon/base/content/tabbrowser.xml @@ -30,7 +30,7 @@ <xul:vbox flex="1" class="browserContainer"> <xul:stack flex="1" class="browserStack" anonid="browserStack"> <xul:browser anonid="initialBrowser" type="content-primary" message="true" disablehistory="true" - xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,datetimepicker"/> + xbl:inherits="tooltip=contenttooltip,contextmenu=contentcontextmenu,autocompletepopup,datetimepicker,authdosprotected"/> </xul:stack> </xul:vbox> </xul:hbox> @@ -1588,6 +1588,10 @@ if (this.hasAttribute("datetimepicker")) { b.setAttribute("datetimepicker", this.getAttribute("datetimepicker")); } + + if (this.hasAttribute("authdosprotected")) { + b.setAttribute("authdosprotected", this.getAttribute("authdosprotected")); + } // Create the browserStack container var stack = document.createElementNS(NS_XUL, "stack"); @@ -2458,7 +2462,10 @@ <parameter name="aTab"/> <body> <![CDATA[ - this.getBrowserForTab(aTab).reload(); + let browser = this.getBrowserForTab(aTab); + // Reset DOS mitigation for basic auth prompt + delete browser.authPromptCounter; + browser.reload(); ]]> </body> </method> diff --git a/application/palemoon/base/content/urlbarBindings.xml b/application/palemoon/base/content/urlbarBindings.xml index d188e6658..d2d9cc720 100644 --- a/application/palemoon/base/content/urlbarBindings.xml +++ b/application/palemoon/base/content/urlbarBindings.xml @@ -302,6 +302,10 @@ // but don't let that interfere with the loading of the url. Cu.reportError(ex); } + + // Reset DOS mitigations for the basic auth prompt. + let browser = gBrowser.selectedBrowser; + delete browser.authPromptCounter; function loadCurrent() { let flags = Ci.nsIWebNavigation.LOAD_FLAGS_ALLOW_THIRD_PARTY_FIXUP; diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js index f6e90170e..3666ca425 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js @@ -5451,8 +5451,9 @@ pref("dom.storageManager.enabled", true); pref("dom.storageManager.enabled", false); #endif -// When a user cancels this number of authentication dialogs coming from -// a single web page in a row, all following authentication dialogs will -// be blocked (automatically canceled) for that page. The counter resets -// when the page is reloaded. To turn this feature off, just set the limit to 0. -pref("prompts.authentication_dialog_abuse_limit", 3); +// DoS protection for HTTP Auth prompt spawning. +// -1 = completely disable HTTP Auth prompting. (careful!) +// 0 = disable this DoS protection +// >0 = suppress further prompts after the user has canceled the dialog n times +// See application preferences for appropriate defaults. +pref("prompts.authentication_dialog_abuse_limit", 0); diff --git a/toolkit/components/passwordmgr/nsLoginManagerPrompter.js b/toolkit/components/passwordmgr/nsLoginManagerPrompter.js index 720e80446..c4be39e31 100644 --- a/toolkit/components/passwordmgr/nsLoginManagerPrompter.js +++ b/toolkit/components/passwordmgr/nsLoginManagerPrompter.js @@ -97,17 +97,25 @@ LoginManagerPromptFactory.prototype = { return; } - // Allow only a limited number of authentication dialogs when they are all - // canceled by the user. - var cancelationCounter = (prompter._browser && prompter._browser.canceledAuthenticationPromptCounter) || { count: 0, id: 0 }; - if (prompt.channel) { - var httpChannel = prompt.channel.QueryInterface(Ci.nsIHttpChannel); - if (httpChannel) { - var windowId = httpChannel.topLevelContentWindowId; - if (windowId != cancelationCounter.id) { - // window has been reloaded or navigated, reset the counter - cancelationCounter = { count: 0, id: windowId }; - } + // Set up a counter for ensuring that the basic auth prompt can not + // be abused for DOS-style attacks. With this counter, each eTLD+1 + // per browser will get a limited number of times a user can + // cancel the prompt until we stop showing it. + let browser = prompter._browser; + let baseDomain = null; + if (browser && browser.isAuthDOSProtected) { + try { + baseDomain = Services.eTLD.getBaseDomainFromHost(hostname); + } catch (e) { + baseDomain = hostname; + } + + if (!browser.authPromptCounter) { + browser.authPromptCounter = {}; + } + + if (!browser.authPromptCounter[baseDomain]) { + browser.authPromptCounter[baseDomain] = 0; } } @@ -137,13 +145,14 @@ LoginManagerPromptFactory.prototype = { prompt.inProgress = false; self._asyncPromptInProgress = false; - if (ok) { - cancelationCounter.count = 0; - } else { - cancelationCounter.count++; - } - if (prompter._browser) { - prompter._browser.canceledAuthenticationPromptCounter = cancelationCounter; + if (browser && browser.isAuthDOSProtected) { + // Reset the counter state if the user replied to a prompt and actually + // tried to login (vs. simply clicking any button to get out). + if (ok && (prompt.authInfo.username || prompt.authInfo.password)) { + browser.authPromptCounter[baseDomain] = 0; + } else { + browser.authPromptCounter[baseDomain] += 1; + } } } @@ -168,14 +177,27 @@ LoginManagerPromptFactory.prototype = { var cancelDialogLimit = Services.prefs.getIntPref("prompts.authentication_dialog_abuse_limit"); - this.log("cancelationCounter =", cancelationCounter); - if (cancelDialogLimit && cancelationCounter.count >= cancelDialogLimit) { - this.log("Blocking auth dialog, due to exceeding dialog bloat limit"); - delete this._asyncPrompts[hashKey]; - - // just make the runnable cancel all consumers - runnable.cancel = true; + // Block the auth prompt if: + // - There is an attached browser element + // - The browser element has opted-in to DOS protection + // - The dialog cancellation limit is not 0 (= feature disabled) + // - The amount of cancellations >= the set abuse limit + if (browser && browser.isAuthDOSProtected) { + let cancelationCounter = browser.authPromptCounter[baseDomain]; + this.log("cancelationCounter =", cancelationCounter); + + if (cancelDialogLimit && cancelationCounter >= cancelDialogLimit) { + this.log("Blocking auth dialog, due to exceeding dialog bloat limit"); + delete this._asyncPrompts[hashKey]; + + // just make the runnable cancel all consumers + runnable.cancel = true; + } else { + this._asyncPromptInProgress = true; + prompt.inProgress = true; + } } else { + // No DOS protection: prompt this._asyncPromptInProgress = true; prompt.inProgress = true; } diff --git a/toolkit/content/widgets/browser.xml b/toolkit/content/widgets/browser.xml index a30ff1c43..5a0a99bf8 100644 --- a/toolkit/content/widgets/browser.xml +++ b/toolkit/content/widgets/browser.xml @@ -899,6 +899,10 @@ <field name="mIconURL">null</field> + <property name="isAuthDOSProtected" + onget="return (this.getAttribute('authdosprotected') == 'true');" + readonly="true"/> + <!-- This is managed by the tabbrowser --> <field name="lastURI">null</field> |