Bug 461204 - Improve the random number generator for the boundaries in multipart/form-data r=smaug

Using a weak RNG for the form boundary allows a website operator to perform several
attacks on users (as outlined in https://trac.torproject.org/projects/tor/ticket/22919)

These include:
 - Identifying Windows users based on the unseeded RNG
 - Identifying the number of form submissions that have occurred cross-origin between same-origin submissions

Additionally, a predictable boundary makes it possible to forge a boundary in the middle
of a file upload.

Differential Revision: https://phabricator.services.mozilla.com/D56056

--HG--
extra : moz-landing-system : lando
Alex Catarineu 2020-01-13 20:41:14 +00:00
parent 69b270f2c6
commit bc96439261
3 changed files with 18 additions and 3 deletions


@ -32,6 +32,7 @@
#include "mozilla/dom/Directory.h"
#include "mozilla/dom/File.h"
#include "mozilla/StaticPrefs_dom.h"
#include "mozilla/RandomNum.h"
namespace mozilla {
namespace dom {
@ -355,9 +356,9 @@ FSMultipartFormData::FSMultipartFormData(nsIURI* aActionURL,
mTotalLength = 0;
mBoundary.AssignLiteral("---------------------------");
mBoundary.AppendInt(rand());
mBoundary.AppendInt(rand());
mBoundary.AppendInt(rand());
mBoundary.AppendInt(static_cast<uint32_t>(mozilla::RandomUint64OrDie()));
mBoundary.AppendInt(static_cast<uint32_t>(mozilla::RandomUint64OrDie()));
mBoundary.AppendInt(static_cast<uint32_t>(mozilla::RandomUint64OrDie()));
}
FSMultipartFormData::~FSMultipartFormData() {
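Review bot: The three `mBoundary.AppendInt(static_cast<uint32_t>(mozilla::RandomUint64OrDie()));` calls in the constructor carry no comment saying why a strong random source is required, so a later cleanup could swap a cheaper generator back in. I would add above them `// The boundary must be unpredictable: a guessable value lets uploaded file content forge a part delimiter and exposes shared RNG state to the receiving site (bug 461204).` Each cast keeps only the low 32 bits of a 64-bit draw, so the boundary carries 96 random bits; that looks sufficient, but the comment should say the truncation is deliberate. The constructor body starts outside the hunk.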


@ -150,4 +150,12 @@ MFBT_API Maybe<uint64_t> RandomUint64() {
#endif
}
MFBT_API uint64_t RandomUint64OrDie() {
Maybe<uint64_t> maybeRandomNum = RandomUint64();
MOZ_RELEASE_ASSERT(maybeRandomNum.isSome());
return maybeRandomNum.value();
}
} // namespace mozilla
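Review bot: `MOZ_RELEASE_ASSERT(maybeRandomNum.isSome());` in `RandomUint64OrDie` has no explanation string, so a crash report caused by an RNG failure gives no hint of what went wrong. I would write `MOZ_RELEASE_ASSERT(maybeRandomNum.isSome(), "RandomUint64() failed to produce a value");`. Crashing instead of falling back to a weaker source is the right behaviour for security-sensitive callers such as the form boundary, and a one-line comment stating that would keep the intent visible.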


@ -30,6 +30,12 @@ namespace mozilla {
*/
MFBT_API Maybe<uint64_t> RandomUint64();
/**
* Like RandomUint64, but always returns a uint64_t or crashes with an assert
* if the underlying RandomUint64 call failed.
*/
MFBT_API uint64_t RandomUint64OrDie();
} // namespace mozilla
#endif // mozilla_RandomNum_h_
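Review bot: The doc comment on `RandomUint64OrDie` says it "crashes with an assert", which leaves open whether the check survives in release builds; the implementation on this page uses a release assert, so the crash is unconditional. I would reword it to `* Like RandomUint64, but crashes the process (in all build types) if no random value could be obtained.` It would also help to add a sentence telling callers that can handle failure to use `RandomUint64` and check the `Maybe` instead.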