Bug 1866092 - Remove dead uses of HashURI and replace MD5 with SHA-256 r=win-reviewers,keeler,mhowell

Differential Revision: https://phabricator.services.mozilla.com/D194391

widget/nsILegacyJumpListItem.idl

@@ -74,22 +74,6 @@ interface nsILegacyJumpListLink : nsILegacyJumpListItem
    * Set or get the title for a link item.
    */
   attribute AString uriTitle;
-
-  /**
-   * Get a 'privacy safe' unique string hash of the uri's
-   * spec. Useful in tracking removed items using visible
-   * data stores such as prefs. Generates an MD5 hash of
-   * the URI spec using nsICryptoHash.
-   */
-  readonly attribute ACString uriHash;
-
-  /**
-   * Compare this item's hash to another uri.
-   *
-   * Generates a spec hash of the incoming uri and compares
-   * it to this item's uri spec hash.
-   */
-  boolean compareHash(in nsIURI uri);
 };
 
 /**

widget/tests/unit/test_taskbar_legacyjumplistitems.js

@@ -54,58 +54,6 @@ function test_separator() {
   Assert.ok(item.type == Ci.nsILegacyJumpListItem.JUMPLIST_ITEM_SEPARATOR);
 }
 
-function test_hashes() {
-  var link = Cc["@mozilla.org/windows-legacyjumplistlink;1"].createInstance(
-    Ci.nsILegacyJumpListLink
-  );
-  var uri1 = Cc["@mozilla.org/network/simple-uri-mutator;1"]
-    .createInstance(Ci.nsIURIMutator)
-    .setSpec("http://www.123.com/")
-    .finalize();
-  var uri2 = Cc["@mozilla.org/network/simple-uri-mutator;1"]
-    .createInstance(Ci.nsIURIMutator)
-    .setSpec("http://www.123.com/")
-    .finalize();
-
-  link.uri = uri1;
-
-  Assert.ok(link.compareHash(uri2));
-  uri2 = uri2.mutate().setSpec("http://www.456.com/").finalize();
-  Assert.ok(!link.compareHash(uri2));
-  uri2 = uri2.mutate().setSpec("http://www.123.com/").finalize();
-  Assert.ok(link.compareHash(uri2));
-  uri2 = uri2.mutate().setSpec("https://www.123.com/").finalize();
-  Assert.ok(!link.compareHash(uri2));
-  uri2 = uri2.mutate().setSpec("http://www.123.com/test/").finalize();
-  Assert.ok(!link.compareHash(uri2));
-  uri1 = uri1.mutate().setSpec("http://www.123.com/test/").finalize();
-  link.uri = uri1;
-  uri2 = uri2.mutate().setSpec("http://www.123.com/test/").finalize();
-  Assert.ok(link.compareHash(uri2));
-  uri1 = uri1.mutate().setSpec("https://www.123.com/test/").finalize();
-  link.uri = uri1;
-  uri2 = uri2.mutate().setSpec("https://www.123.com/test/").finalize();
-  Assert.ok(link.compareHash(uri2));
-  uri2 = uri2.mutate().setSpec("ftp://www.123.com/test/").finalize();
-  Assert.ok(!link.compareHash(uri2));
-  uri2 = uri2.mutate().setSpec("http://123.com/test/").finalize();
-  Assert.ok(!link.compareHash(uri2));
-  uri1 = uri1.mutate().setSpec("https://www.123.com/test/").finalize();
-  link.uri = uri1;
-  uri2 = uri2.mutate().setSpec("https://www.123.com/Test/").finalize();
-  Assert.ok(!link.compareHash(uri2));
-
-  uri1 = uri1.mutate().setSpec("http://www.123.com/").finalize();
-  link.uri = uri1;
-  Assert.equal(link.uriHash, "QGLmWuwuTozr3tOfXSf5mg==");
-  uri1 = uri1.mutate().setSpec("http://www.123.com/test/").finalize();
-  link.uri = uri1;
-  Assert.equal(link.uriHash, "AG87Ls+GmaUYSUJFETRr3Q==");
-  uri1 = uri1.mutate().setSpec("https://www.123.com/").finalize();
-  link.uri = uri1;
-  Assert.equal(link.uriHash, "iSx6UH1a9enVPzUA9JZ42g==");
-}
-
 function test_links() {
   // links:
   var link1 = Cc["@mozilla.org/windows-legacyjumplistlink;1"].createInstance(
@@ -272,7 +220,6 @@ function run_test() {
   }
   test_basics();
   test_separator();
-  test_hashes();
   test_links();
   test_shortcuts();
 

widget/windows/LegacyJumpListItem.cpp

@@ -105,34 +105,6 @@ NS_IMETHODIMP LegacyJumpListLink::GetUriTitle(nsAString& aUriTitle) {
   return NS_OK;
 }
 
-NS_IMETHODIMP LegacyJumpListLink::GetUriHash(nsACString& aUriHash) {
-  if (!mURI) return NS_ERROR_NOT_AVAILABLE;
-
-  return mozilla::widget::FaviconHelper::HashURI(mCryptoHash, mURI, aUriHash);
-}
-
-NS_IMETHODIMP LegacyJumpListLink::CompareHash(nsIURI* aUri, bool* aResult) {
-  nsresult rv;
-
-  if (!mURI) {
-    *aResult = !aUri;
-    return NS_OK;
-  }
-
-  NS_ENSURE_ARG_POINTER(aUri);
-
-  nsAutoCString hash1, hash2;
-
-  rv = mozilla::widget::FaviconHelper::HashURI(mCryptoHash, mURI, hash1);
-  NS_ENSURE_SUCCESS(rv, rv);
-  rv = mozilla::widget::FaviconHelper::HashURI(mCryptoHash, aUri, hash2);
-  NS_ENSURE_SUCCESS(rv, rv);
-
-  *aResult = hash1.Equals(hash2);
-
-  return NS_OK;
-}
-
 NS_IMETHODIMP LegacyJumpListLink::Equals(nsILegacyJumpListItem* aItem,
                                          bool* aResult) {
   NS_ENSURE_ARG_POINTER(aItem);

widget/windows/WinUtils.cpp

@@ -1045,25 +1045,32 @@ nsresult FaviconHelper::ObtainCachedIconFile(
   return rv;
 }
 
-nsresult FaviconHelper::HashURI(nsCOMPtr<nsICryptoHash>& aCryptoHash,
-                                nsIURI* aUri, nsACString& aUriHash) {
-  if (!aUri) return NS_ERROR_INVALID_ARG;
-
+// Hash a URI using a cryptographic hash function (currently SHA-256)
+// Output will be a base64-encoded string of the hash.
+static nsresult HashURI(nsIURI* aUri, nsACString& aUriHash) {
   nsAutoCString spec;
   nsresult rv = aUri->GetSpec(spec);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  if (!aCryptoHash) {
-    aCryptoHash = do_CreateInstance(NS_CRYPTO_HASH_CONTRACTID, &rv);
-    NS_ENSURE_SUCCESS(rv, rv);
-  }
+  nsCOMPtr<nsICryptoHash> cryptoHash =
+      do_CreateInstance(NS_CRYPTO_HASH_CONTRACTID, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
 
-  rv = aCryptoHash->Init(nsICryptoHash::MD5);
+  rv = cryptoHash->Init(nsICryptoHash::SHA256);
   NS_ENSURE_SUCCESS(rv, rv);
-  rv = aCryptoHash->Update(
-      reinterpret_cast<const uint8_t*>(spec.BeginReading()), spec.Length());
+
+  // Add some context to the hash to even further reduce the chances of
+  // collision. Note that we are hashing this string with its null-terminator.
+  const char kHashUriContext[] = "firefox-uri";
+  rv = cryptoHash->Update(reinterpret_cast<const uint8_t*>(kHashUriContext),
+                          sizeof(kHashUriContext));
   NS_ENSURE_SUCCESS(rv, rv);
-  rv = aCryptoHash->Finish(true, aUriHash);
+
+  rv = cryptoHash->Update(reinterpret_cast<const uint8_t*>(spec.BeginReading()),
+                          spec.Length());
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  rv = cryptoHash->Finish(true, aUriHash);
   NS_ENSURE_SUCCESS(rv, rv);
 
   return NS_OK;
@@ -1072,13 +1079,15 @@ nsresult FaviconHelper::HashURI(nsCOMPtr<nsICryptoHash>& aCryptoHash,
 // (static) Obtains the ICO file for the favicon at page aFaviconPageURI
 // If successful, the file path on disk is in the format:
 // <ProfLDS>\jumpListCache\<hash(aFaviconPageURI)>.ico
+//
+// We generate the name with a cryptographically secure hash function in order
+// to ensure that malicious websites can't intentionally craft URLs to collide
+// with legitimate websites.
 nsresult FaviconHelper::GetOutputIconPath(nsCOMPtr<nsIURI> aFaviconPageURI,
                                           nsCOMPtr<nsIFile>& aICOFile,
                                           bool aURLShortcut) {
-  // Hash the input URI and replace any / with _
   nsAutoCString inputURIHash;
-  nsCOMPtr<nsICryptoHash> cryptoHash;
-  nsresult rv = HashURI(cryptoHash, aFaviconPageURI, inputURIHash);
+  nsresult rv = HashURI(aFaviconPageURI, inputURIHash);
   NS_ENSURE_SUCCESS(rv, rv);
   char* cur = inputURIHash.BeginWriting();
   char* end = inputURIHash.EndWriting();

widget/windows/WinUtils.h

@@ -646,9 +646,6 @@ class FaviconHelper {
       RefPtr<LazyIdleThread>& aIOThread, bool aURLShortcut,
       already_AddRefed<nsIRunnable> aRunnable = nullptr);
 
-  static nsresult HashURI(nsCOMPtr<nsICryptoHash>& aCryptoHash, nsIURI* aUri,
-                          nsACString& aUriHash);
-
   static nsresult GetOutputIconPath(nsCOMPtr<nsIURI> aFaviconPageURI,
                                     nsCOMPtr<nsIFile>& aICOFile,
                                     bool aURLShortcut);