[HttpFoundation] Fix to prevent magic bytes injection in JSONP responses... (CVE-2014-4671) #11367

Merged
merged 1 commit into from Jul 15, 2014

Conversation

Projects
None yet
7 participants
@FineWolf
Q A
Bug fix? yes
New feature? no
BC breaks? no*
Deprecations? no
Tests pass? yes
Fixed tickets N/A
License MIT
Doc PR N/A
CVE Ticket CVE-2014-4671
See Also Rosetta Flash

* Unless you are parsing the response string manually, which you really shouldn't do anyway

THIS IS A SECURITY FIX AND SHOULD BE MERGED SHORTLY

This fix prevents attacks vectors where third-party browser plugins depends on ASCII magic bytes in order to execute a plugin. This is currently exploited with Flash using a carefully crafted JSONP response, allowing the execution of random SWF data from a domain with a vulnerable JSONP endpoint.

This security issue is mitigated by adding an empty comment right before the callback parameter. This does not affect the execution of the JSONP callback.

Andrew Moore
@FineWolf

This comment has been minimized.

Show comment
Hide comment
@stof

This comment has been minimized.

Show comment
Hide comment
@stof

stof Jul 10, 2014

Member

@FineWolf I suggest you read http://symfony.com/security for the way to report security issues for the next time. Sending a PR with the fix is a public disclosure

Member

stof commented Jul 10, 2014

@FineWolf I suggest you read http://symfony.com/security for the way to report security issues for the next time. Sending a PR with the fix is a public disclosure

@stof

This comment has been minimized.

Show comment
Hide comment
@stof

stof Jul 10, 2014

Member

however, 👍

Member

stof commented Jul 10, 2014

however, 👍

@FineWolf

This comment has been minimized.

Show comment
Hide comment
@FineWolf

FineWolf Jul 10, 2014

That issue (on a general basis) has already received public disclosure anyway thru various news organizations and blogs since July 8. Public disclosure of the issue with symfony at this point (even before the merge) is the best course of action so that people who are affected can manually merge (I am aware of the security mailing list). This isn't a symfony specific issue.

However this patch mitigates future attacks on the same vector.

That issue (on a general basis) has already received public disclosure anyway thru various news organizations and blogs since July 8. Public disclosure of the issue with symfony at this point (even before the merge) is the best course of action so that people who are affected can manually merge (I am aware of the security mailing list). This isn't a symfony specific issue.

However this patch mitigates future attacks on the same vector.

@Tobion

This comment has been minimized.

Show comment
Hide comment
@Tobion

Tobion Jul 10, 2014

Member

👍

Member

Tobion commented Jul 10, 2014

👍

@mvrhov

This comment has been minimized.

Show comment
Hide comment
@mvrhov

mvrhov Jul 11, 2014

IMO both lines should warrant a comment, that the comment at the beginning is this is due to CVE....

IMO both lines should warrant a comment, that the comment at the beginning is this is due to CVE....

@willdurand

This comment has been minimized.

Show comment
Hide comment
@willdurand

willdurand Jul 11, 2014

Contributor

A mitigation is to make endpoints return the HTTP header Content-Disposition: attachment; filename=f.txt, forcing a file download. This is enough for instructing Flash Player not to run the SWF starting from Adobe Flash 10.2.

[...]

Furthermore, to hinder this attack vector in Chrome and Opera you can also return the HTTP header X-Content-Type-Options: nosniff.

From: http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/.

I think setting such headers would be nice too.

Contributor

willdurand commented Jul 11, 2014

A mitigation is to make endpoints return the HTTP header Content-Disposition: attachment; filename=f.txt, forcing a file download. This is enough for instructing Flash Player not to run the SWF starting from Adobe Flash 10.2.

[...]

Furthermore, to hinder this attack vector in Chrome and Opera you can also return the HTTP header X-Content-Type-Options: nosniff.

From: http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/.

I think setting such headers would be nice too.

@willdurand willdurand referenced this pull request in FriendsOfSymfony/FOSRestBundle Jul 11, 2014

Merged

Mitigate CSRF bypassing Same Origin Policy attack #807

@stof

This comment has been minimized.

Show comment
Hide comment
@stof

stof Jul 11, 2014

Member

I think setting such headers would be nice too.

See https://github.com/nelmio/NelmioSecurityBundle#content-type-sniffing

Member

stof commented Jul 11, 2014

I think setting such headers would be nice too.

See https://github.com/nelmio/NelmioSecurityBundle#content-type-sniffing

@willdurand

This comment has been minimized.

Show comment
Hide comment
@willdurand

willdurand Jul 11, 2014

Contributor

@stof it is not part of the framework AFAIK..

Contributor

willdurand commented Jul 11, 2014

@stof it is not part of the framework AFAIK..

@stof

This comment has been minimized.

Show comment
Hide comment
@stof

stof Jul 11, 2014

Member

@willdurand adding a way to configure the CSP headers in FrameworkBundle has already been rejected in favor of using this bundle which implements things properly: #8515 (comment)

Member

stof commented Jul 11, 2014

@willdurand adding a way to configure the CSP headers in FrameworkBundle has already been rejected in favor of using this bundle which implements things properly: #8515 (comment)

@willdurand

This comment has been minimized.

Show comment
Hide comment
@willdurand

willdurand Jul 11, 2014

Contributor

@stof ok forgot about this issue.

Contributor

willdurand commented Jul 11, 2014

@stof ok forgot about this issue.

@fabpot

This comment has been minimized.

Show comment
Hide comment
@fabpot

fabpot Jul 15, 2014

Member

Not sure if we need a CVE for Symfony as it's not really a Symfony security issue per se. I'm going to merge this now as we will release a security issue for Symfony shortly anyway.

Member

fabpot commented Jul 15, 2014

Not sure if we need a CVE for Symfony as it's not really a Symfony security issue per se. I'm going to merge this now as we will release a security issue for Symfony shortly anyway.

@stof

This comment has been minimized.

Show comment
Hide comment
@stof

stof Jul 15, 2014

Member

@fabpot I think we can reference the original CVE saying we added the server-side mitigation for it.

Member

stof commented Jul 15, 2014

@fabpot I think we can reference the original CVE saying we added the server-side mitigation for it.

@fabpot

This comment has been minimized.

Show comment
Hide comment
@fabpot

fabpot Jul 15, 2014

Member

Thank you @FineWolf.

Member

fabpot commented Jul 15, 2014

Thank you @FineWolf.

@fabpot fabpot merged commit 6af3d05 into symfony:2.3 Jul 15, 2014

2 checks passed

continuous-integration/travis-ci The Travis CI build passed
Details
default Success: Travis, fabbot
Details

fabpot added a commit that referenced this pull request Jul 15, 2014

feature #11367 [HttpFoundation] Fix to prevent magic bytes injection …
…in JSONP responses... (CVE-2014-4671) (Andrew Moore)

This PR was merged into the 2.3 branch.

Discussion
----------

[HttpFoundation] Fix to prevent magic bytes injection in JSONP responses... (CVE-2014-4671)

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no*
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | N/A
| License       | MIT
| Doc PR        | N/A
| CVE Ticket   | [CVE-2014-4671](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4671)
| See Also | [Rosetta Flash](http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/)

\* Unless you are parsing the response string manually, which you really shouldn't do anyway

**THIS IS A SECURITY FIX AND SHOULD BE MERGED SHORTLY**

This fix prevents attacks vectors where third-party browser plugins depends on ASCII magic bytes in order to execute a plugin. This is currently exploited with Flash using a carefully crafted JSONP response, allowing the execution of random SWF data from a domain with a vulnerable JSONP endpoint.

This security issue is mitigated by adding an empty comment right before the callback parameter. This does not affect the execution of the JSONP callback.

Commits
-------

6af3d05 [HttpFoundation] Fix to prevent magic bytes injection in JSONP responses (Prevents CVE-2014-4671)
@FineWolf

This comment has been minimized.

Show comment
Hide comment
@FineWolf

FineWolf Jul 15, 2014

@fabpot You are welcome.

And no, I don't think we need a Symfony specific CVE. This is a server-side mitigation measure to a client-side security issue. This is also why I didn't go thru the mailing list (again, nothing wrong with Symfony per-se).

However, since we can mitigate it, I summited this patch. On peut jamais être trop prudent...

@fabpot You are welcome.

And no, I don't think we need a Symfony specific CVE. This is a server-side mitigation measure to a client-side security issue. This is also why I didn't go thru the mailing list (again, nothing wrong with Symfony per-se).

However, since we can mitigate it, I summited this patch. On peut jamais être trop prudent...

romainneutron added a commit that referenced this pull request Jul 25, 2014

bug #11436 fix signal handling in wait() on calls to stop() (xabbuh, …
…romainneutron)

This PR was merged into the 2.3 branch.

Discussion
----------

fix signal handling in wait() on calls to stop()

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #11286
| License       | MIT
| Doc PR        |

``wait()`` throws an exception when the process was terminated by a signal. This should not happen when the termination was requested by calling the ``stop()`` method (for example, inside a callback which is passed to ``wait()``).

Commits
-------

5939d34 [Process] Fix unit tests in sigchild environment
eb68662 [Process] fix signal handling in wait()
94ffc4f bug #11469  [BrowserKit] Fixed server HTTP_HOST port uri conversion (bcremer, fabpot)
103fd88 [BrowserKit] refactor code and fix unquoted regex
f401ab9 Fixed server HTTP_HOST port uri conversion
045cbc5 bug #11425 Fix issue described in #11421 (Ben, ben-rosio)
f5bfa9b bug #11423 Pass a Scope instance instead of a scope name when cloning a container in the GrahpvizDumper (jakzal)
3177be5 minor #11464 [Translator] Use quote to surround invalid locale (lyrixx)
c9742ef [Translator] Use quote to surround invalid locale
4dbe0e1 bug #11120 [2.3][Process] Reduce I/O load on Windows platform (romainneutron)
797d814 bug #11342 [2.3][Form] Check if IntlDateFormatter constructor returned a valid object before using it (romainneutron)
0b5348e minor #11441 [Translator] Optimize assertLocale regexp (Jérémy Derussé)
537c39b Optimize assertLocale regexp
4cf50e8 Bring code into standard
9f4313c [Process] Add test to verify fix for issue #11421
02eb765 [Process] Fixes issue #11421
6787669 [DependencyInjection] Pass a Scope instance instead of a scope name.
9572918 bug #11411 [Validator] Backported #11410 to 2.3: Object initializers are called only once per object (webmozart)
291cbf9 [Validator] Backported #11410 to 2.3: Object initializers are called only once per object
efab884 bug #11403 [Translator][FrameworkBundle] Added @ to the list of allowed chars in Translator (takeit)
3176f8b [Translator][FrameworkBundle] Added @ to the list of allowed chars in Translator
91e32f8 bug #11381 [2.3] [Process] Use correct test for empty string in UnixPipes (whs, romainneutron)
45df2f3 minor #11397 [2.3][Process] Fix unit tests on Windows platform (romainneutron)
cec0a45 [Process] Adjust PR #11264, make it Windows compatible and fix CS
d418935 [Process] Fix unit tests on Windows platform
ff0bb01 [Process] Reduce I/O load on Windows platform
ace5a29 bumped Symfony version to 2.3.19
75e07e6 updated VERSION for 2.3.18
4a12f4d update CONTRIBUTORS for 2.3.18
98b891d updated CHANGELOG for 2.3.18
06a80fb Validate locales sets intos translator
06fc97e feature #11367 [HttpFoundation] Fix to prevent magic bytes injection in JSONP responses... (CVE-2014-4671) (Andrew Moore)
3c54659 minor #11387 [2.3] [Validator] Fix UserPassword validator translation (redstar504)
73d50ed Fix UserPassword validator translation
93a970c bug #11386 Remove Spaceless Blocks from Twig Form Templates (chrisguitarguy)
8f9ed3e Remove Spaceless Blocks from Twig Form Templates
9e1ea4a [Process] Use correct test for empty string in UnixPipes
6af3d05 [HttpFoundation] Fix to prevent magic bytes injection in JSONP responses (Prevents CVE-2014-4671)
ebf967d [Form] Check if IntlDateFormatter constructor returned a valid object before using it
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment