corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 461204 - Improve the random number generator for the boundaries in multipart/form-data r=smaug

Browse Source 
Using a weak RNG for the form boundary allows a website operator to perform several
attacks on users (as outlined in https://trac.torproject.org/projects/tor/ticket/22919)

These include:
 - Identifying Windows users based on the unseeded RNG
 - Identify the number of form submissions that have occurred cross-origin between same-origin submissions

Additionally, a predictable boundary makes it possible to forge a boundary in the middle
of a file upload.

Differential Revision: https://phabricator.services.mozilla.com/D56056
This commit is contained in:
Alex Catarineu
2020-01-13 20:41:14 +00:00
parent 96679ffc28
commit a0d20a5fbd
3 changed files with 18 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
dom/html/HTMLFormSubmission.cpp
View File

@@ -32,6 +32,7 @@
#include "mozilla/dom/Directory.h"
#include "mozilla/dom/File.h"
#include "mozilla/StaticPrefs_dom.h"
#include "mozilla/RandomNum.h"
namespace mozilla {
namespace dom {
@@ -355,9 +356,9 @@ FSMultipartFormData::FSMultipartFormData(nsIURI* aActionURL,
mTotalLength = 0;
mBoundary.AssignLiteral("---------------------------");
mBoundary.AppendInt(rand());
mBoundary.AppendInt(rand());
mBoundary.AppendInt(rand());
mBoundary.AppendInt(static_cast<uint32_t>(mozilla::RandomUint64OrDie()));
mBoundary.AppendInt(static_cast<uint32_t>(mozilla::RandomUint64OrDie()));
mBoundary.AppendInt(static_cast<uint32_t>(mozilla::RandomUint64OrDie()));
}
FSMultipartFormData::~FSMultipartFormData() {