Commit 3b2165b8 authored by Alex Catarineu's avatar Alex Catarineu

Bug 461204 - Improve the random number generator for the boundaries in multipart/form-data r=smaug

Using a weak RNG for the form boundary allows a website operator to perform several
attacks on users (as outlined in https://trac.torproject.org/projects/tor/ticket/22919)

These include:
 - Identifying Windows users based on the unseeded RNG
 - Identifying the number of form submissions that have occurred cross-origin between same-origin submissions

Additionally, a predictable boundary makes it possible to forge a boundary in the middle
of a file upload.

Differential Revision: https://phabricator.services.mozilla.com/D56056

--HG--
extra : moz-landing-system : lando
parent 78e8d897
+4 −3
@@ -37,6 +37,7 @@
#include "mozilla/dom/Directory.h"
#include "mozilla/dom/File.h"
#include "mozilla/StaticPrefs.h"
#include "mozilla/RandomNum.h"

namespace mozilla {
namespace dom {
@@ -367,9 +368,9 @@ FSMultipartFormData::FSMultipartFormData(nsIURI* aActionURL,
  mTotalLength = 0;

  mBoundary.AssignLiteral("---------------------------");
  mBoundary.AppendInt(rand());
  mBoundary.AppendInt(rand());
  mBoundary.AppendInt(rand());
  mBoundary.AppendInt(static_cast<uint32_t>(mozilla::RandomUint64OrDie()));
  mBoundary.AppendInt(static_cast<uint32_t>(mozilla::RandomUint64OrDie()));
  mBoundary.AppendInt(static_cast<uint32_t>(mozilla::RandomUint64OrDie()));
}

FSMultipartFormData::~FSMultipartFormData() {
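Review bot: The three `static_cast<uint32_t>(mozilla::RandomUint64OrDie())` calls in the FSMultipartFormData constructor discard the upper half of every 64-bit draw and carry no comment saying why, so the intended strength of the boundary is not recorded next to the code. I would add a comment above them such as `// Boundary must be unguessable by the page: 3 x 32 bits from mozilla::RandomUint64; crash rather than fall back to rand().` The crash on failure comes from the MOZ_RELEASE_ASSERT in RandomUint64OrDie, so a failed random draw during form submission ends the process. That looks like a deliberate fail-closed choice, but it is worth stating at this call site. The constructor begins above the hunk.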
+8 −0
@@ -150,4 +150,12 @@ MFBT_API Maybe<uint64_t> RandomUint64() {
#endif
}

MFBT_API uint64_t RandomUint64OrDie() {
  Maybe<uint64_t> maybeRandomNum = RandomUint64();

  MOZ_RELEASE_ASSERT(maybeRandomNum.isSome());

  return maybeRandomNum.value();
}

}  // namespace mozilla
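Review bot: The `MOZ_RELEASE_ASSERT(maybeRandomNum.isSome());` in RandomUint64OrDie has no explanation string, so a crash report from this path shows only the asserted expression. Passing a reason, `MOZ_RELEASE_ASSERT(maybeRandomNum.isSome(), "RandomUint64 failed; refusing to continue without randomness");`, makes the fail-closed intent visible during crash triage. It also tells a later reader that aborting here is intentional and should not be replaced with a weaker fallback.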
+6 −0
@@ -30,6 +30,12 @@ namespace mozilla {
 */
MFBT_API Maybe<uint64_t> RandomUint64();

/**
 *  Like RandomUint64, but always returns a uint64_t or crashes with an assert
 *  if the underlying RandomUint64 call failed.
 */
MFBT_API uint64_t RandomUint64OrDie();

}  // namespace mozilla

#endif  // mozilla_RandomNum_h_
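Review bot: The doc comment on `RandomUint64OrDie` says it "crashes with an assert", which can be read as debug-only, while the implementation in this commit uses MOZ_RELEASE_ASSERT and so aborts in release builds as well. I would make that explicit and say when the function is appropriate, for example `Like RandomUint64, but release-asserts (crashes in all build types) if no random number could be obtained. Use only where continuing without randomness would be unsafe.` Callers that can tolerate failure should keep using the `Maybe<uint64_t>` variant declared just above.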