Opened on 05/29/2018 at 02:08:10 PM
Closed on 05/29/2018 at 02:39:25 PM
Last modified on 06/14/2018 at 01:24:21 PM
#6704 closed change (fixed)
Ignore $rewrite filters for requests loading code to be executed
Reported by: | sebastian | Assignee: | sebastian |
---|---|---|---|
Priority: | P1 | Milestone: | Adblock-Plus-3.2-for-Chrome-Opera-Firefox |
Module: | Core | Keywords: | |
Cc: | mjethani, hfiguiere | Blocked By: | |
Blocking: | Platform: | Unknown / Cross platform | |
Ready: | yes | Confidential: | no |
Tester: | Ross | Verified working: | yes |
Review URL(s): |
Description (last modified by sebastian)
Background
With #6592 and #6622 we introduced the $rewrite filter option which allows requests to be redirected to another URL (of the same origin). However, we noticed some security issues, where for example a script hosted on a CDN could be replaced with another script from the same CDN, so that a malicious filter could cause arbitary code to be executed under some circumstances. Therefore we want to limit the request types that $rewrite filters might be applied to.
What to change
Unset the request types SCRIPT, SUBDOCUMENT, OBJECT and OBJECT_SUBREQUEST for filters that have an $rewrite option, so that they are always ignored for requests of these types.
Hints for testers
See #6622. In addition to what is specified there, filters with $rewrite filter option should be ignored if the request type is SCRIPT, SUBDOCUMENT, OBJECT or OBJECT_SUBREQUEST (as indicated in the devtools panel), even if those types are explicitly given in the filter.
Attachments (0)
Change History (8)
comment:1 Changed on 05/29/2018 at 02:08:43 PM by sebastian
- Review URL(s) modified (diff)
- Status changed from new to reviewing
comment:3 Changed on 05/29/2018 at 02:34:55 PM by abpbot
comment:4 Changed on 05/29/2018 at 02:38:57 PM by abpbot
A commit referencing this issue has landed:
Issue 6704 - Updated adblockpluscore dependency for security mitigation of $rewrite filters
comment:5 Changed on 05/29/2018 at 02:39:25 PM by sebastian
- Milestone set to Adblock-Plus-for-Chrome-Opera-Firefox-next
- Resolution set to fixed
- Status changed from reviewing to closed
comment:6 Changed on 05/30/2018 at 01:24:23 AM by mjethani
- Priority changed from Unknown to P1
- Ready set
comment:7 Changed on 05/30/2018 at 02:08:32 AM by hfiguiere
- Summary changed from Ignore $rewrite filters for requests loading code to be executes to Ignore $rewrite filters for requests loading code to be executed
comment:8 Changed on 06/14/2018 at 01:24:21 PM by Ross
- Tester changed from Unknown to Ross
- Verified working set
Appears to working as expected. Rewrite filters are not applied to the request types listed above.
ABP 3.1.0.2065
Firefox 51 / 60 / Windows 8
Chrome 49 / 66 / Windows 8
Opera 36 / 52 / Windows 8
A commit referencing this issue has landed:
Issue 6704 - Prevent $rewrite filters from matching against request types that load code