Opened on 05/29/2018 at 02:08:10 PM

Closed on 05/29/2018 at 02:39:25 PM

Last modified on 06/14/2018 at 01:24:21 PM

#6704 closed change (fixed)

Ignore $rewrite filters for requests loading code to be executed

Reported by: sebastian Assignee: sebastian
Priority: P1 Milestone: Adblock-Plus-3.2-for-Chrome-Opera-Firefox
Module: Core Keywords:
Cc: mjethani, hfiguiere Blocked By:
Blocking: Platform: Unknown / Cross platform
Ready: yes Confidential: no
Tester: Ross Verified working: yes
Review URL(s):

https://codereview.adblockplus.org/29793555

Description (last modified by sebastian)

Background

With #6592 and #6622 we introduced the $rewrite filter option which allows requests to be redirected to another URL (of the same origin). However, we noticed some security issues, where for example a script hosted on a CDN could be replaced with another script from the same CDN, so that a malicious filter could cause arbitary code to be executed under some circumstances. Therefore we want to limit the request types that $rewrite filters might be applied to.

What to change

Unset the request types SCRIPT, SUBDOCUMENT, OBJECT and OBJECT_SUBREQUEST for filters that have an $rewrite option, so that they are always ignored for requests of these types.

Hints for testers

See #6622. In addition to what is specified there, filters with $rewrite filter option should be ignored if the request type is SCRIPT, SUBDOCUMENT, OBJECT or OBJECT_SUBREQUEST (as indicated in the devtools panel), even if those types are explicitly given in the filter.

Attachments (0)

Change History (8)

comment:1 Changed on 05/29/2018 at 02:08:43 PM by sebastian

  • Review URL(s) modified (diff)
  • Status changed from new to reviewing

comment:2 Changed on 05/29/2018 at 02:33:27 PM by sebastian

  • Description modified (diff)

comment:3 Changed on 05/29/2018 at 02:34:55 PM by abpbot

A commit referencing this issue has landed:
Issue 6704 - Prevent $rewrite filters from matching against request types that load code

comment:4 Changed on 05/29/2018 at 02:38:57 PM by abpbot

A commit referencing this issue has landed:
Issue 6704 - Updated adblockpluscore dependency for security mitigation of $rewrite filters

comment:5 Changed on 05/29/2018 at 02:39:25 PM by sebastian

  • Milestone set to Adblock-Plus-for-Chrome-Opera-Firefox-next
  • Resolution set to fixed
  • Status changed from reviewing to closed

comment:6 Changed on 05/30/2018 at 01:24:23 AM by mjethani

  • Priority changed from Unknown to P1
  • Ready set

comment:7 Changed on 05/30/2018 at 02:08:32 AM by hfiguiere

  • Summary changed from Ignore $rewrite filters for requests loading code to be executes to Ignore $rewrite filters for requests loading code to be executed

comment:8 Changed on 06/14/2018 at 01:24:21 PM by Ross

  • Tester changed from Unknown to Ross
  • Verified working set

Appears to working as expected. Rewrite filters are not applied to the request types listed above.

ABP 3.1.0.2065
Firefox 51 / 60 / Windows 8
Chrome 49 / 66 / Windows 8
Opera 36 / 52 / Windows 8

Add Comment

Modify Ticket

Change Properties
Action
as closed .
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from sebastian.
AttachmentsDescription
 
Note: See TracTickets for help on using tickets.