Re: Clipboard API: remove dangerous formats from mandatory data types from Ashley Gullen on 2015-06-09 (public-webapps@w3.org from April to June 2015)

From: Ashley Gullen <ashley@scirra.com>
Date: Wed, 10 Jun 2015 00:23:35 +0100
To: Daniel Cheng <dcheng@google.com>
Cc: public-webapps@w3.org, Paul Libbrecht <paul@hoplahup.net>, Olli Pettay <olli@pettay.fi>
Message-ID: <CAABs73jWdZYLSVJXvoX2QNB_xM=GNQBZfa_aP_L0tXg-4=jyzw@mail.gmail.com>

The browser could copy a terminal command to wipe the disk, and the user
could run it. Or copy a URL to a web page that has a known security
exploit, and then the user pastes it in to the address bar. Maybe we
shouldn't allow copying anything at all?

Actually I think this is just security by paranoia. If pasting corrupt
images in to another app is enough of a problem to warrant concern, that
app should be fixed, rather than hobble the browser.
On 9 Jun 2015 21:23, "Daniel Cheng" <dcheng@google.com> wrote:

> On Tue, Jun 9, 2015 at 12:27 PM Paul Libbrecht <paul@hoplahup.net> wrote:
>
>>  Daniel,
>>
>> this does not make sense to me.
>>
>> All these image parsers exploits can be triggered by an img tag, or?
>> Similarly for XML using an XHR or some particular XML formats (RSS, SVG,
>> XHTML, ...) in markup.
>>
>
> Sure. That's why Chrome only decodes images in sandboxed processes like
> the renderer.
>
>
>>
>> There's absolutely no difference in the mistrust we should have between
>> content brought by an HTML page and content brought by a JavaScript, or?
>> Hence we should just not accept the reason of knowing of broken parsers to
>> be a reason to change the standards!
>>
>
> The difference is that "copy image to clipboard" never writes a
> GIF/JPG/PNG to the clipboard. The trusted browser process grabs the raw
> decoded bitmap from the renderer, validates the size information and some
> other stuff, and then writes it to the clipboard as a bitmap of the
> appropriate format.
>
> On the other hand, supporting this from JS means the untrusted renderer
> would get to control and place arbitrary GIF/JPG/PNG into the clipboard.
> It's not really feasible to do any corresponding validation that the data
> isn't bad.
>
>
>>
>> If, as a president, you need to decide to change the roads because a
>> particular car was built massively and needs a particularirty of your
>> roads, you would also find it nonsense, or? You're making me feel like
>> France which did this for a particular type of trains which required to
>> change all platforms because their ordered trains were already built too
>> wide....
>>
>
> It's unfortunate, but I doubt any native apps attempt to securely decode
> images. Previously, it didn't matter, since the clipboard content came from
> other native apps, and if you can't trust other native apps, you're kind of
> hosed anyway. However, going from web content -> native crosses a security
> boundary, which means these sort of issues need to be taken into
> consideration.
>
>
>
>>
>> Paul
>>
>>
>> On 9/06/15 21:15, Daniel Cheng wrote:
>>
>> I'm not against considering more formats to be dangerous. =)
>>
>>  In particular:
>> JS: I'm not support what context we'd ever want to support this, since we
>> go out of our way to try prevent XSS in HTML pastes.
>>  XML: I wouldn't mind getting rid of this. XML parsers seem to have RCE
>> bugs on a semi-regular basis.
>>
>>  Daniel
>>
>>  On Tue, Jun 9, 2015 at 12:01 PM Olli Pettay <olli@pettay.fi> wrote:
>>
>>> On 06/09/2015 09:39 PM, Daniel Cheng wrote:
>>> > Currently, the Clipboard API [1] mandates support for a number of
>>> formats. Unfortunately, we do not believe it is possible to safely support
>>> writing a
>>> > number of formats to the clipboard:
>>> > - image/png
>>> > - image/jpg, image/jpeg
>>> > - image/gif
>>> >
>>> > If these types are supported, malicious web content can trivially
>>> write a malformed GIF/JPG/PNG to the clipboard and trigger code execution
>>> when
>>> > pasting in a program with a vulnerable image decoder. This provides a
>>> trivial way to bypass the sandbox that web content is usually in.
>>> >
>>> > Given this, I'd like to propose that we remove the above formats from
>>> the list of mandatory data types, and avoid adding support for any more
>>> complex
>>> > formats.
>>> >
>>> > Daniel
>>> >
>>> > [1] http://www.w3.org/TR/clipboard-apis/#mandatory-data-types-1
>>>
>>>
>>> Why would text/html, application/xhtml+xml, image/svg+xml,
>>> application/xml, text/xml, application/javascript
>>> be any safer if the program which the data is pasted to has vulnerable
>>> html/xml/js parsing?
>>>
>>>
>>> -Olli
>>>
>>>
>>

Received on Tuesday, 9 June 2015 23:24:06 UTC