-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Desktop] [hackerone] [Security] webtorrent should clear redirect URL if not http:// or https:// #9159
Comments
Here are the steps I found to reproduce this reliably:
If I skip Step 3, I get the following error page: This suggests that perhaps the extension load order matters. |
Based on the Slack thread, I made this simple fix:
but it didn't help since it's not even entering that function and printing anything to the console when I click on the offending links. |
@feross Was that the fix you were trying to test or did you have something else in mind? |
I think this is just a quirk of how the lazy-loading feature was implemented. The WebTorrent extension is not loaded until it's needed. So it seems like linking directly to an extension URL doesn't cause the extension to get enabled. Going into settings and toggling it OFF -> ON seems to force it to be enabled. Another option to your steps 1-3 is to load a torrent from https://webtorrent.io/free-torrents which has the same effect. |
Indeed, this was the intended fix. Are neither of your logs ("NO REDIRECT" and "REDIRECT") getting printed out? I think the issue may actually be in If I understand that code correctly, it appears to be translating the URL by just taking the unescaped query portion of the original URL, without first checking that it is HTTP or HTTPS. So the URL @fmarier Can you try moving the check into that function instead? |
Test plan specified in brave/brave-core#5595 (comment) |
Verified passed with
Verification passed on
Verified passed with
|
Test plan
See brave/brave-core#5595 (comment)
Description
originally reported at https://hackerone.com/reports/847848
this is a very minor phishing risk.
STR:
Expected behavior:
In step 3, either nothing should happen or you should be navigated to about:blank
(Expected behavior updated by @yrliou ) In step 3, a blank extension page is shown with original URL (chrome-extension://lgjmpdmojkpocjcopdikifhejkkjglho/extension/brave_webtorrent.html?chrome://wallet/) and nothing will be changed when doing step 4.
The text was updated successfully, but these errors were encountered: