[tor-commits] [tor-browser/tor-browser-68.4.1esr-9.5-1] Bug 461204 - Improve the random number generator for the boundaries in multipart/form-data r=smaug

boklm at torproject.org boklm at torproject.org
Thu Jan 23 12:58:50 UTC 2020


commit 3b2165b8be4f7fd7889c17cbb39a4348f7666bc8
Author: Alex Catarineu <acat at torproject.org>
Date:   Mon Jan 13 20:41:14 2020 +0000

    Bug 461204 - Improve the random number generator for the boundaries in multipart/form-data r=smaug
    
    Using a weak RNG for the form boundary allows a website operator to perform several
    attacks on users (as outlined in https://trac.torproject.org/projects/tor/ticket/22919)
    
    These include:
     - Identifying Windows users based on the unseeded RNG
     - Identifying the number of form submissions that have occurred cross-origin between same-origin submissions
    
    Additionally, a predictable boundary makes it possible to forge a boundary in the middle
    of a file upload.
    
    Differential Revision: https://phabricator.services.mozilla.com/D56056
    
    --HG--
    extra : moz-landing-system : lando
---
 dom/html/HTMLFormSubmission.cpp | 7 ++++---
 mfbt/RandomNum.cpp              | 8 ++++++++
 mfbt/RandomNum.h                | 6 ++++++
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/dom/html/HTMLFormSubmission.cpp b/dom/html/HTMLFormSubmission.cpp
index baaed020ec3f..384ca3661426 100644
--- a/dom/html/HTMLFormSubmission.cpp
+++ b/dom/html/HTMLFormSubmission.cpp
@@ -37,6 +37,7 @@
 #include "mozilla/dom/Directory.h"
 #include "mozilla/dom/File.h"
 #include "mozilla/StaticPrefs.h"
+#include "mozilla/RandomNum.h"
 
 namespace mozilla {
 namespace dom {
@@ -367,9 +368,9 @@ FSMultipartFormData::FSMultipartFormData(nsIURI* aActionURL,
   mTotalLength = 0;
 
   mBoundary.AssignLiteral("---------------------------");
-  mBoundary.AppendInt(rand());
-  mBoundary.AppendInt(rand());
-  mBoundary.AppendInt(rand());
+  mBoundary.AppendInt(static_cast<uint32_t>(mozilla::RandomUint64OrDie()));
+  mBoundary.AppendInt(static_cast<uint32_t>(mozilla::RandomUint64OrDie()));
+  mBoundary.AppendInt(static_cast<uint32_t>(mozilla::RandomUint64OrDie()));
 }
 
 FSMultipartFormData::~FSMultipartFormData() {
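Review bot: Each `static_cast<uint32_t>` on the three new `AppendInt` lines discards the upper half of a 64-bit draw, and nothing at the call site says why. Three truncated values still give 96 bits, and appending full 64-bit decimals would presumably push the boundary past the 70-character limit of RFC 2046, so the cast looks deliberate. A comment such as `// Keep 32 bits per draw: 96 bits in total, and the boundary stays within RFC 2046's 70 characters.` would record that. The same comment could state that the constructor now aborts the process when the system RNG fails instead of falling back to a predictable value. The constructor begins outside the hunk.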
diff --git a/mfbt/RandomNum.cpp b/mfbt/RandomNum.cpp
index 69f19e9d01fa..c3bb9ecef444 100644
--- a/mfbt/RandomNum.cpp
+++ b/mfbt/RandomNum.cpp
@@ -150,4 +150,12 @@ MFBT_API Maybe<uint64_t> RandomUint64() {
 #endif
 }
 
+MFBT_API uint64_t RandomUint64OrDie() {
+  Maybe<uint64_t> maybeRandomNum = RandomUint64();
+
+  MOZ_RELEASE_ASSERT(maybeRandomNum.isSome());
+
+  return maybeRandomNum.value();
+}
+
 }  // namespace mozilla
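Review bot: The `MOZ_RELEASE_ASSERT` in `RandomUint64OrDie` carries no explanation string, so a crash report would show only the bare condition `maybeRandomNum.isSome()`. Passing a message makes the fail-closed intent visible when triaging, for example `MOZ_RELEASE_ASSERT(maybeRandomNum.isSome(), "RandomUint64 failed: no secure randomness available");`. A short comment above the assert saying that aborting is preferred to returning a guessable value would also help later callers.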
diff --git a/mfbt/RandomNum.h b/mfbt/RandomNum.h
index 5af510d621a6..5d392c9a6819 100644
--- a/mfbt/RandomNum.h
+++ b/mfbt/RandomNum.h
@@ -30,6 +30,12 @@ namespace mozilla {
  */
 MFBT_API Maybe<uint64_t> RandomUint64();
 
+/**
+ *  Like RandomUint64, but always returns a uint64_t or crashes with an assert
+ *  if the underlying RandomUint64 call failed.
+ */
+MFBT_API uint64_t RandomUint64OrDie();
+
 }  // namespace mozilla
 
 #endif  // mozilla_RandomNum_h_
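Review bot: The new doc comment says the function "crashes with an assert", which readers may take to mean a debug-only assertion, while the implementation in this commit uses `MOZ_RELEASE_ASSERT`. I would word it as `Like RandomUint64, but aborts the process (in release builds too) if the underlying RandomUint64 call failed.` It would also help to add one sentence telling callers that can recover from a missing value to use `RandomUint64()` and check the `Maybe` instead.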


