Bug 483437 - PSM doesn't properly escape AVA Values in Cert Viewer Details tab, r=nelson+benjamin

build/pgo/server-locations.txt

@@ -156,3 +156,7 @@ https://sub.sectest1.example.org:443
 # Used while testing the url-classifier
 #
 http://malware.example.com:80
+
+# Bug 483437, 484111
+https://www.bank1.com:443           privileged,cert=escapeattack1
+https://www.bank2.com:443           privileged,cert=escapeattack2

security/manager/ssl/src/nsNSSCertHelper.cpp

@@ -885,7 +885,24 @@ ProcessRDN(CERTRDN* rdn, nsAString &finalString, nsINSSComponent *nssComponent)
     if(!decodeItem) {
       return NS_ERROR_FAILURE;
     }
-    avavalue = NS_ConvertUTF8toUTF16((char*)decodeItem->data, decodeItem->len);
+
+    // We know we can fit buffer of this length. CERT_RFC1485_EscapeAndQuote
+    // will fail if we provide smaller buffer then the result can fit to.
+    PRIntn escapedValueCapacity = decodeItem->len * 3 + 3;
+    nsAutoArrayPtr<char> escapedValue;
+    escapedValue = new char[escapedValueCapacity];
+    if (!escapedValue)
+      return NS_ERROR_OUT_OF_MEMORY;
+
+    SECStatus status = CERT_RFC1485_EscapeAndQuote(
+          escapedValue.get(),
+          escapedValueCapacity, 
+          (char*)decodeItem->data, 
+          decodeItem->len);
+    if (SECSuccess != status)
+      return NS_ERROR_FAILURE;
+
+    avavalue = NS_ConvertUTF8toUTF16(escapedValue);
     
     SECITEM_FreeItem(decodeItem, PR_TRUE);
     params[0] = type.get();

security/manager/ssl/tests/mochitest/bugs/Makefile.in

@@ -40,14 +40,21 @@ DEPTH		= ../../../../../..
 topsrcdir	= @top_srcdir@
 srcdir		= @srcdir@
 VPATH		= @srcdir@
-relativesrcdir	= security/ssl
+relativesrcdir	= security/ssl/bugs
 
 include $(DEPTH)/config/autoconf.mk
 include $(topsrcdir)/config/rules.mk
 
+_TEST_FILES = \
+        test_bug480509.html \
+        test_bug484111.html \
+        $(NULL)
+
 _CHROME_FILES = \
         test_bug413909.html \
         $(NULL)
 
+libs:: $(_TEST_FILES)
+	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/tests/$(relativesrcdir)
 libs:: $(_CHROME_FILES)
 	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/chrome/$(relativesrcdir)

security/manager/ssl/tests/mochitest/bugs/test_bug480509.html

@@ -0,0 +1,88 @@
+<html>
+<head>
+  <title>Test bug 483437 and bug 480509</title>
+  <script type="text/javascript" src="chrome://mochikit/content/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>        
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" />
+</head>
+<body onload="onWindowLoad()">
+
+<iframe src="https://www.bank1.com/" onload="onFrameLoad()"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+function badCertListener() 
+{
+}
+
+badCertListener.prototype = {
+  badCertCaught: false,
+
+  getInterface: function (aIID) {
+    return this.QueryInterface(aIID);
+  },
+
+  QueryInterface: function(aIID) {
+    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+    if (aIID.equals(Components.interfaces.nsIBadCertListener2) ||
+        aIID.equals(Components.interfaces.nsIInterfaceRequestor) ||
+        aIID.equals(Components.interfaces.nsISupports))
+      return this;
+
+    throw Components.results.NS_ERROR_NO_INTERFACE;
+  },  
+
+  testCert: function(cert1, expected)
+  {
+    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+    var certDumpTree1 = Components.classes["@mozilla.org/security/nsASN1Tree;1"]
+                       .createInstance(Components.interfaces.nsIASN1Tree);
+    certDumpTree1.loadASN1Structure(cert1.ASN1Structure);
+    var value1 = certDumpTree1.getDisplayData(9);
+    
+    is(value1, expected, "Incorrect subject recognized");
+  },
+  
+  notifyCertProblem: function(socketInfo, sslStatus, targetHost) {
+    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+    var cert = sslStatus.QueryInterface(Components.interfaces.nsISSLStatus)
+      .serverCert;
+    this.testCert(cert, "CN = www.bank1.com\\00www.bad-guy.com\n");
+
+    this.badCertCaught = true;
+    return true;
+  }
+}
+
+function onFrameLoad()
+{
+  ok(false, "Attackers page failed to load");
+}
+
+function onWindowLoad()
+{
+  var req = new XMLHttpRequest();
+  var certListener = new badCertListener();
+  try
+  {
+    req.open("GET", "https://www.bank1.com/", false);
+    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+    req.channel.notificationCallbacks = certListener;
+    req.send(null);
+  }
+  catch(ex)
+  {
+    // ignore
+  }
+  
+  ok(certListener.badCertCaught, "We Caught the invalid certificate");
+  
+  SimpleTest.finish();
+}
+
+</script>
+
+</body>
+</html>

security/manager/ssl/tests/mochitest/bugs/test_bug484111.html

@@ -0,0 +1,72 @@
+<html>
+<head>
+  <title>Test bug 484111</title>
+  <script type="text/javascript" src="chrome://mochikit/content/MochiKit/packed.js"></script>
+  <script type="text/javascript" src="chrome://mochikit/content/tests/SimpleTest/SimpleTest.js"></script>        
+  <link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css" />
+</head>
+<body onload="onWindowLoad()">
+
+<iframe src="https://www.bank2.com/" onload="onFrameLoad()"></iframe>
+
+<script class="testbody" type="text/javascript">
+
+SimpleTest.waitForExplicitFinish();
+
+function badCertListener() 
+{
+}
+
+badCertListener.prototype = {
+  badCertCaught: false,
+
+  getInterface: function (aIID) {
+    return this.QueryInterface(aIID);
+  },
+
+  QueryInterface: function(aIID) {
+    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+    if (aIID.equals(Components.interfaces.nsIBadCertListener2) ||
+        aIID.equals(Components.interfaces.nsIInterfaceRequestor) ||
+        aIID.equals(Components.interfaces.nsISupports))
+      return this;
+
+    throw Components.results.NS_ERROR_NO_INTERFACE;
+  },  
+
+  notifyCertProblem: function(socketInfo, sslStatus, targetHost) {
+    this.badCertCaught = true;
+    return true;
+  }
+}
+
+function onFrameLoad()
+{
+  ok(false, "Attackers page failed to load");
+}
+
+function onWindowLoad()
+{
+  var req = new XMLHttpRequest();
+  var certListener = new badCertListener();
+  try
+  {
+    req.open("GET", "https://www.bank2.com/", false);
+    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
+    req.channel.notificationCallbacks = certListener;
+    req.send(null);
+  }
+  catch(ex)
+  {
+    // ignore
+  }
+  
+  ok(certListener.badCertCaught, "We Caught the invalid certificate");
+  
+  SimpleTest.finish();
+}
+
+</script>
+
+</body>
+</html>