Fixed
Status Update
Updated by @
Fixed for 0.66.
Comments
va...@google.com <va...@google.com> #3
since it isn't exploitable, i think we can treat it as a normal bug
nd...@protonmail.com <nd...@protonmail.com> #4
Last time just want yes/no so I can stop asking:
Given that the secure shell extension is on chrome-extension:// and has access to vmshell and crosh, and auto-loading VMs is not allowed, should other extensions also be blocked from navigating to it?
va...@google.com <va...@google.com> #5
we're prob going to remove that functionality from the extension, at least URL-wise. it doesn't serve a useful purpose anymore now that the Terminal app has fully shipped.
va...@google.com <va...@google.com>
ap...@google.com <ap...@google.com> #6
Project: apps/libapps
Branch: main
commit f8bb4183387b59f6bd3a93693f053f94aa5fd9ad
Author: Mike Frysinger <vapier@chromium.org>
Date: Wed Apr 24 10:41:34 2024
ssh_client: mosh: filter uri args a bit
We only need to pass through a few attributes to the NaCl plugin.
Hardcode that list so the URI isn't allowed to set other attributes
that we didn't intend.
Bug: b/260531249
Change-Id: Ic836d10fd92b1c9d21f69f823fea1b87074788ef
Reviewed-on: https://chromium-review.googlesource.com/c/apps/libapps/+/5483046
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Joel Hockey <joelhockey@chromium.org>
M ssh_client/third_party/mosh-chrome/build
A ssh_client/third_party/mosh-chrome/mosh-chrome-0.5.6-argv-pass-thru.patch
https://chromium-review.googlesource.com/5483046
nd...@protonmail.com <nd...@protonmail.com> #7
🎉
Description
Steps to reproduce the problem:
1. Download secure shell extension via
2. Go to chrome-extension://iodihamcpbpeioajjeobimgagajmlibd/plugin/mosh/mosh_window.html?args=eyJzdHlsZSI6ImJhY2tncm91bmQtaW1hZ2U6IHVybChcImh0dHBzOi8vaHR0cC5jYXQvMjAwXCIpIiwid2lkdGgiOjEwMDAsImhlaWdodCI6MTAwMH0=
3. See cat
Problem Description:
args from the URL get base64 decoded and set as attributes for an HTML embed tag.
While JS is prevented due to the CSP, it still allows for CSS, and I don't think a CSP is meant to be the only defense.
Additional Comments:
There are also other interesting URL parameters to run crosh and vmshell that don't even need navigations on chrome-untrusted:// to work.
Chrome version: 103.0.0.0 Channel: Not sure
OS: Windows
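The pass-through described in this report, next to an allowlist filter of the kind the fix commit describes. This is an added example, not the extension's own code: `ALLOWED_ATTRS` and all function names are assumptions, since the page does not list the attributes the patch keeps.

```javascript
// Added example: the names and the allowlist below are assumptions,
// not the extension's code. The page does not list the real attributes.
const ALLOWED_ATTRS = new Set(['addr', 'port', 'user', 'key', 'mode']);

// Decode the base64 JSON carried in ?args=. Malformed input yields {}.
function decodeArgs(url) {
  const raw = new URL(url).searchParams.get('args');
  if (raw === null) return {};
  try {
    const parsed = JSON.parse(atob(raw));
    // Only a plain object maps onto attribute name/value pairs.
    const isObject = parsed !== null && typeof parsed === 'object';
    return isObject && !Array.isArray(parsed) ? parsed : {};
  } catch (e) {
    return {};
  }
}

// Behaviour described in the report: every decoded key becomes an attribute.
function attrsUnfiltered(url) {
  return Object.entries(decodeArgs(url)).map(([k, v]) => [k, String(v)]);
}

// Hardened form: forward only allowlisted names that carry scalar values.
function attrsFiltered(url) {
  const attrs = [];
  const dropped = [];
  for (const [name, value] of Object.entries(decodeArgs(url))) {
    const scalar = typeof value === 'string' || typeof value === 'number';
    if (ALLOWED_ATTRS.has(name) && scalar) {
      attrs.push([name, String(value)]);
    } else {
      dropped.push(name); // worth logging: unexpected keys suggest a crafted URL
    }
  }
  return {attrs, dropped};
}

const PAGE = 'chrome-extension://iodihamcpbpeioajjeobimgagajmlibd' +
    '/plugin/mosh/mosh_window.html?args=';
// The args value from step 2 of the report.
const REPORT_URL = PAGE + 'eyJzdHlsZSI6ImJhY2tncm91bmQtaW1hZ2U6IHVybChcImh0dHBzOi8vaHR0cC5jYXQvMjAwXCIpIiwid2lkdGgiOjEwMDAsImhlaWdodCI6MTAwMH0=';
// Constructed input mixing hypothetical allowed names with a stray key.
const MIXED_URL = PAGE + encodeURIComponent(btoa(JSON.stringify(
    {addr: '192.0.2.10', port: 60001, style: 'color: red'})));

console.log(attrsUnfiltered(REPORT_URL).map(([k]) => k));
console.log(attrsFiltered(REPORT_URL));
console.log(attrsFiltered(MIXED_URL));
```

In the page itself, only the pairs in `attrs` would reach `setAttribute` on the embed element; the `dropped` list gives a place to log or reject the request.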