Firefox3.1/Downloadable Fonts Security Review
Latest revision as of 23:18, 29 October 2008
Overview
The goal of this feature is to support the CSS3 @font-face feature, which allows fonts to be downloaded when referenced within stylesheets.
- Background links
- Bug 70132 downloadable fonts meta bug
- Draft CSS3 Fonts spec, detailing @font-face
- Font format specs:
  - Microsoft OpenType spec: http://www.microsoft.com/typography/otspec/
  - TrueType spec: http://developer.apple.com/textfonts/TTRefMan/index.html
- APIs for handling loadable fonts:
  - ATSFontActivateFromFileSpecification reference: http://developer.apple.com/documentation/Carbon/Reference/ATS/DeprecationAppendix/AppendixADeprecatedAPI.html#//apple_ref/c/func/ATSFontActivateFromFileSpecification
  - TTLoadEmbeddedFont reference: http://msdn.microsoft.com/en-us/library/ms536775(VS.85).aspx
- Security issue tracking bugs:
  - Bug 453223 need to review thebes/cairo code: https://bugzilla.mozilla.org/show_bug.cgi?id=453223
  - Bug 453225 font fuzzer: https://bugzilla.mozilla.org/show_bug.cgi?id=453225
Security and Privacy
The major concern with the introduction of this feature is that it exposes our text rendering code, and the platform-specific font libraries we rely on, to attack via intentionally corrupt fonts. Malicious fonts could already cause these problems with our current code, but adding support for downloadable fonts makes this far easier, because any web page can then supply the font data. Possible risk areas: handling font names, reading the character map, handling metrics, and catching errors when drawing with bogus glyph data. Within our source tree this could affect code in gfx/thebes, gfx/cairo and the layout code.
Exported APIs
N/A
Module interactions
No dependency changes. Fonts are loaded by code within the layout/style subtree and passed to gfx code for use when rendering text.
Data
- What data is read or parsed by this feature?
- The @font-face feature works by downloading font data and passing it to system calls to create a font reference. This is used to create a platform font and text is rendered the same way as with a platform font.
- What is the output of this feature?
- Web pages rendered using downloaded fonts.
- What storage formats are used?
- We will be supporting the automatic download of TrueType and OpenType fonts but not Embedded OpenType or Type 1 fonts.
Reliability
- What failure modes or decision points are presented to the user?
- None.
- Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
- Font data is downloaded into the system temp directory. Under Windows, the data file is removed immediately after loading the font. On the Mac, the data file is retained until the document using the font is unloaded, so after crashes we need to clean out any leftover temp files.
Configuration
There are two pref settings for this feature:
- gfx.downloadable_fonts.enabled - boolean, enable/disable downloadable fonts, enabled by default
- gfx.downloadable_fonts.same-site-origin.enabled - boolean, enable/disable same-origin restriction, enabled by default
Apart from these two prefs, no environment variables affect this feature. I am considering adding some logging so that problems with downloadable fonts can be diagnosed.
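As an added example (not Firefox's own code), the load decision these two prefs control, combined with the same-origin rule and redirect handling discussed in the review comments below: the font's origin is compared with the document's origin, not the style sheet's, and every redirect hop is re-checked. The pref names are the ones listed above; the function and parameter names are this example's own.

```python
from urllib.parse import urlsplit

# Default values of the two prefs named in the Configuration section.
# The decision logic below is this example's own, not Firefox's code.
DEFAULT_PREFS = {
    "gfx.downloadable_fonts.enabled": True,
    "gfx.downloadable_fonts.same-site-origin.enabled": True,
}


def origin(url):
    """(scheme, host, port) of a URL, with the default port filled in so that
    http://a.example/ and http://a.example:80/ compare as the same origin."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)


def font_load_allowed(document_url, stylesheet_url, request_chain, prefs=None):
    """Decide whether a font fetched for @font-face may be used.

    request_chain is the font URL followed by every redirect target, in order.
    stylesheet_url is accepted only to make the point explicit: the check is
    against the document's origin, and the style sheet's origin is never
    consulted. Every hop in the chain is compared, so a same-origin URL that
    redirects off-site is refused rather than silently followed.
    """
    prefs = {**DEFAULT_PREFS, **(prefs or {})}
    if not prefs["gfx.downloadable_fonts.enabled"]:
        return False  # kill switch: no downloadable fonts at all
    if not prefs["gfx.downloadable_fonts.same-site-origin.enabled"]:
        return True  # same-origin restriction switched off by the user
    doc = origin(document_url)
    return bool(request_chain) and all(origin(u) == doc for u in request_chain)
```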
Relationships to other projects
Are there related projects in the community?
- No
Review comments
- we're supporting OpenType CFF and TrueType fonts everywhere. In addition we're supporting Apple Advanced Typography fonts on Mac.
- Windows probably supports bitmap fonts in an OpenType container. We should disable this explicitly for web-compat reasons so people don't get lured into making Windows-only pages.
- need to audit places in thebes/cairo that use metrics that come from the font itself (which might be malicious)
- need to write or acquire a binary fuzzer (swapping bits/metrics)
- can also fuzz by dumping to XML and messing with the hinting. Hinting is a limited scripting/bytecode language.
- Uniscribe on Windows, Pango on Linux, ATSUI on Mac. We may be exposing features here that are not well tested on the OS. Probably worth fuzzing the OS features directly.
- Font downloads are limited to same-origin with the document (not the style-sheet).
- Redirects need to be watched.
- Will be adding support for access-control for cross-site fonts.
- There's a pref "kill-switch" to disable this just in case.
- Bug 458861 was a persistent Mac font cache corruption. We need to somehow validate the data to some degree. Should we insist on a new MIME type and only allow those?
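One way to do the structural validation this last comment asks for, as an added example that is not Mozilla's code: a table-directory check on the TrueType/OpenType sfnt container, run before the bytes are handed to the platform font API. It accepts only the version tags of the formats listed under Data, bounds-checks each table entry without the 32-bit wrap-around that a naive offset + length comparison invites, and rejects bitmap-only fonts (the Windows case noted above) by requiring outline data; build_sfnt and the table payloads are constructed test data, not real fonts.

```python
import struct

# sfnt version tags for the formats this review accepts: TrueType (the
# 0x00010000 and Apple 'true' tags) and OpenType CFF ('OTTO'). EOT and
# Type 1 are different containers and never reach this check.
ACCEPTED_VERSIONS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}
OUTLINE_TABLES = {b"glyf", b"CFF "}  # bitmap-only sfnt fonts have neither

def sfnt_problem(data):
    """Return a description of the first structural problem found in the
    table directory, or None if it looks sane. The platform font engine
    still parses table contents, so this is a filter, not a guarantee."""
    size = len(data)
    if size < 12:
        return "too short for an sfnt header"
    version, num_tables = struct.unpack_from(">4sH", data, 0)
    if version not in ACCEPTED_VERSIONS:
        return "unsupported sfnt version %r" % version
    if num_tables == 0 or 12 + 16 * num_tables > size:
        return "table directory runs past end of file"
    tags = []
    for i in range(num_tables):
        tag, _csum, offset, length = struct.unpack_from(">4sIII", data, 12 + 16 * i)
        # Compare by subtraction: a 32-bit "offset + length" can wrap around
        # and pass a naive "< size" check.
        if offset > size or length > size - offset:
            return "table %r lies outside the file" % tag
        if tag in tags:
            return "duplicate table %r" % tag
        tags.append(tag)
    if not OUTLINE_TABLES & set(tags):
        return "no glyf/CFF table: bitmap-only font"
    return None

def build_sfnt(version, tables, bad_entries=None):
    """Constructed test data, not a real font: pack {tag: bytes} into an
    sfnt image; bad_entries maps tag -> (offset, length) to plant a
    deliberately wrong directory entry."""
    tags = sorted(tables)
    dir_end = 12 + 16 * len(tags)
    directory, body = b"", b""
    for tag in tags:
        payload = tables[tag]
        off, ln = (bad_entries or {}).get(tag, (dir_end + len(body), len(payload)))
        directory += struct.pack(">4sIII", tag, 0, off, ln)
        body += payload + b"\0" * (-len(payload) % 4)  # tables are 4-byte aligned
    return struct.pack(">4sHHHH", version, len(tags), 0, 0, 0) + directory + body
```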