[RESOLVED] Redirect triggers LOCAL rule

Discussions about the Application Boundaries Enforcer (ABE) module
siu
Posts: 6
Joined: Fri May 11, 2012 7:46 am

Post by siu »

When accessing http://bottlepy.org I get this error message from the ABE:

Code: Select all

Request {GET http://bottlepy.org/docs/dev/ <<< http://bottlepy.org/, chrome://browser/content/browser.xul - 6} filtered by ABE: <LOCAL> Deny
I've tried on two different computers: on one running Ubuntu / FF 12.0 / NoScript 2.4 I can't reproduce it, whereas on another PC running Arch Linux / FF 12.0 / NoScript 2.4 I'm having this issue. I've tried with a freshly created FF profile and it is still happening.

I've noticed that bottlepy.org is returning a redirect in the headers but there is no content on the page and I guess this makes Firefox render chrome://browser/content/browser.xul.

Do you think it is a problem in my system, a bug in FF/NoScript or something I should report to bottlepy.org?
Last edited by siu on Fri May 18, 2012 9:54 am, edited 1 time in total.
Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: redirect and chrome://browser/content/browser/browser.xu

Post by Tom T. »

siu wrote:When accessing http://bottlepy.org I get this error message from the ABE:

Code: Select all

Request {GET http://bottlepy.org/docs/dev/ <<< http://bottlepy.org/, chrome://browser/content/browser.xul - 6} filtered by ABE: <LOCAL> Deny
Unable to reproduce on Win XP, Fx 12.0, NS 2.4.1rc3, even after multiple page reloads resulting from allowing the disqus script and its related items in Blocked Objects menu -- and that's with the additional ABE NAT-pinning rule discussed here.

Have you added any ABE rules beyond the default SYSTEM rule?
siu wrote:I've tried on two different computers: on one running Ubuntu / FF 12.0 / NoScript 2.4 I can't reproduce it, whereas on another PC running Arch Linux / FF 12.0 / NoScript 2.4 I'm having this issue.
Wouldn't that point to an issue in archlinux? -- as you don't get it in Ubuntu, and I don't get it in Windows?
siu wrote:I've tried with a freshly created FF profile and it is still happening.
Try a freshly-created profile with a fresh install of NS, and *no* other add-ons, to eliminate the possibility that the problematic system has an extension conflict.
siu wrote:.... something I should report to bottlepy.org?
Not at this time. So far, it's pointing to something in that Linux distro, or as mentioned, an extension conflict in that particular profile.

If you have access to other systems, or if anyone else can reproduce on, say, Mac, etc., please advise.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0

Re: redirect and chrome://browser/content/browser/browser.xu

Post by siu »

Thanks for your answer, let's try to find where the error is.
Tom T. wrote: Unable to reproduce on Win XP, Fx 12.0, NS 2.4.1rc3, even after multiple page reloads resulting from allowing the disqus script and its related items in Blocked Objects menu -- and that's with the additional ABE NAT-pinning rule discussed here.
Notice that I don't even get to that point, I only see an empty page with the ABE warning on the top.
Tom T. wrote: Have you added any ABE rules beyond the default SYSTEM rule?
No, I've never touched the ABE rules.
Tom T. wrote:
siu wrote:I've tried with a freshly created FF profile and it is still happening.
Try a freshly-created profile with a fresh install of NS, and *no* other add-ons, to eliminate the possibility that the problematic system has an extension conflict.
This is exactly what I've done: I created a new profile and installed NoScript 2.4.1 from Mozilla Add-ons.
Tom T. wrote:If you have access to other systems, or if anyone else can reproduce on, say, Mac, etc., please advise.
I've been able to reproduce it on two other systems:

- CentOS, FF 12.0 downloaded from the official website
- Red Hat EL, using FF 10.0 distributed with the system

Once again I tested with new profiles where I've only installed NoScript 2.4.1.

It also happens when I search for that URL in Google and follow the link, but in this case the warning shows what looks like the referrer URL instead of chrome://...
Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0

Re: redirect and chrome://browser/content/browser/browser.xu

Post by siu »

I've spent a few hours debugging and I could finally find out why the LOCAL rule was being applied.
I think the issue is in the parsing of IPv6 addresses in DNS.js. IPv6 is enabled on my PC and that makes the function DNSRecord.isLocal() iterate over all the possible addresses, i.e. the IPv4 and the IPv6 address. That's OK. But then DNS.isLocalIP(addr) fails to detect the IPv6 address as IPv6 because in this specific case it starts with "fe80:" but it is searching only for "2002:". I think that the regexp at the top of that function can be applied to IPv6 as well, but it seems that it doesn't work in this case.

I could fix it by replacing the comparison

Code: Select all

addr.indexOf("2002:") === 0
by

Code: Select all

addr.indexOf(":") != -1
, as in:

Code: Select all

  _localIPRx: /^(?:(?:0|127|10|169\.254|172\.(?:1[6-9]|2\d|3[0-1])|192\.168)\..*\.[^0]\d*$|(?:(?:255\.){3}255|::1?)$|f(?:[cd]|e(?:[c-f]|80:))[0-9a-f]*:)/i,
  isLocalIP: function(addr) {

    // see https://bug354493.bugzilla.mozilla.org/attachment.cgi?id=329492 for a more verbose but incomplete (missing IPV6 ULA) implementation
    // Relevant RFCs linked at http://en.wikipedia.org/wiki/Private_network
    return (addr.indexOf(":") != -1
        ? this.isLocalIP(this.ip6to4(addr))
        : this._localIPRx.test(addr)
        ) ||
      this.localExtras && this.localExtras.testIP(addr) ||
      WAN.ipMatcher && WAN.ipMatcher.testIP(addr);
  },
It is probably not the best way to fix it but at least it removes this false positive.

Is there a bug tracker where I can post and discuss this?
Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: redirect and chrome://browser/content/browser/browser.xu

Post by dhouwn »

Very nice analysis!
siu wrote:Is there a bug tracker where I can post and discuss this?
Sadly, no. This here is basically the bug tracker.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: redirect and chrome://browser/content/browser/browser.xu

Post by Giorgio Maone »

Unfortunately your analysis, albeit suggestive, is incorrect.

Current relevant code is:

Code: Select all

 return (addr.indexOf("2002:") === 0
        ? this.isLocalIP(this.ip6to4(addr))
        : this._localIPRx.test(addr)
        ) 
where the check for the address beginning with "2002:" is just a performance optimization to use the relatively slower recursive call after converting IPv6 to IPv4 only if the address can be converted (i.e. is an IPv4 address represented as an IPv6 one, identified by the "2002:" prefix).

Otherwise (i.e. if the address does not begin with "2002:"), it is checked against the this._localIPRx regular expression, which BTW correctly matches IPv6 addresses starting with the "fe80:" prefix.

Furthermore, it is not your local IP which is checked by isLocalIP(), but the origin and the destination of the HTTP request (i.e. the site containing the link and the destination of the link): if the origin is found to be non-local but the destination is a lan IP, the rule is triggered.

Therefore the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP.
Could you please run the following snippet in your Error Console (Ctrl+Shift+J) and copy here the content of the alert box?

Code: Select all

top.opener.noscriptOverlay.ns.__global__.DNS.resolve("bottlepy.org", 0, function(r) alert(r.toSource())) 
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0

Re: redirect and chrome://browser/content/browser/browser.xu

Post by Tom T. »

Giorgio Maone wrote:... Therefore the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP.
Could you please run the following snippet in your Error Console (Ctrl+Shift+J) and copy here the content of the alert box?

Code: Select all

top.opener.noscriptOverlay.ns.__global__.DNS.resolve("bottlepy.org", 0, function(r) alert(r.toSource())) 
I get

Code: Select all

Error: missing ; before statement
Source File: javascript:%20Timestamp:%2(local date/time)%20PM%20Error:%20attempt%20to%20run%20compile-and-go%20script%20on%20a%20cleared%20scope%20Source%20File:%20chrome://noscript/content/DNS.js%20Line:%20238
Line: 1, Column: 22
Source Code:
 Timestamp: (local date/time) PM Error: attempt to run compile-and-go script on a cleared scope Source File: chrome://noscript/content/DNS.js Line: 238
So far, the problem has occurred only on *nix systems, and not on my 32-bit Win, or (apparently) your 64-bit Win with full IPV6 support (I don't have that on this older machine.)
If indeed "the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP", then why wouldn't you and I be able to reproduce it?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0

Re: redirect and chrome://browser/content/browser/browser.xu

Post by Giorgio Maone »

Tom T. wrote: If indeed "the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP", then why wouldn't you and I be able to reproduce?
Because of a difference between our DNS configuration and his, for instance.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0

Re: redirect and chrome://browser/content/browser/browser.xu

Post by siu »

Giorgio Maone wrote:Unfortunately your analysis, albeit suggestive, is incorrect.

Current relevant code is:

Code: Select all

 return (addr.indexOf("2002:") === 0
        ? this.isLocalIP(this.ip6to4(addr))
        : this._localIPRx.test(addr)
        ) 
where the check for the address beginning with "2002:" is just a performance optimization to use the relatively slower recursive call after converting IPv6 to IPv4 only if the address can be converted (i.e. is an IPv4 address represented as an IPv6 one, identified by the "2002:" prefix).

Otherwise (i.e. if the address does not begin with "2002:"), it is checked against the this._localIPRx regular expression, which BTW correctly matches IPv6 addresses starting with the "fe80:" prefix.
Ok, I wasn't sure about this part.
Giorgio Maone wrote: Furthermore, it is not your local IP which is checked by isLocalIP(), but the origin and the destination of the HTTP request (i.e. the site containing the link and the destination of the link): if the origin is found to be non-local but the destination is a lan IP, the rule is triggered.
Yes, it is indeed failing when checking the destinationIP.
Giorgio Maone wrote: Therefore the most likely reason for ABE to warn you (possible bugs aside), is bottlepy.org pointing to a local IP.
Could you please run the following snippet in your Error Console (Ctrl+Shift+J) and copy here the content of the alert box?

Code: Select all

top.opener.noscriptOverlay.ns.__global__.DNS.resolve("bottlepy.org", 0, function(r) alert(r.toSource())) 
I will perform this test at work on Monday where I see this issue. So you think that it resolves to a local IP, and I'm beginning to think that bottlepy.org is probably hosted in a university in Germany, and I'm having this issue only when I visit the site from either a university (in Spain) or a public organization (in France).
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0

Re: redirect and chrome://browser/content/browser/browser.xu

Post by Tom T. »

siu wrote:So you think that it resolves to a local IP, and I'm beginning to think that bottlepy.org is probably hosted in a university in Germany, and I'm having this issue only when I visit the site from either a university (in Spain) or a public organization (in France).
It seems to be a strange combination of hosting in the US, with DNS servers in Germany.
IP address: 173.214.207.14
Host name: bottlepy.org

173.214.207.14 is from United States(US) in region North America

TraceRoute to 173.214.207.14 [bottlepy.org]
<snip>
11 25 25 25 173.214.207.14 unknown.carohosting.net


Retrieving DNS records for bottlepy.org...

DNS servers
ns2.hans.hosteurope.de [80.237.128.10]
ns1.hans.hosteurope.de

Answer records
bottlepy.org NS ns1.hans.hosteurope.de 259200s
bottlepy.org NS ns2.hans.hosteurope.de 259200s

bottlepy.org SOA server: ns1.hans.hosteurope.de 86400s


Results returned from whois.arin.net:
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=173.2 ... xt=netref2
#

Carolina Internet, Ltd. CARO-NET-ARIN-7 (NET-173-214-192-0-1) 173.214.192.0 - 173.214.207.255
CaroNet Managed Hosting, Inc. CI-173-214-204-0-22 (NET-173-214-204-0-1) 173.214.204.0 - 173.214.207.255

OrgName: CaroNet Managed Hosting, Inc.
OrgId: CIL-56
Address: 900 Center Park Dr
Address: Suite A
City: Charlotte
State: NC (North Carolina -- you know, the State where John Edwards used to be a Senator. :D )
PostalCode: 28217
Country: US
I don't see why visiting it from a public organization in France would cause it to point to your LAN, unless your LAN includes those French and Spanish sites.
See PM for a bit more.

I could be mistaken, but I think Giorgio was suggesting that it was something in the DNS configuration: on the machines configured one way, it doesn't happen, but on those configured another way, it does. Try experimenting with a different DNS server? (OpenDNS, etc.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0

Re: redirect and chrome://browser/content/browser/browser.xu

Post by siu »

I would say this issue is solved, we've been discussing in private and this is what we've found:

The output of this command:

Code: Select all

top.opener.noscriptOverlay.ns.__global__.DNS.resolve("bottlepy.org", 0, function(r) { alert(r.toSource())} )
is:

Code: Select all

({ts:1337158919407, entries:["173.214.207.14", "fe80::226:b9ff:fe53:ebd3"], expireTime:1337158979407})
Of those, the first IP address is a valid IPv4 address but the second is an IPv6 link-local address (per the standard: http://en.wikipedia.org/wiki/Private_network#IPv6). Indeed the AAAA DNS record for that domain looks like this:

Code: Select all

 ; <<>> DiG 9.3.2 <<>> @8.8.8.8 bottlepy.org AAAA
 ; (1 server found)
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48086
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;bottlepy.org.			IN	AAAA
 
 ;; ANSWER SECTION:
 bottlepy.org.		82690	IN	AAAA	fe80::226:b9ff:fe53:ebd3
 
 ;; Query time: 8 msec
 ;; SERVER: 8.8.8.8#53(8.8.8.8)
 ;; WHEN: Fri May 18 11:15:11 2012
 ;; MSG SIZE  rcvd: 58
Which should not be used on the internet and is triggering the LOCAL rule of the ABE.

Related topic: http://forums.informaction.com/viewtopi ... =23&t=8729

Thanks a lot to Giorgio Maone and Tom T. for the support.
Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
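
The classification this thread converges on, as an added example that is not NoScript's code and not part of any post above: it covers the IPv4 private ranges, the "2002:" 6to4 conversion Giorgio describes, and the IPv6 local prefixes, then applies the LOCAL rule to the entries siu posted. The function names (`expand6`, `isLocalIP`, `evaluateLocalRule`) and the origin address are assumptions made for illustration.

```javascript
// Added example; function names are illustrative, not NoScript's API.
// Assumes syntactically valid address literals (no validation is done).
const LOCAL_V4 =
  /^(?:(?:0|10|127)\.|169\.254\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.|255\.255\.255\.255$)/;

// Expand an IPv6 literal (zone id stripped) into its eight 16-bit groups.
function expand6(addr) {
  const bare = addr.split("%")[0].toLowerCase();
  const [head, tail] = bare.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const fill = bare.includes("::") ? new Array(8 - h.length - t.length).fill("0") : [];
  return [...h, ...fill, ...t].map((g) => parseInt(g, 16));
}

function isLocalIP(addr) {
  if (!addr.includes(":")) return LOCAL_V4.test(addr);
  const g = expand6(addr);
  if (g[0] === 0x2002) {
    // 6to4: the 32 bits after the prefix are an IPv4 address; classify that.
    return isLocalIP([g[1] >> 8, g[1] & 255, g[2] >> 8, g[2] & 255].join("."));
  }
  if (g.slice(0, 7).every((x) => x === 0)) return g[7] <= 1; // :: and ::1
  return (g[0] & 0xfe00) === 0xfc00 || // fc00::/7  unique local
         (g[0] & 0xffc0) === 0xfec0 || // fec0::/10 site-local (deprecated)
         (g[0] & 0xffc0) === 0xfe80;   // fe80::/10 link-local
}

// LOCAL rule as described in the thread: deny when the origin is non-local
// and the destination is local. Assumption: a host is local if ANY of its
// resolved addresses is local, which is what the bottlepy.org case shows.
function evaluateLocalRule(originIPs, destIPs) {
  const offending = destIPs.filter(isLocalIP);
  return { deny: !originIPs.some(isLocalIP) && offending.length > 0, offending };
}

// Destination entries as posted in the thread; the origin is a constructed
// public address from the 203.0.113.0/24 documentation range.
const bottlepy = ["173.214.207.14", "fe80::226:b9ff:fe53:ebd3"];
const verdict = evaluateLocalRule(["203.0.113.10"], bottlepy);
console.log(verdict.deny, verdict.offending);
```

Reporting the offending entries alongside the decision is what lets a site operator see that a single stray AAAA record, not the A record, caused the block.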

Re: [RESOLVED] Redirect triggers LOCAL rule

Post by Giorgio Maone »

Mystery solved, indeed:
bottlepy wrote: @ma1 @dakami The http://bottlepy.org fe80:/10 AAAA thing was just stupidity on my part :)
Giorgio Maone wrote: @bottlepy @dakami @davidsinuela 10x for solving this mystery. http://wm161.net same issue? Should ABE automail DNS tech contacts?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: [RESOLVED] Redirect triggers LOCAL rule

Post by GµårÐïåñ »

How is this resolved exactly? Just wondering because the case I wrote Giorgio in private about was forums.informaction.com triggering LOCAL and it still does it, mostly on redirects but sometimes on just Ctrl+Click of a link to open in a new tab, sometimes just straight up click, so I am not sure what's going on but I think we are glossing over this way too quickly. Just saying. I tried to resolve this in private with Giorgio LONG before a bunch of posts about this and that showed up on the site but no resolution and now that it's gone public, I would personally like to know the why, not just, oh I assume this is the problem. I mean for 15 years my DNS has been fine, suddenly my DHCP/DNS is f-ed up? Seriously? Not buying that.

EDIT: Apparently while I was posting this Giorgio was posting his reply, so my reply was pre Giorgio reply you see below/above depending on how you have your posts sorted.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0

Re: [RESOLVED] Redirect triggers LOCAL rule

Post by Tom T. »

@ GµårÐïåñ:

I've never had that issue, so whatever it is, it appears to be unrelated to this thread. But as was done here, check your DNS configuration, try other DNSs, etc., and if there is a discrepancy, then you can get it fixed as was done here.


@siu:

You're quite welcome, and some good came out of it: DNS "stupidity" corrected. Isn't it good that Giorgio has enough pull to get through where most of us couldn't? ;)


@ Giorgio:
Giorgio Maone wrote:Should ABE automail DNS tech contacts?

Apparently. :D

I'm glad that it wasn't the things I suggested in PM - DNS hack, cache poisoning, ARP poisoning, etc. ... but OTOH, if it were, would the DNS Admin or bottlepy Admin admit it? Can't imagine deliberately or even accidentally registering a local link address with a DNS. Just wondering ...

Thanks for your help in seeing this through to full resolution.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0