WebPreferences Vulnerability Fix
A remote code execution vulnerability has been discovered affecting apps with the ability to open nested child windows on Electron versions (3.0.0-beta.6, 2.0.7, 1.8.7, and 1.7.15). This vulnerability has been assigned the CVE identifier CVE-2018-15685.
Affected Platforms
You are impacted if:
- You embed any remote user content, even in a sandbox
- You accept user input with any XSS vulnerabilities
Details
You are impacted if any user code runs inside an iframe / can create an iframe. Given the possibility of an XSS vulnerability it can be assumed that most apps are vulnerable to this case.
You are also impacted if you open any of your windows with the nativeWindowOpen: true or sandbox: true option. Although this vulnerability also requires an XSS vulnerability to exist in your app, you should still apply one of the mitigations below if you use either of these options.
Mitigation
We've published new versions of Electron which include fixes for this vulnerability: 3.0.0-beta.7, 2.0.8, 1.8.8, and 1.7.16. We urge all Electron developers to update their apps to the latest stable version immediately.
If for some reason you are unable to upgrade your Electron version, you can protect your app by blanket-calling event.preventDefault() on the new-window event for all webContents. If you don't use window.open or any child windows at all then this is also a valid mitigation for your app.
mainWindow.webContents.on('new-window', (e) => e.preventDefault());
If you rely on the ability of your child windows to make grandchild windows, then a third mitigation strategy is to use the following code on your top level window:
const enforceInheritance = (topWebContents) => {
  const handle = (webContents) => {
    webContents.on(
      'new-window',
      (event, url, frameName, disposition, options) => {
        if (!options.webPreferences) {
          options.webPreferences = {};
        }
        Object.assign(
          options.webPreferences,
          topWebContents.getLastWebPreferences(),
        );
        if (options.webContents) {
          handle(options.webContents);
        }
      },
    );
  };
  handle(topWebContents);
};
enforceInheritance(mainWindow.webContents);
This code will manually enforce that the top level window's webPreferences are applied to all child windows, infinitely deep.
Further Information
This vulnerability was found and reported responsibly to the Electron project by Matt Austin of Contrast Security.
To learn more about best practices for keeping your Electron apps secure, see our security tutorial.
If you wish to report a vulnerability in Electron, email security@electronjs.org.