RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link into item.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values with gBrowser.addTrustedTab(item.url, ...).
Impact:
An attacker-controlled or compromised feed can influence browser tab creation with non-web item URLs. The final severity depends on how the runtime handles each scheme when lazy trusted tabs are restored or selected, but the current trust boundary allows untrusted feed content to choose navigation targets that should be limited to ordinary web URLs.
Preconditions:
- The user adds an RSS live folder pointing to an attacker-controlled or compromised feed.
- The feed contains a valid recent item with a non-
http/https link.
Non-destructive validation:
- Use a disposable Zen profile.
- Serve a local RSS/Atom feed over
http://127.0.0.1.
- Include one recent item whose link uses a non-web scheme.
- Add the local feed as an RSS live folder.
- Confirm whether the item survives provider filtering.
- Confirm whether the created pinned lazy tab preserves and attempts to load the non-web URL when activated.
Expected result:
The provider should reject or drop non-http/https item links before they reach tab creation.
Observed source behavior:
The source code only validates the top-level feed URL, not individual item links.
Recommended fix:
- Validate every RSS/Atom item URL with
new URL.
- Allow only
http: and https: item links.
- Add a second allowlist check in
ZenLiveFoldersManager before addTrustedTab.
- Add regression tests covering
javascript:, data:, file:, about:, chrome:, invalid URLs, and normal https: links.
RSS feed URLs entered by the user are validated to
http:orhttps:inpromptForFeedUrl, but item links inside the feed are not subject to the same restriction. The provider maps each RSS/Atom item link intoitem.url, filters only for presence and date, and returns the item list. The live-folder manager later creates pinned lazy tabs from these values withgBrowser.addTrustedTab(item.url, ...).Impact:
An attacker-controlled or compromised feed can influence browser tab creation with non-web item URLs. The final severity depends on how the runtime handles each scheme when lazy trusted tabs are restored or selected, but the current trust boundary allows untrusted feed content to choose navigation targets that should be limited to ordinary web URLs.
Preconditions:
http/httpslink.Non-destructive validation:
http://127.0.0.1.Expected result:
The provider should reject or drop non-
http/httpsitem links before they reach tab creation.Observed source behavior:
The source code only validates the top-level feed URL, not individual item links.
Recommended fix:
new URL.http:andhttps:item links.ZenLiveFoldersManagerbeforeaddTrustedTab.javascript:,data:,file:,about:,chrome:, invalid URLs, and normalhttps:links.