Closed
Bug 162393
Opened 22 years ago
Closed 22 years ago
[FIX]a variable called "content" confuses urlSecurityCheck in contentAreaUtils.js
Categories
(Core :: Security, defect, P1)
Core
Security
Tracking
()
VERIFIED
FIXED
mozilla1.2beta
People
(Reporter: jruderman, Assigned: caillon)
References
()
Details
(Whiteboard: [sg:blocker])
Attachments
(4 files, 5 obsolete files)
624 bytes,
text/html
|
Details | |
612 bytes,
text/html
|
Details | |
6.47 KB,
patch
|
bzbarsky
:
review+
caillon
:
superreview+
asa
:
approval+
|
Details | Diff | Splinter Review |
11.66 KB,
patch
|
caillon
:
approval+
|
Details | Diff | Splinter Review |
http://www.uni-duesseldorf.de/ulb/db.html defines a variable called |content|, which causes "Open Link in New Window" to break with this error message: Error: focusedWindow._content.location has no properties Source File: chrome://communicator/content/contentAreaUtils.js Line: 59 Thanks to biesi for pointing out this bug on #mozillazine. This is a security hole. If a page defines |content| such that content.location.href is the string "chrome://foo", middle-clicking (or selecting Open Link in New Window) on a link to a chrome url succeeds. I think functions in contentAreaUtils.js such as openNewWindowWith and urlSecurityCheck should pass around the content document that contains the link rather than relying on xuldocument.commandDispatcher.focusedWindow and isDocumentFrame. It seems to me that passing around the content document would be simpler.
Reporter | ||
Comment 3•22 years ago
|
||
Reporter | ||
Comment 4•22 years ago
|
||
Attachment #95030 -
Attachment is obsolete: true
Reporter | ||
Comment 5•22 years ago
|
||
Assignee | ||
Updated•22 years ago
|
Attachment #95031 -
Attachment mime type: text/plain → text/html
Comment 6•22 years ago
|
||
Um, testcase B doesn't seem to be exploitable using a trunk build, is it exploitable using a branch build only?
Comment 7•22 years ago
|
||
Haven't we seen this before? Bug 143369 was this type of problem, too, wasn't it?
Comment 8•22 years ago
|
||
jst, testcase B is exploitable for me if I open the link in a new window.
Comment 9•22 years ago
|
||
oops, forgot to mention, that was with trunk build 2002081209 on windows98.
Assignee | ||
Comment 10•22 years ago
|
||
There's actually several different bugs that this is about. I can fix these, but I'd like to know whether or not I need to conjure up a "real fix" or a "lowest risk" fix (i.e. is this wanted for MachV?). Nominating in either case.
Keywords: nsbeta1
Comment 11•22 years ago
|
||
The good news is that javascript: URLs don't seem to run with chrome privileges even after this trick.
Comment 12•22 years ago
|
||
Oh, duh. I didn't read testcase B through before testing, it is exploitable using trunk builds.
Assignee | ||
Comment 13•22 years ago
|
||
Can't do anything serious with this, so not a MachV stopper. This is something we should fix in Buffy though.
Priority: -- → P1
Target Milestone: --- → mozilla1.2alpha
Comment 14•22 years ago
|
||
*** Bug 167941 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 15•22 years ago
|
||
Works against both testcases. I actually want to remove urlSecurityCheck completely from contentAreaUtils.js. There is still one place, http://lxr.mozilla.org/mozilla/source/editor/ui/composer/content/editorApplicationOverlay.js#63 that calls it, but I can't find any callers of that method (editLink). I'll double check with the editor folks first, though.
Assignee | ||
Comment 16•22 years ago
|
||
With the code completely moved into browser.xml
Assignee | ||
Comment 17•22 years ago
|
||
glazou/cmanske: is this change ok with you guys?
Comment 18•22 years ago
|
||
Comment on attachment 99792 [details] [diff] [review] Same as before; but completely removing urlSecurityCheck r=cmanske for change in editorApplicationOverlay.js
Attachment #99792 -
Flags: review+
Updated•22 years ago
|
Attachment #99792 -
Flags: review+
Comment 19•22 years ago
|
||
This change doesn't seem right. For a frameset we would use the frame's URL as the referrer, now we'll always be using the outermost frameset's URL. Also, do we always want to fall back to the document.currentURI or about:blank for the referrer in the security check? Should clicking a bookmark in the personal toolbar really be checked against document.currentURI?
Assignee | ||
Comment 20•22 years ago
|
||
Attachment #99791 -
Attachment is obsolete: true
Attachment #99792 -
Attachment is obsolete: true
We need this for 1.2 final.
Whiteboard: [sg:blocker]
Assignee | ||
Comment 22•22 years ago
|
||
All righty then.
Summary: a variable called "content" confuses urlSecurityCheck in contentAreaUtils.js → [FIX]a variable called "content" confuses urlSecurityCheck in contentAreaUtils.js
Target Milestone: mozilla1.2alpha → mozilla1.2beta
Comment 23•22 years ago
|
||
So comments on irc to caillon: isDocumentFrame should probably be renamed to isContentFrame or isContentWindow focusedWindow.location.href is unsafe and should be replaced with the lookupMethod version.
Assignee | ||
Comment 24•22 years ago
|
||
Attachment #102669 -
Attachment is obsolete: true
Comment 25•22 years ago
|
||
Comment on attachment 103009 [details] [diff] [review] Patch v2.1 >Index: xpfe/browser/resources/content/navigator.js >- if (!_content || !_content.frames.length || !isDocumentFrame(document.commandDispatcher.focusedWindow)) >+ if (!content || !content.length || !isContentFrame(document.commandDispatcher.focusedWindow)) Even though you and I know that content.frames == content (ewww), I think the code is clearer if you keep this as content.frames.length. >Index: xpfe/communicator/resources/content/contentAreaUtils.js > function urlSecurityCheck(url, doc) > { > // URL Loading Security Check > var focusedWindow = doc.commandDispatcher.focusedWindow; >+ var sourceWin = getContentFrameHref(focusedWindow); Perhaps this should be named sourceURL instead of sourceWin. sr=jag
Attachment #103009 -
Flags: superreview+
Comment 26•22 years ago
|
||
Actually, name the function getContentFrameURI, href is the property name but the URI is really what you're getting there.
Assignee | ||
Comment 27•22 years ago
|
||
jag's comments addressed.
Attachment #103009 -
Attachment is obsolete: true
Comment 28•22 years ago
|
||
Comment on attachment 103106 [details] [diff] [review] Patch v2.2 r=bzbarsky
Attachment #103106 -
Flags: review+
Assignee | ||
Comment 29•22 years ago
|
||
Comment on attachment 103106 [details] [diff] [review] Patch v2.2 transferring sr=jag
Attachment #103106 -
Flags: superreview+
Comment 30•22 years ago
|
||
Comment on attachment 103106 [details] [diff] [review] Patch v2.2 a=asa for checkin to 1.2 (on behalf of drivers)
Attachment #103106 -
Flags: approval+
Assignee | ||
Comment 31•22 years ago
|
||
Fixed, though this didn't make the beta.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 32•22 years ago
|
||
caillon: I suspect this bug applies to the 1.0 branch as well. If so, once it gets a little baking on trunk, I'd like you to make a 1.0 branch patch as well.
Assignee | ||
Comment 33•22 years ago
|
||
Sure will do. For reference, this fix depends on the fix for bug 159667 which was not checked into the 1.0 branch.
Comment 34•22 years ago
|
||
this has caused regressions in composer
OS: Windows 2000 → All
Hardware: PC → All
Assignee | ||
Comment 35•22 years ago
|
||
I haven't actually tested this against the 1.0 branch since it appears the branch doesn't support the compiler I'm using (gcc3.2), which seems a bit strange to me as gcc3.2 is likely going to be sticking around for quite a while...
Comment 36•22 years ago
|
||
I'm kind of confused. This made it into the mozilla trunk, right? I see a note about regressions in composer.
Assignee | ||
Comment 37•22 years ago
|
||
The regression is/was bug 175304 and has already been fixed on trunk. The branc patch I uploaded includes that fix (sans the comment as requested by brade).
Comment 38•22 years ago
|
||
Discussed in bBird team meeting. Minusing for bBird.
Assignee | ||
Comment 39•22 years ago
|
||
Comment on attachment 104130 [details] [diff] [review] Patch for 1.0 branch Adding a=asa,shaver,roc+moz via email and confirming with roc on irc that 3 oks is an implied a=.
Attachment #104130 -
Flags: approval+
Assignee | ||
Comment 40•22 years ago
|
||
Checked in on the branch.
Whiteboard: [sg:blocker] → [sg:blocker][fixed1.0.2]
Updated•22 years ago
|
Keywords: fixed1.0.2
Whiteboard: [sg:blocker][fixed1.0.2] → [sg:blocker]
Comment 41•22 years ago
|
||
Verified on 2002-11-06-branch build on Win 2000. Both above test cases work as expected.
Status: RESOLVED → VERIFIED
Updated•22 years ago
|
Group: security
Updated•19 years ago
|
Flags: testcase+
Updated•17 years ago
|
Flags: in-testsuite+ → in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•