Closed Bug 282615 Opened 20 years ago Closed 20 years ago

DOMSerializer's security checks don't take capabilities into account.

Categories

(Core :: DOM: Serializers, defect)

RESOLVED FIXED

People

(Reporter: jst, Assigned: jst)

Attachments

(2 files, 2 obsolete files)

Currently it's impossible to serialize a DOM node from a different domain even
if you enable "UniversalBrowserRead"; the nsDOMSerializer code needs to check if
that capability is enabled. Patch coming up.
Attached patch Fix. (obsolete) — Splinter Review
Attached patch Fix (diff -w for reviews) (obsolete) — Splinter Review
Attachment #174606 - Flags: superreview?(bzbarsky)
Attachment #174606 - Flags: review?(bugmail)
Comment on attachment 174606 [details] [diff] [review]
Fix (diff -w for reviews)

sr=bzbarsky
Attachment #174606 - Flags: superreview?(bzbarsky) → superreview+
Couldn't you call nsContentUtils::CanCallerAccess?

That's in the wrong library, not reachable from the nsDOMSerializer code.
Comment on attachment 174606 [details] [diff] [review]
Fix (diff -w for reviews)


>     nsCOMPtr<nsIDOMDocument> owner_doc(do_QueryInterface(aRoot));
> 
>     if (!owner_doc) {
>       aRoot->GetOwnerDocument(getter_AddRefs(owner_doc));
>     }
> 
>     nsCOMPtr<nsIDocument> doc(do_QueryInterface(owner_doc));
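
Review bot: The result of aRoot->GetOwnerDocument(getter_AddRefs(owner_doc)) is discarded, so owner_doc can still be null after the fallback and the QI on the last quoted line then produces a null doc. Since this lookup belongs to the serializer's access check, null-check doc right after that line and return a failure code, so that a node with no owner document is refused instead of continuing past the check.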

You didn't change this, but would you mind fixing the double-QI here for the
case when aRoot is a document?

You also need to check that the passed in node is an nsIContent or
nsIAttribute. Otherwise someone might pass in a js-object with a foreign node
as "child". Requesting new patch just to be on the safe side since this is
security and all that.

We desperately need to move this stuff to the securitymanager.
Attachment #174606 - Flags: review?(bugmail) → review-
Attached patch Updated fix. — Splinter Review
Attachment #174605 - Attachment is obsolete: true
Attachment #174606 - Attachment is obsolete: true
Attachment #174778 - Flags: superreview?(bzbarsky)
Attachment #174778 - Flags: review?(bugmail)
Comment on attachment 174778 [details] [diff] [review]
Updated fix (diff -w)

sr=bzbarsky
Attachment #174778 - Flags: superreview?(bzbarsky) → superreview+
Fixed.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED