Closed Bug 286629 Opened 19 years ago Closed 19 years ago

Allow untrusted script access to Components.lookupMethod

Categories

(Core :: XPConnect, defect)

RESOLVED FIXED

People

(Reporter: ted, Assigned: jst)

Attachments

(3 files)

Components.lookupMethod allows script to get the "original" implementation of a
method.  In XBL that is bound to an untrusted DOM, this method is not available,
so webpages can break XBL bindings by redefining necessary methods such as
createElement.

This can be seen in particular in the Flashblock extension, which attaches an
XBL binding to embed tags, and uses document.createElement, which means
arbitrary pages can redefine that function and break the binding, thus letting
Flash through.

This change lets anyone call Components.lookupMethod() from anywhere. I can't
see any harm in permitting that, so I'm proposing we check this in.
Attachment #177799 - Flags: superreview?(brendan)
Attachment #177799 - Flags: review?(dveditz)

Comment on attachment 177799 [details] [diff] [review]
Let anyone call Components.lookupMethod

r=dveditz

If we're going to make changes here, how 'bout allowing isSuccessCode too? No
reason to block it, and could prevent errors in code that doesn't expect a
non-zero success.
Attachment #177799 - Flags: review?(dveditz) → review+

Comment on attachment 177799 [details] [diff] [review]
Let anyone call Components.lookupMethod

>+    static const char* allowed[] = { "lookupMethod", nsnull};
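
Review bot: the `allowed[]` array on this line names what untrusted callers may reach, but nothing next to it records why `lookupMethod` is safe to expose. A short comment above the array stating the reasoning, and that any name added later needs the same justification, would keep the list from growing without scrutiny.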

Uber-nit: space after nsnull before the closing brace?

I agree with Dan, why not expose isSuccessCode too?  Gotta stick up for
NS_COMFALSE (blech! ;-) here.

/be
Attachment #177799 - Flags: superreview?(brendan) → superreview+

Do we still perform the correct security checks at some point? (I'm not up on
whether we do the method security checks at invocation or reference).

(In reply to comment #4)
> Do we still perform the correct security checks at some point? (I'm not up on
> whether we do the method security checks at invocation or reference).

The security check happens in XPCWrappedNative::CallMethod(), which is invoked
no matter how you get at a JS function for a XPConnect implemented
method/getter/setter on a native wrapper, so it's all good AFAIKT (and testing
verified this too).
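
The behaviour discussed in this thread, as an added JavaScript model that is not part of the bug or of Mozilla's code: plain objects stand in for the document and for XPConnect, and `makeDocument`, `checkAccess`, `lookupMethod` and the two binding functions are hypothetical names. It shows a page-redefined `createElement` breaking a binding, the looked-up original resisting that, and the access check still running at invocation rather than at reference.

```javascript
// Model only: plain objects stand in for the DOM and XPConnect; all names are hypothetical.
const NativeDocument = {
  // The "original" implementation lives on the prototype.
  createElement(tag) { return { tag, native: true }; },
};

function makeDocument(origin) {
  return Object.assign(Object.create(NativeDocument), { origin });
}

// Stand-in for the per-call access check the thread says runs at invocation.
function checkAccess(caller, target) {
  if (!caller.privileged && caller.origin !== target.origin) {
    throw new Error("access denied");
  }
}

// Stand-in for Components.lookupMethod: skips own properties the page may have
// set on the object and returns the prototype's method. Obtaining the
// reference is unchecked; calling it is checked.
function lookupMethod(obj, name) {
  const original = Object.getPrototypeOf(obj)[name];
  if (typeof original !== "function") throw new TypeError("no such method: " + name);
  return (caller, ...args) => {
    checkAccess(caller, obj);
    return original.apply(obj, args);
  };
}

// A binding that creates a placeholder element, written both ways.
function bindingNaive(doc) {
  return doc.createElement("div");         // resolves to whatever the page installed
}
function bindingHardened(doc, caller) {
  return lookupMethod(doc, "createElement")(caller, "div");
}

function demo() {
  const doc = makeDocument("https://page.example");     // constructed sample origin
  const binding = { origin: "https://page.example" };   // assumption: binding runs as the page
  doc.createElement = () => null;          // page redefines the method, as in the report
  let denied = false;
  try { bindingHardened(doc, { origin: "https://other.example" }); }
  catch (e) { denied = e.message === "access denied"; }
  return {
    naive: bindingNaive(doc),              // placeholder never created
    hardened: bindingHardened(doc, binding),
    crossOriginDenied: denied,
  };
}
```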
Attachment #177799 - Flags: approval1.8b2?

Comment on attachment 177799 [details] [diff] [review]
Let anyone call Components.lookupMethod

a=chofmann
Attachment #177799 - Flags: approval1.8b2? → approval1.8b2+

FIXED.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Depends on: 693733