Closed
Bug 301069
Opened 20 years ago
Closed 20 years ago
Bug 298934 (Dialog Origin Spoofing) not fixed on Mac
Categories
(Core :: Security, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla1.8beta4
People
(Reporter: tkh212+bugzilla, Assigned: asaf)
References
()
Details
(Whiteboard: [sg:spoof])
Attachments
(2 files)
|
91.56 KB,
image/png
|
Details | |
|
4.60 KB,
patch
|
jaas
:
review+
mconnor
:
review+
dveditz
:
approval-aviary1.0.8+
mconnor
:
approval1.8b4+
|
Details | Diff | Splinter Review |
Screenshot of dialog
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050716 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8b4) Gecko/20050716 Firefox/1.0+
Bug 298934 addresses SA15489, Dialog Origin Spoofing. However, the fix from
that bug doesn't apply to Mac OS X, because sheets don't have a visible title or
title bar on that platform (so it doesn't display the source URL anywhere). I
will attach a screenshot.
One possible way to fix this would be to include the URL after the dialog text,
in brackets, or some other formatting to make it distinct from the dialog text.
I verified this in Firefox 1.0.5 and the 2005-07-16 trunk build. If possible,
this should probably be fixed in the upcoming 1.0.6, since it's already been
fixed on all other platforms...
Reproducible: Always
|
Reporter | |
Comment 1•20 years ago
|
||
Here is a screenshot showing the problem (lack of the originating URL in the
dialog).
|
|
Reporter | |
Comment 2•20 years ago
|
||
Since the spoofing vulnerability was announced as fixed in Firefox 1.0.5, but
wasn't on the Mac, this should probably be fixed in 1.0.6. Nominating.
Flags: blocking-aviary1.0.6?
|
||
Comment 3•20 years ago
|
||
There is a visual difference, though perhaps not one a user would consciously
notice. In a real prompt from the target page the sheet would show at the top.
In the spoof the sheet is attached to a tiny titlebar floating mid-page.
No need for the security flag since the original secunia announcement is public.
Assignee: dveditz → joshmoz
Group: security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:fix]
|
||
Comment 4•20 years ago
|
||
I think that FF should be changed to not use sheets for these dialogs. The
window title should be visible.
|
||
Comment 5•20 years ago
|
||
I disagree. I think that we *should* be using sheets (tab-modal sheets, but
that's another bug), but we should put the site name in the content of the sheet
itself.
|
||
Comment 6•20 years ago
|
||
Per 1.0.6 meeting, minusing for aviary1.0.6, nominating for aviary1.0.7.
Flags: blocking-aviary1.0.7?
Flags: blocking-aviary1.0.6?
Flags: blocking-aviary1.0.6-
|
Assignee | |
Updated•20 years ago
|
Assignee: joshmoz → bugs.mano
Flags: blocking1.8b4?
Priority: -- → P2
Target Milestone: --- → mozilla1.8beta4
|
|
Assignee | |
Comment 7•20 years ago
|
||
(In reply to comment #5)
> I disagree. I think that we *should* be using sheets (tab-modal sheets, but
> that's another bug), but we should put the site name in the content of the sheet
> itself.
Indeed, mac ordinary dialogs expose the dialog header inside the dialog and keep
the titlebar empty. see: http://tinyurl.com/bdozq
|
|
Assignee | |
Updated•20 years ago
|
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 8•20 years ago
|
||
Attachment #190312 -
Flags: review?(joshmoz)
Comment on attachment 190312 [details] [diff] [review]
Expose dialog titles - v1
-+ content/global/commonDialog.js (commonDialog.js)
-+ content/global/commonDialog.xul (commonDialog.xul)
+*+ content/global/commonDialog.js (commonDialog.js)
+*+ content/global/commonDialog.xul (commonDialog.xul)
Fix the spacing issue you introducted there, r=josh
Attachment #190312 -
Flags: review?(joshmoz) → review+
|
|
Assignee | |
Updated•20 years ago
|
Attachment #190312 -
Flags: superreview?(mconnor)
Attachment #190312 -
Flags: approval1.8b4?
Attachment #190312 -
Flags: approval-aviary1.0.7?
|
|
Assignee | |
Updated•20 years ago
|
Attachment #190312 -
Flags: superreview?(mconnor) → review?(mconnor)
|
||
Updated•20 years ago
|
Flags: blocking1.8b4? → blocking1.8b4+
|
||
Updated•20 years ago
|
Attachment #190312 -
Flags: review?(mconnor)
Attachment #190312 -
Flags: review+
Attachment #190312 -
Flags: approval1.8b4?
Attachment #190312 -
Flags: approval1.8b4+
|
|
Assignee | |
Comment 10•20 years ago
|
||
Please file a separate bug for the suite, thanks.
Checking in toolkit/content/commonDialog.js;
/cvsroot/mozilla/toolkit/content/commonDialog.js,v <-- commonDialog.js
new revision: 1.9; previous revision: 1.8
done
Checking in toolkit/content/commonDialog.xul;
/cvsroot/mozilla/toolkit/content/commonDialog.xul,v <-- commonDialog.xul
new revision: 1.6; previous revision: 1.5
done
Checking in toolkit/content/jar.mn;
/cvsroot/mozilla/toolkit/content/jar.mn,v <-- jar.mn
new revision: 1.17; previous revision: 1.16
done
Checking in toolkit/themes/pinstripe/global/formatting.css;
/cvsroot/mozilla/toolkit/themes/pinstripe/global/formatting.css,v <--
formatting.css
new revision: 1.5; previous revision: 1.4
done
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 11•20 years ago
|
||
I think the way it looks with this fix is somewhat ugly...the body text doesn't
look right in it's non-bold form, and the URL may as well be in a title bar! I
still think it would look better at the bottom instead of the top...the actual
message text should be bold, as before, and the URL/dialog title should be the
plain text, at the bottom instead of the top. IMO, this would be more visually
appealing...
|
|
Assignee | |
Updated•19 years ago
|
Flags: blocking-aviary1.0.7?
|
|
Assignee | |
Updated•19 years ago
|
Attachment #190312 -
Flags: approval-aviary1.0.7?
|
|
Assignee | |
Updated•19 years ago
|
Flags: blocking-aviary1.0.7?
Flags: blocking-aviary1.0.6-
|
|
Assignee | |
Updated•19 years ago
|
Attachment #190312 -
Flags: approval-aviary1.0.7?
|
|
||
Updated•19 years ago
|
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Whiteboard: [sg:fix] → [sg:spoof]
|
|
||
Comment 12•19 years ago
|
||
Comment on attachment 190312 [details] [diff] [review]
Expose dialog titles - v1
a=dveditz for drivers
Attachment #190312 -
Flags: approval-aviary1.0.8? → approval-aviary1.0.8+
|
|
||
Updated•19 years ago
|
Attachment #190312 -
Flags: approval1.7.13+
|
|
Assignee | |
Comment 13•19 years ago
|
||
Daniel, this patch does not affect the mozilla suite portion, see cooment 10.
|
|
Assignee | |
Comment 14•19 years ago
|
||
fixed-aviary1.0.8:
Checking in toolkit/content/commonDialog.js;
/cvsroot/mozilla/toolkit/content/commonDialog.js,v <-- commonDialog.js
new revision: 1.1.28.1.2.3; previous revision: 1.1.28.1.2.2
done
Checking in toolkit/content/commonDialog.xul;
/cvsroot/mozilla/toolkit/content/commonDialog.xul,v <-- commonDialog.xul
new revision: 1.1.42.1; previous revision: 1.1
done
Checking in toolkit/content/jar.mn;
/cvsroot/mozilla/toolkit/content/jar.mn,v <-- jar.mn
new revision: 1.6.8.5.2.1; previous revision: 1.6.8.5
done
Checking in toolkit/themes/pinstripe/global/formatting.css;
/cvsroot/mozilla/toolkit/themes/pinstripe/global/formatting.css,v <-- formatting.css
new revision: 1.1.2.1.2.1; previous revision: 1.1.2.1
done
Keywords: fixed-aviary1.0.8
|
|
||
Updated•19 years ago
|
Flags: blocking1.7.13+
|
|
||
Updated•19 years ago
|
Attachment #190312 -
Flags: approval1.7.13+
|
||
Comment 15•19 years ago
|
||
verified using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060215 Firefox/1.0.8. Using the test case on the secunia site, the dialog titles look fine. adding keyword.
Keywords: fixed-aviary1.0.8 → verified-aviary1.0.8
You need to log in
before you can comment on or make changes to this bug.
Description
•