Closed Bug 163768 Opened 22 years ago Closed 22 years ago

Prevent web content from accessing non-XBL anonymous content

Categories: Core :: Security, defect
Platform: x86 Linux
Type: defect
Priority: Not set
Severity: normal
Tracking: RESOLVED DUPLICATE of bug 164086
People: Reporter: john, Assigned: john

Details

Some of our inputs use anonymous content, particularly input type=text and input
type=file.  It is a Bad Thing when users access this stuff.  We should put a
check in the JS wrapper / classinfo code that prevents creation of a wrapper if:

(1) the content is anonymous (this could be a bit in mFlags for efficient checking)
(2) the content is non-XBL (we think bindingParent will tell us this--need to
ensure that bindingParent is null in the case of anonymous children of an input
type=file that is itself an anonymous child of XBL)
(3) web content is accessing it

This preemptively strikes a whole class of input type=file exploits and prevents
users from meddling where they aren't wanted.  Chrome could create a JS wrapper
and hand it to web content, but that is a less likely situation (at least in the
current world).
Also, when this gets fixed we should get rid of the fix for bug 163598 since it
will be redundant.
Status: NEW → ASSIGNED
Depends on: 163598
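A model of the three-part check described in the bug, added here as an illustration; it is not Gecko code and not a patch from this bug. The Node class, the FLAG_ANONYMOUS bit standing in for the proposed mFlags bit, the tag names and the sample tree are assumptions. It covers all three conditions and the edge case the description calls out: an input type=file that is itself XBL anonymous content still has native anonymous children whose bindingParent is null.

```javascript
// Added model of the gate proposed in this bug: web content gets no JS wrapper
// for native (non-XBL) anonymous content. Not Gecko code: the Node class, the
// flag bit and the tag names are assumptions made for illustration.

const FLAG_ANONYMOUS = 1 << 0; // assumed stand-in for "a bit in mFlags"

class Node {
  constructor(tag, { parent = null, anonymous = false, bindingParent = null } = {}) {
    this.tag = tag;
    this.mFlags = anonymous ? FLAG_ANONYMOUS : 0;
    // Assumption taken from the description: bindingParent is non-null only for
    // anonymous content inserted by an XBL binding, and null for native
    // anonymous content such as the inner field of <input type=file>.
    this.bindingParent = bindingParent;
    this.children = [];
    if (parent) parent.children.push(this);
  }
  isAnonymous() { return (this.mFlags & FLAG_ANONYMOUS) !== 0; }
  isXBLAnonymous() { return this.isAnonymous() && this.bindingParent !== null; }
}

// The check the description proposes at wrapper creation: refuse when
// (1) the node is anonymous, (2) it is non-XBL, and (3) the caller is web content.
function canCreateWrapper(node, callerIsChrome) {
  if (callerIsChrome) return true;        // (3): chrome callers are not gated
  if (!node.isAnonymous()) return true;   // (1): ordinary content is always fine
  return node.isXBLAnonymous();           // (2): XBL anonymous content stays reachable
}

// What a caller can reach by walking the tree. Traversal stops at any node for
// which no wrapper can be created, since the caller never gets an object for it.
function reachableTags(root, callerIsChrome) {
  const out = [];
  (function walk(node) {
    if (!canCreateWrapper(node, callerIsChrome)) return;
    out.push(node.tag);
    node.children.forEach(walk);
  })(root);
  return out;
}

// Constructed sample tree covering the cases in the description.
function buildSampleTree() {
  const body = new Node('body');
  // <input type=file> with its native anonymous text field and button.
  const fileInput = new Node('input[type=file]', { parent: body });
  const nativeText = new Node('input[type=text]', { parent: fileInput, anonymous: true });
  const nativeButton = new Node('button', { parent: fileInput, anonymous: true });
  // An XBL-bound element; its anonymous children carry a bindingParent.
  const bound = new Node('xul:scrollbar', { parent: body });
  const xblThumb = new Node('xul:thumb', { parent: bound, anonymous: true, bindingParent: bound });
  // Edge case: an <input type=file> that is itself XBL anonymous content. Its own
  // native anonymous child must still have bindingParent === null, otherwise it
  // would be mistaken for XBL content and exposed to web content.
  const xblFileInput = new Node('input[type=file]', { parent: bound, anonymous: true, bindingParent: bound });
  const nestedNativeText = new Node('input[type=text]', { parent: xblFileInput, anonymous: true });
  return { body, fileInput, nativeText, nativeButton, bound, xblThumb, xblFileInput, nestedNativeText };
}

const tree = buildSampleTree();
console.log('web content sees:', reachableTags(tree.body, false).join(', '));
console.log('chrome sees:     ', reachableTags(tree.body, true).join(', '));
```

The model gates wrapper creation only, which is exactly the scope of the proposal: it does nothing about the case the description mentions where chrome creates a wrapper and hands it to web content.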
Since this alludes to what the fix is for 163598 (and thus making guessing the
security bug easier), marking this security sensitive to be on the safe side.
Group: security?
We went with this solution for bug 164086.

*** This bug has been marked as a duplicate of 164086 ***
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Group: security