Closed Bug 200573 Opened 21 years ago Closed 21 years ago

Faulty embedding could lead to Code execution or suspicious application behavior

Categories

(Rhino Graveyard :: Core, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED INVALID

People

(Reporter: mcbridematt, Assigned: norrisboyd)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: All releases with LiveConnect

As the leader of the Jazilla project, it has come to my attention that in the 
future, someone might slip in some JS code which executes applications via 
LiveConnect. I have not been able to verify this, but LiveConnect is proposed 
to be allowed within my application.

Reproducible: Couldn't Reproduce

Steps to Reproduce:
Insert JavaScript code executing applications via LiveConnect



Expected Results:  
Haven't tried, but Rhino should deny it

This problem is trivial, but could happen in open source projects or ones that 
load external JS files and have LiveConnect enabled
cc'ing Igor -
To disable LiveConnect, use org.mozilla.javascript.ClassShutter,
http://lxr.mozilla.org/mozilla/source/js/rhino/src/org/mozilla/javascript/ClassShutter.java
, which prevents any class from being loaded, and set an instance of it on any Context
object you use:

static public final ClassShutter disableLiveConnect = new ClassShutter() 
{
    public boolean visibleToScripts(String fullClassName)
    {
        return false;
    }
};

...
    Context cx = Context.enter();
    cx.setClassShutter(disableLiveConnect);
...


You can even disable it from JavaScript itself:

var cx = Packages.org.mozilla.javascript.Context.getCurrentContext();
var disableLC = { visibleToScripts: function(className) { return false; } };
cx.setClassShutter(new Packages.org.mozilla.javascript.ClassShutter(disableLC));

Then anything like new java.lang.Integer(0) should give an exception.


Moreover, you should restrict scripts by enabling SecurityManager and probably
implement org.mozilla.javascript.SecurityController to provide different
privileges to different scripts.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
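The blanket shutter above hides every Java class. As an added example (not code from this bug or from the Rhino project), the variant below generalizes it to an allowlist: only the named value classes stay visible, and a call that tries to reach a hidden class fails with a Rhino exception. It assumes Rhino's public API (Context, ClassShutter, Scriptable, RhinoException); the class names in ALLOWED are a constructed sample.

```java
// Added example, not from the bug thread or the Rhino project: an allowlist
// ClassShutter that exposes only a small set of value classes to scripts and
// hides everything else, so script code cannot reach other JDK classes
// through LiveConnect. ALLOWED is a constructed sample set.
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

public class RestrictedEmbedding {
    // Only classes named here are visible to scripts; everything else is hidden.
    static final java.util.Set<String> ALLOWED = new java.util.HashSet<>(
        java.util.Arrays.asList("java.lang.String", "java.lang.Integer"));

    static final ClassShutter ALLOWLIST = new ClassShutter() {
        public boolean visibleToScripts(String fullClassName) {
            return ALLOWED.contains(fullClassName);
        }
    };

    /** Evaluates untrusted script source under the allowlist shutter and returns
     *  the result as a string, or "denied: ..." if Rhino refused something. */
    static String run(String source) {
        Context cx = Context.enter();
        try {
            // The shutter must be installed before the script touches any Java class.
            cx.setClassShutter(ALLOWLIST);
            Scriptable scope = cx.initStandardObjects();
            Object result = cx.evaluateString(scope, source, "untrusted", 1, null);
            return Context.toString(result);
        } catch (RhinoException e) {
            return "denied: " + e.getMessage();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Allowed: a class on the allowlist behaves normally (prints 42).
        System.out.println(run("new java.lang.Integer(41).intValue() + 1"));
        // Hidden: the name resolves to a package stub rather than a class, so the
        // method call raises a TypeError that run() reports as "denied: ...".
        System.out.println(run("java.lang.Runtime.getRuntime()"));
    }
}
```

Because setClassShutter may be called only once per Context, install the shutter right after Context.enter() and before any script runs.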
Marking Verified -
Status: RESOLVED → VERIFIED
Targeting as resolved against 1.5R5
Target Milestone: --- → 1.5R5
Removing confidential flag from bugs resolved INVALID
Group: security