Closed Bug 311619 Opened 19 years ago Closed 19 years ago

Fix for Bug 311024 does not block (new Script(code)).exec(window)

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

RESOLVED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

References

Details

(Keywords: fixed1.7.13, fixed1.8, Whiteboard: [sg:high] xss (splitwindows))

Attachments

(2 files, 1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050916
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051007 Firefox/1.6a1

I've tested on the hourly build 2005100718 that includes the fix for Bug 311024.
(new Script(code)).exec(window) is still executed with the outer window scope.

Reproducible: Always

Steps to Reproduce:
Blake may have caught this when working on bug 311025 and/or bug 311403 (see bug
311025 comment 12), or at least we noticed some inconsistency when I was
reviewing one of the patches.
Assignee: dveditz → mrbkap
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:high]
Flags: blocking1.8rc1?
I missed script_exec, patch soon.
Status: NEW → ASSIGNED
Attached patch Wrong patch file (obsolete)
Attachment #198887 - Flags: review?(brendan)
Comment on attachment 198887
Wrong patch file

Sorry, wrong patch.
Attachment #198887 - Attachment is obsolete: true
Attachment #198887 - Flags: review?(brendan)
Attachment #198888 - Flags: review?(brendan)
Attachment #198887 - Attachment description: This should do it → Wrong patch file
Attachment #198888 - Flags: review?(brendan)
Attachment #198888 - Flags: review+
Attachment #198888 - Flags: approval1.8rc1+
Flags: blocking1.8rc1? → blocking1.8rc1+
The 1.0 branch will also need this fix
Depends on: splitwindows
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Whiteboard: [sg:high] → [sg:high] xss (splitwindows?)
Fix checked into trunk.

Dan, this is a splitwindow sort of fix. Porting it to 1.0.x might be hard. Do I
need to look into a 1.0.x fix for this?
Blocks: 311024
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
(In reply to comment #8)
> Dan, this is a splitwindow sort of fix. Porting it to 1.0.x might be hard. Do I
> need to look into a 1.0.x fix for this?

Not now. I've linked it to the splitwindows bug and we'll deal with backporting
those as a group when it's done and we round up the manpower to do it.

Whiteboard: [sg:high] xss (splitwindows?) → [sg:high] xss (splitwindows)
(In reply to comment #8)
> Fix checked into trunk.
> 
> Dan, this is a splitwindow sort of fix. Porting it to 1.0.x might be hard. Do I
> need to look into a 1.0.x fix for this?

Is there an exploit based on this bug's testcase that works in 1.0.x?  Please
attach a testcase demonstrating that attack, if possible.  I thought this bug
and bug 311024 were predicated on split windows.  We have already added
principals subsumption tests to 1.0.x and 1.7.y to handle eval and Script.

Say this bug does bite 1.0.x.  If we do not backport all of the split window
work, we might instead try to do something that will hurt performance, and that
doesn't fix all non-security bugs, but that does ensure security -- something
like adding principals holding and dropping to cloned function objects.  That
could hurt DHTML or AJAX perf, for sure.  It might be enough to ensure security,
and it would be a smaller patch.  Comments?

/be
Checked into MOZILLA_1_8_BRANCH.
Keywords: fixed1.8
Flags: testcase+
Comment on attachment 198888
This should really do it.

Do we need this patch on old branches if we're going with mrbkap's splitwindow alternative?
Attachment #198888 - Flags: approval1.7.13?
Attachment #198888 - Flags: approval-aviary1.0.8?
Fixed on the aviary1.0/mozilla1.7 branches by the split-window alternative (bug 316589)
Comment on attachment 198888
This should really do it.

No longer needed on old branches with split-windows alternative
Attachment #198888 - Flags: approval1.7.13?
Attachment #198888 - Flags: approval1.7.13-
Attachment #198888 - Flags: approval-aviary1.0.8?
Attachment #198888 - Flags: approval-aviary1.0.8-
v.fixed on 1.0.1 Aviary branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060220 Firefox/1.0.8, permission denied with cookie testcase.
Group: security
Flags: in-testsuite+ → in-testsuite?