Closed
Bug 424188
Opened 16 years ago
Closed 16 years ago
[FIX]Possible to exploit relative xul:script URIs in signed jars
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
People
(Reporter: bzbarsky, Assigned: bzbarsky)
References
()
Details
(Keywords: fixed1.8.1.15, Whiteboard: [sg:high][fixed on branch by 424426])
Attachments
(1 file)
|
10.03 KB,
patch
|
sicking
:
review+
sicking
:
superreview+
damons
:
approval1.9b5+
damons
:
approval1.9+
|
Details | Diff | Splinter Review |
|
Assignee | |
Comment 1•16 years ago
|
||
The problem is presumably that XUL doesn't use the scriptloader for <xul:script> and hence doesn't do the downgrading that the scriptloader does?
|
|
Assignee | |
Comment 3•16 years ago
|
||
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #310841 -
Flags: superreview?(jonas)
Attachment #310841 -
Flags: review?(jonas)
|
|
Assignee | |
Updated•16 years ago
|
Flags: in-testsuite?
Summary: Possible to exploit relative script URIs in signed jars → [FIX]Possible to exploit relative script URIs in signed jars
Comment on attachment 310841 [details] [diff] [review] Fix Looks good
Attachment #310841 -
Flags: superreview?(jonas)
Attachment #310841 -
Flags: superreview+
Attachment #310841 -
Flags: review?(jonas)
Attachment #310841 -
Flags: review+
|
|
Assignee | |
Comment 5•16 years ago
|
||
Comment on attachment 310841 [details] [diff] [review] Fix Extend to XUL the protection HTML already had. Only affects non-chrome XUL served inside a signed jar. Such XUL can no longer keep its signed status if it includes unsigned scripts. Might be worth beta exposure.
Attachment #310841 -
Flags: approval1.9b5?
Attachment #310841 -
Flags: approval1.9?
|
||
Comment 6•16 years ago
|
||
Can we get a test for this?
|
|
Assignee | |
Comment 7•16 years ago
|
||
I'm not going to have time to write one in time for beta... We need some tests for bug 418996 too, and to test this we need to either copy the server-side stuff Collin set up or (better) come up with some custom signed jars that mochitests can use...
|
|
||
Comment 8•16 years ago
|
||
Comment on attachment 310841 [details] [diff] [review] Fix Can I get a promise that we'll get a test case for this and bug 418996? :) a1.9+ & a1.9beta5+=damons
Attachment #310841 -
Flags: approval1.9b5?
Attachment #310841 -
Flags: approval1.9b5+
Attachment #310841 -
Flags: approval1.9?
Attachment #310841 -
Flags: approval1.9+
|
|
Assignee | |
Comment 9•16 years ago
|
||
> Can I get a promise that we'll get a test case for this and bug 418996? :)
Absolutely. It's on my short-list of bugs to write tests for as soon as I have the time. I'm just not sure that will be before 1.9 ship...
If someone picks this up in the meantime, great. If not, once I finish this whole dissertation thing, I'll just do it.|
|
Assignee | |
Comment 10•16 years ago
|
||
Filed bug 424488 on having a decent way to test this in a good controlled manner.
|
|
Assignee | |
Comment 11•16 years ago
|
||
Checked in. Marking fixed in the sense that XUL and HTML now behave the same, though Collin found bug 424426, which affects both for now.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Summary: [FIX]Possible to exploit relative script URIs in signed jars → [FIX]Possible to exploit relative xul:script URIs in signed jars
|
||
Updated•16 years ago
|
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.14?
Whiteboard: [sg:high]
|
|
||
Updated•16 years ago
|
Flags: blocking1.8.1.15? → blocking1.8.1.15+
|
||
Updated•16 years ago
|
Whiteboard: [sg:high] → [sg:high][needs branch patch - eta July?]
|
||
Comment 12•16 years ago
|
||
The branch patch in bug 424426 fixes this bug.
|
|
||
Updated•16 years ago
|
Whiteboard: [sg:high][needs branch patch - eta July?] → [sg:high][fixed on branch by 424426]
|
||
Comment 14•16 years ago
|
||
(In reply to comment #0) > See bug 418996 comment 1 and bug 418996 comment 21. > I tested the fix with the linked test case in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15pre) Gecko/2008061005 BonEcho/2.0.0.15pre and the case doesn't repro like it does for 2.0.0.14. Is there additional testing that we should do to verify this?
|
||
Updated•16 years ago
|
OS: Linux → All
Hardware: PC → All
|
|
||
Updated•16 years ago
|
Group: security
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•