Closed
Bug 468045
Opened 16 years ago
Closed 16 years ago
worker threads can access Components.*
Categories
(Core :: DOM: Core & HTML, defect, P1)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla1.9.2a1
People
(Reporter: timeless, Assigned: timeless)
References
Details
(Keywords: fixed1.9.1, Whiteboard: [sg:critical])
Attachments
(3 files, 2 obsolete files)
541 bytes,
text/javascript
|
Details | |
593 bytes,
text/html
|
Details | |
5.37 KB,
patch
|
bent.mozilla
:
review+
bent.mozilla
:
superreview+
|
Details | Diff | Splinter Review |
Components.stack/Components.classes are supposed to be restricted from content Components.interfaces is supposed to be available (for historical reasons).
Flags: blocking1.9.1?
Attachment #351529 -
Attachment is obsolete: true
Comment 3•16 years ago
|
||
No need to let worker threads access Components.interfaces either, there's no legacy here. In fact, we shouldn't expose Components at all.
i've given ted a patch to try, if it works, i'd hope someone will commit it
Comment 5•16 years ago
|
||
timeless asked me to test this patch he wrote. Without this patch, I see the contents of Components.classes in the test page here, with the patch I just see "hiReferenceError: Components is not defined".
Updated•16 years ago
|
Assignee: nobody → timeless
Updated•16 years ago
|
Attachment #351542 -
Flags: review?(jst)
Ugh, this was a todo that got forgotten... I'm sort of amazed that this works despite the JS_DeleteProperty. Clearly we need to check in a test case here.
Comment 7•16 years ago
|
||
On a side note, it seems that Worker is not subject to CAPS property access checks. user_pref("capability.policy.default.XMLHttpRequest.send", "noAccess"); works, user_pref("capability.policy.default.Worker.postMessage", "noAccess"); doesn't. Should we file a separate bug?
That has nothing to do with accessing the Components object, so yes :)
Support for that is more or less dropped everywhere, so I don't think there's need to do anything. However if you do think we should support it, or have a discussion about it, please file a separate bug or bring it to the newsgroup. It's definitely unrelated to this bug.
Comment 10•16 years ago
|
||
Comment on attachment 351542 [details] [diff] [review] timeless' patch Looks good!
Attachment #351542 -
Flags: superreview+
Attachment #351542 -
Flags: review?(jst)
Attachment #351542 -
Flags: review+
Updated•16 years ago
|
Whiteboard: [sg:critical]
Comment 11•16 years ago
|
||
bent: can you write a test for this? I'll push this change ASAP.
(In reply to comment #6) > I'm sort of amazed that this works despite the JS_DeleteProperty. Ugh, it's defined with JSPROP_PERMANENT. Patch with testcase coming up in a sec.
Attachment #351542 -
Attachment is obsolete: true
Attachment #351606 -
Flags: superreview+
Attachment #351606 -
Flags: review+
Comment 14•16 years ago
|
||
(In reply to comment #13) > Created an attachment (id=351606) [details] > Patch for checkin How does the test's mention of Components alert watchers that there may be a security issue to be exploited? Can we check this test in while we are shipping vulnerable releases?
Comment 15•16 years ago
|
||
We should be checking the test in, yes. None of our stable releases are in fact vulnerable.
Blocks: workerthreads
Updated•16 years ago
|
Keywords: checkin-needed
Pushed changeset 3d7f812792fb to mozilla-central.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Pushed changeset 92994c8da343 to mozilla-1.9.1.
Keywords: checkin-needed → fixed1.9.1
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
Updated•15 years ago
|
Flags: in-testsuite+
OS: Windows XP → All
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.2a1
Updated•15 years ago
|
Flags: wanted1.9.0.x-
Updated•14 years ago
|
Group: core-security
Updated•11 years ago
|
Component: DOM: Mozilla Extensions → DOM
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•