Closed
Bug 105050
Opened 24 years ago
Closed 23 years ago
Webpage is loaded in message pane because of "opener"
Categories
(MailNews Core :: Security, defect, P1)
Tracking
(Not tracked)
VERIFIED
FIXED
mozilla0.9.9
People
(Reporter: bugzilla, Assigned: security-bugs)
References
Details
Attachments
(2 files)
|
1.73 KB,
patch
|
jst
:
superreview+
|
Details | Diff | Splinter Review |
|
1.54 KB,
patch
|
hjtoi-bugzilla
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
Wow... try this:
1. make sure you dont have any navigator windows running
1. start Mail and News
2. click on a link in a message the produces a new navigator window
3. in the window load: http://gemal.dk/test/3.html
and wupti the website http://gemal.dk is loaded in the message pane of Mail & News!
20011015
| Assignee | ||
Comment 1•24 years ago
|
||
Good one. This could be used for mail spoofing. Henrik, with your permission I'd
like to make this bug Security-Sensitive to protect our users. You'll still be
able to view and comment on it. If you object, just uncheck the
Security-Sensitive box above.
Clearly, a webpage should not be able to change the location of its opener if
the opener is a mail message.
A severity of 'blocker' generally means that this bug blocks someone's tests or
daily work. As I don't think that's the case, I'm changing the severity to Major.
Group: security?
Severity: blocker → major
Status: NEW → ASSIGNED
| Assignee | ||
Updated•24 years ago
|
Priority: -- → P1
Target Milestone: --- → mozilla0.9.6
Comment 2•24 years ago
|
||
*** Bug 107952 has been marked as a duplicate of this bug. ***
| Assignee | ||
Updated•24 years ago
|
Target Milestone: mozilla0.9.6 → mozilla0.9.7
| Assignee | ||
Updated•24 years ago
|
Target Milestone: mozilla0.9.7 → mozilla0.9.8
| Assignee | ||
Updated•24 years ago
|
Target Milestone: mozilla0.9.8 → mozilla0.9.9
| Assignee | ||
Comment 3•24 years ago
|
||
| Assignee | ||
Comment 4•24 years ago
|
||
Johnny, can you think of any other way for a script on a webpage to get a handle
to a mail message's window object?
Updated•24 years ago
|
Comment 5•24 years ago
|
||
Comment on attachment 69388 [details] [diff] [review]
Fix - don't expose opener property if the opener is a mail message
>+ nsCOMPtr<nsIDocShell> openerDocShell;
>+ openerSGO->GetDocShell(getter_AddRefs(openerDocShell));
>+ if (openerDocShell) {
>+ nsCOMPtr<nsIDocShellTreeItem> docShellAsItem(do_QueryInterface(openerDocShell));
Loose the null check of openerDocShell, do_QueryInterface() does that for you.
>+ if (docShellAsItem) {
>+ nsCOMPtr<nsIDocShellTreeItem> openerRootItem;
>+ docShellAsItem->GetRootTreeItem(getter_AddRefs(openerRootItem));
>+ if (openerRootItem) {
>+ nsCOMPtr<nsIDocShell> openerRootDocShell(do_QueryInterface(openerRootItem));
Loose the null check for openerRootItem...
>+ if (openerRootDocShell) {
>+ PRUint32 appType;
>+ nsresult rv = openerRootDocShell->GetAppType(&appType);
>+ if (NS_SUCCEEDED(rv) && appType != nsIDocShell::APP_TYPE_MAIL) {
>+ *aOpener = mOpener;
>+ NS_IF_ADDREF(*aOpener);
>+ return NS_OK;
This would IMO be cleaner if you'd null out *aOpener as the first thing in this
method, and then just set it here and do the NS_IF_ADDREF() and the return as
the last thing below.
>+ }
>+ }
>+ }
>+ }
>+ }
>+ }
>+ *aOpener = nsnull;
i.e. move this to the beginning of the method.
> return NS_OK;
> }
sr=jst if you fix that.
Attachment #69388 -
Flags: superreview+
| Assignee | ||
Comment 6•24 years ago
|
||
Comment 7•24 years ago
|
||
Comment on attachment 69566 [details] [diff] [review]
New patch with the above suggestions
sr=jst
Attachment #69566 -
Flags: superreview+
Comment on attachment 69566 [details] [diff] [review]
New patch with the above suggestions
r=heikki
Attachment #69566 -
Flags: review+
The patch looks it will make GetOpener() somewhat expensive - how often is
it called? lxr only turned up two references, which I find somewhat hard
to believe.
Comment 10•23 years ago
|
||
a=asa (on behalf of drivers) for checkin to 0.9.9
| Assignee | ||
Comment 11•23 years ago
|
||
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 13•23 years ago
|
||
Tor, the speed of GetOpener() should not be significant, and the changes don't
really make it that expensive. GetOpener() is very rarely used.
| Assignee | ||
Updated•23 years ago
|
Group: security?
Updated•21 years ago
|
Product: MailNews → Core
Updated•17 years ago
|
Product: Core → MailNews Core
You need to log in
before you can comment on or make changes to this bug.
Description
•