Closed
Bug 1210570
Opened 9 years ago
Closed 9 years ago
|location + ""| is now spoofable
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
RESOLVED
FIXED
mozilla44
| Tracking | Status | |
|---|---|---|
| firefox43 | --- | unaffected |
| firefox44 | + | fixed |
People
(Reporter: bholley, Assigned: jorendorff)
References
Details
(Keywords: regression, sec-high)
Attachments
(2 files, 1 obsolete file)
|
1.37 KB,
patch
|
Details | Diff | Splinter Review | |
|
3.28 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
This is a regression from bug 1054756. I noticed some changes going by, and jorendorff confirmed. I'll attach a testcase.
|
Reporter | |
Comment 1•9 years ago
|
||
|
|
Reporter | |
Updated•9 years ago
|
Flags: needinfo?(jorendorff)
|
||
Comment 2•9 years ago
|
||
Are we still keeping notes in https://etherpad-mozilla.org/html5-cross-origin-objects what the specification eventually needs to say? I've been somewhat occupied with other work, but I do mean to get that in due course. And since I haven't been super involved it would be great if we kept that as an up-to-date summary.
|
||
Comment 3•9 years ago
|
||
> Are we still keeping notes in https://etherpad-mozilla.org/html5-cross-origin-objects
> what the specification eventually needs to say?
Note that this bug is about the _same_ origin case.|
|
||
Comment 4•9 years ago
|
||
I see, so specification-wise, the problem here is that IDL hasn't been updated with the latest ECMAScript lingo. It does seem in the spirit of [Unforgeable] that this should not work. (Although [Unforgeable] at times saying it only applies to members does not make that very clear.)
|
|
||
Comment 5•9 years ago
|
||
It's not a matter of lingo either. It's just that IDL defined [Unforgeable] in such a way that it nerfed all the ways you could mess with the object, then ES added new ways of messing with the object. We just need to nerf those too, and audit any future such additions to the language before implementing them. And perhaps write more forward-looking tests for possible future ways objects could be messed with, but that's hard...
|
||
Updated•9 years ago
|
status-firefox43:
--- → unaffected
status-firefox44:
--- → affected
|
||
Updated•9 years ago
|
Group: core-security → dom-core-security
|
|
||
Comment 6•9 years ago
|
||
I'm going to mark this high. Feel free to adjust as needed.
Keywords: sec-high
|
||
Updated•9 years ago
|
tracking-firefox44:
--- → +
|
Assignee | |
Comment 7•9 years ago
|
||
Attachment #8670918 -
Flags: review?(bzbarsky)
|
|
||
Comment 8•9 years ago
|
||
Comment on attachment 8670918 [details] [diff] [review] Ensure that ToPrimitive(location) is not spoofable r=me, but please make sure there's a webidl issue on file.
Attachment #8670918 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Comment 9•9 years ago
|
||
Filed <https://www.w3.org/Bugs/Public/show_bug.cgi?id=29183>.
Flags: needinfo?(jorendorff)
|
|
||
Comment 10•9 years ago
|
||
Allen raises a good question in that w3.org issue: can't we just have @@toPrimitive be a value property with the value undefined?
|
|
||
Updated•9 years ago
|
Flags: needinfo?(jorendorff)
|
|
Assignee | |
Comment 11•9 years ago
|
||
(In reply to Boris Zbarsky [:bz] from comment #10) > Allen raises a good question in that w3.org issue: can't we just have > @@toPrimitive be a value property with the value undefined? Implementing.
Flags: needinfo?(jorendorff)
|
|
Assignee | |
Comment 12•9 years ago
|
||
Bah, defining a data property isn't something this API really supports. I wonder if I should add support for it or route around...
|
|
||
Comment 13•9 years ago
|
||
We can handle this the same way we handle toJSON on Location for now, via the explicit bit in InitUnforgeablePropertiesOnHolder in Codegen.py.
|
|
Assignee | |
Comment 14•9 years ago
|
||
Attachment #8672703 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8670918 -
Attachment is obsolete: true
|
|
||
Comment 15•9 years ago
|
||
Comment on attachment 8672703 [details] [diff] [review] Ensure that ToPrimitive(location) is not spoofable r=me, but this pattern: SYMBOL_TO_JSID(JS::GetWellKnownSymbol(aCx, JS::SymbolCode::toPrimitive)) is pretty annoying, though used in various places now. It sure would be nice if we had a way to do WELL_KNOWN_SYMBOL_ID(aCx, toPrimitive) and have it work (all caps because it'd have to be a macro).
Attachment #8672703 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Comment 16•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/48d1f07e8d39a3ed252ab9eda43a9208ac78a639 Bug 1210570 - Ensure that ToPrimitive(location) is not spoofable. r=bz.
https://hg.mozilla.org/mozilla-central/rev/48d1f07e8d39
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
|
|
||
Updated•9 years ago
|
Group: dom-core-security → core-security-release
|
|
||
Updated•9 years ago
|
Group: core-security-release
|
|
||
Updated•9 years ago
|
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•