Closed
Bug 1257521
Opened 9 years ago
Closed 9 years ago
Investigate if VariantToJsval is in any way compartment safe
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
INVALID
People
(Reporter: smaug, Unassigned)
Details
(Keywords: sec-high)
When dealing with variants which point to some DOM object, we execute
http://mxr.mozilla.org/mozilla-central/source/js/xpconnect/src/XPCConvert.cpp#743
Not related to this bug, but http://mxr.mozilla.org/mozilla-central/source/js/xpconnect/src/XPCConvert.cpp#771 is wrong since it isn't in any way null-safe.
But more worrisome is http://mxr.mozilla.org/mozilla-central/source/js/xpconnect/src/XPCConvert.cpp#786
I don't see, at least haven't yet seen, anything guaranteeing that we don't assert there.
Comment 1•9 years ago
Olli, do you think this should be marked sec-high or sec-audit? It sounds like you are pretty sure there is a problem.
Comment 2 (Reporter)•9 years ago
I tried to write a testcase but couldn't get it to assert yet.
I'm pretty sure, but not 100%, we have an issue here.
sec-high for now, and if someone proves this can't, for example, happen on web content, then reduce to -audit or invalid or so.
Keywords: sec-high
Comment 3 (Reporter)•9 years ago
I think I was wrong here. Looking at this again, and I can't see the assertion failing.
->invalid.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Updated•9 years ago
Group: dom-core-security
Updated (Assignee)•6 years ago
Component: DOM → DOM: Core & HTML