Injecting JavaScript code in the bookmarks file, may be executed

Status: VERIFIED FIXED
Type: defect
Priority: P3
Severity: normal
Opened: 20 years ago
Last updated: 20 years ago

People

(Reporter: joro, Assigned: mozilla)

Tracking

Version: Trunk
Hardware: x86, Windows 95

Description (Reporter)

20 years ago
Mozilla build 1999090408 (and earlier builds) allows executing JS code in the
"file" protocol by injecting code in the bookmarks file.
The problem is SCRIPT tags in the TITLE tag.

Demonstration and more info is available at:
http://www.nat.bg/~joro/mozilla/bookm2.html

Comment 1

20 years ago
Since we wrote the bookmarks.html parser by hand, I _know_ that we won't be
executing any JS when the file is parsed. How _exactly_ does the JS get run?
From the description, it looks like you need to open the bookmarks file as a
local HTML document, in which case, the normal content/chrome distinction needs
to ensure that no evil JS can run.

Yes, you can save _any_ URL as a bookmark (including "javascript:" URLs).
However, that is a _good_ thing (e.g., bookmarklets a la 4.x).

IMO, we need to fix the code that does the URL dispatching for bookmarks (which
AFAIK is exactly the same as, e.g., the URL dispatching on an anchor tag).

Comment 2

20 years ago
Ok, I think I misunderstood the problem. Ignore my raving.
Comment 3 (Assignee)

20 years ago
We should prevent <SCRIPT> from being saved in bookmark titles,
descriptions, etc... that should plug the security hole.

Updated

20 years ago
Assignee: norris → rjc
Blocks: 12633

Comment 4

20 years ago
Yes, the same issue came up on 4.x (from Guninski as well) and I just made sure
to escape the text that's saved so that the SCRIPT tag doesn't execute. We also
need to make sure that JavaScript entities are quoted as well.

See http://scopus.mcom.com/bugsplat/show_bug.cgi?id=351591 for the 4.x exploit.
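The mitigation Comments 3 and 4 describe, as an added example that is not Mozilla's code and not on the original page: a writer for Netscape-style bookmarks.html entries that escapes titles and descriptions on the way out, so a SCRIPT tag or a 4.x-style JavaScript entity (`&{...};`) saved in a title is stored as inert text, next to the raw-interpolation form the bug describes. The entry layout, the `entry_html` names and the sample bookmark are assumptions.

```python
import html
from dataclasses import dataclass


@dataclass
class Bookmark:
    href: str
    title: str
    description: str = ""


def escape_text(s: str) -> str:
    """Escape a user-controlled string for element content or a quoted attribute.

    html.escape handles '&' first, so a JavaScript entity like &{expr}; cannot
    survive as '&{'; '<' and '>' neutralise SCRIPT tags; '"' keeps the HREF
    attribute closed.
    """
    return html.escape(s, quote=True)


def entry_html_unsafe(b: Bookmark) -> str:
    # 'Before' form: raw interpolation, the defect the bug report is about.
    return f'<DT><A HREF="{b.href}">{b.title}</A>\n<DD>{b.description}\n'


def entry_html(b: Bookmark) -> str:
    # Hardened form: every string that came from the user is escaped when saved.
    return (f'<DT><A HREF="{escape_text(b.href)}">{escape_text(b.title)}</A>\n'
            f'<DD>{escape_text(b.description)}\n')


def contains_active_markup(fragment: str) -> bool:
    """Defensive check: True if a script tag or a JS entity survived in the output."""
    low = fragment.lower()
    return "<script" in low or "&{" in low


def title_from_entry(fragment: str) -> str:
    """Reading side (assumed hand-written parser): the escaped title round-trips."""
    start = fragment.index(">", fragment.index("<A ")) + 1
    end = fragment.index("</A>")
    return html.unescape(fragment[start:end])


# Constructed sample: a SCRIPT tag in the title and a JS entity in the description.
SAMPLE = Bookmark(href="http://example.invalid/",
                  title="Home<SCRIPT>alert(1)</SCRIPT>",
                  description="see &{alert(1)};")
```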
Updated (Assignee)

20 years ago
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 5 (Assignee)

20 years ago
Fixed.

Comment 6

20 years ago
verified fixed.
Status: RESOLVED → VERIFIED

Comment 7

20 years ago
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General