Closed
Bug 1373042
Opened 7 years ago
Closed 5 years ago
ExportHelpers has a nice long comment about FileList that doesn't match reality
Categories
(Core :: XPConnect, enhancement, P3)
Tracking
()
RESOLVED
FIXED
mozilla76
People
(Reporter: bzbarsky, Assigned: bzbarsky)
References
(Blocks 1 open bug)
Details
(Keywords: sec-audit, Whiteboard: [post-critsmash-triage][adv-main76-][adv-ESR68.8-])
Attachments
(1 file)
The comment at talks about how we can rely on FileList being implemented as an XPCWN and so on, but they haven't been XPCWN in a while. Sadly, UnwrapReflectorToISupports() still works on Web IDL objects, so this codepath is still returning true for FileList.
Does that mean we're doing unsafe things when mOptions->wrapReflectors is false? Should we just remove this FileList special-case? Something else?
Flags: needinfo?(bobbyholley)
Updated•7 years ago
See Also: → CVE-2017-7801
Updated•7 years ago
Summary: ExportHelpers has a nice long column about FileList that doesn't match reality → ExportHelpers has a nice long comment about FileList that doesn't match reality
Comment 1•7 years ago
Comment 2•7 years ago
Nice catch - I think this is ok though. The impact of the bug is that we'll effectively always have the wrapReflectors=true behavior for FileList, which potentially means that somebody cloning an object graph containing a FileList might have the error appear lazily (via a security wrapper denial when content tries to access the object) rather than eagerly (when the clone happens).
In other words, security wrappers save us. So the safest thing is just to leave this be for the next two cycles and then remove the special case once XPCOM addons go away.
Flags: needinfo?(bobbyholley)
Updated•7 years ago
Priority: -- → P3
Comment 3•7 years ago
Do we have a tracking bug for things we can do post-57?
Flags: needinfo?(overholt)
Comment 4•7 years ago
Updated•7 years ago
Blocks: post-57-api-changes
Flags: needinfo?(overholt)
Comment 5•7 years ago
I searched for at least 15 minutes and couldn't find bug 1347507. Thanks, Andrew!
Comment 6•5 years ago
Updated•5 years ago
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Comment 7•5 years ago
Comment 8•5 years ago
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox76:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
Updated•5 years ago
status-firefox73:
--- → wontfix
status-firefox74:
--- → wontfix
status-firefox75:
--- → wontfix
status-firefox-esr68:
--- → wontfix
Updated•5 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•5 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main76-][adv-ESR68.8-]
Updated•4 years ago
Group: core-security-release