Closed Bug 146873 Opened 23 years ago Closed 22 years ago

JavaScript disabling can be bypassed by Java applets

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.4alpha

People

(Reporter: binard, Assigned: security-bugs)

References

(
URL
)

Details

(Whiteboard: patch)

Attachments

(1 file)

Patch - call CanExecuteScripts before calling from Java to JS.
4.78 KB, patch
jst
: review+
hjtoi-bugzilla
: superreview+
Details | Diff | Splinter Review
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc3) Gecko/20020523 BuildID: 2002052316 JavaScript code can be called from a Java applet, regardless of whether or not JavaScript is disabled in Mozilla's preferences menu. This seems to apply to any JavaScript code in general, and it should also be noted that opening a window works even if "Open unrequested windows" is unchecked in Mozilla's preferences menu. The provided URL shows a demo of this exploit (if one can call it that). Reproducible: Always Steps to Reproduce: 1.Go to http://www.california.com/~binard/java/J2Js.html 2. 3. Actual Results: JavaScript code was run by the Java applet, even though JavaScript was disabled in Preferences, and new windows were popped up even though that should have been disabled as well. Expected Results: No JavaScript code should have been allowed to run, and no new windows allowed to be open.
I'm not seeing any popups or alerts. 2002052306 - win98 Though I have this feeling my java is borked...
related bug 150340
Status: UNCONFIRMED → NEW
Depends on: 103843
Ever confirmed: true
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.2beta
Target Milestone: mozilla1.2beta → mozilla1.3alpha
Mozilla crashes when the demo URL (http://www.california.com/~binard/java/J2Js.html) is visited. Mozilla info: Mozilla 1.2a Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2a) Gecko/20020910 Plugins info: Java Plug-in1.3.1_04 FileName: libjavaplugin_oji.so
Got it - the JSObject functions in NSCLiveConnect.cpp need to call nsIScriptSecurityManager::CanExecuteScripts. I should probably refactor some getService calls; probably cache the security manager service here. Patch coming soon.
Target Milestone: mozilla1.3alpha → mozilla1.4alpha
Attachment #114833 - Flags: superreview?(heikki)
Attachment #114833 - Flags: review?(beard)
Whiteboard: patch
For Netscape folks, there's a simplified testcase at http://warp.mcom.com/u/mstoltz/bugs/CallJS.html
Attachment #114833 - Flags: superreview?(heikki) → superreview+
Attachment #114833 - Flags: review?(beard) → review?(jst)
Comment on attachment 114833 [details] [diff] [review] Patch - call CanExecuteScripts before calling from Java to JS. sr=jst
Attachment #114833 - Flags: review?(jst) → review+
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
No longer depends on: 103843
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: