JavaScript disabling can be bypassed by Java applets

RESOLVED FIXED in mozilla1.4alpha

Status

Core
Security
RESOLVED FIXED
16 years ago
14 years ago

People

(Reporter: David Binard, Assigned: Mitchell Stoltz (not reading bugmail))

Tracking

Trunk
mozilla1.4alpha
x86
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: patch, URL)

Attachments

(1 attachment)

(Reporter)

Description

16 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc3) Gecko/20020523
BuildID:    2002052316

JavaScript code can be called from a Java applet, regardless of whether or not
JavaScript is disabled in Mozilla's preferences menu.
This seems to apply to any JavaScript code in general, and it should also be
noted that opening a window works even if "Open unrequested windows" is
unchecked in Mozilla's preferences menu.

The provided URL shows a demo of this exploit (if one can call it that).

Reproducible: Always
Steps to Reproduce:
1. Go to http://www.california.com/~binard/java/J2Js.html

Actual Results:  JavaScript code was run by the Java applet, even though
JavaScript was disabled in Preferences, and new windows were popped up even
though that should have been disabled as well.

Expected Results:  No JavaScript code should have been allowed to run, and no
new windows allowed to be open.

Comment 1

16 years ago
I'm not seeing any popups or alerts. 2002052306 - win98
Though I have this feeling my java is borked...

Comment 2

15 years ago
related bug 150340
Status: UNCONFIRMED → NEW
Depends on: 103843
Ever confirmed: true
(Assignee)

Updated

15 years ago
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.2beta
(Assignee)

Updated

15 years ago
Target Milestone: mozilla1.2beta → mozilla1.3alpha

Comment 3

15 years ago
Mozilla crashes when the demo URL
(http://www.california.com/~binard/java/J2Js.html) is visited.
Mozilla info:
   Mozilla 1.2a
   Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2a) Gecko/20020910

Plugins info:
   Java Plug-in1.3.1_04 FileName: libjavaplugin_oji.so
(Assignee)

Comment 4

15 years ago
Got it - the JSObject functions in NSCLiveConnect.cpp need to call
nsIScriptSecurityManager::CanExecuteScripts. I should probably refactor some
getService calls; probably cache the security manager service here. Patch coming
soon.
Target Milestone: mozilla1.3alpha → mozilla1.4alpha
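The fix described in Comment 4, as an added example that is not Mozilla's code: a self-contained C++ model of why the CanExecuteScripts check belongs on every Java-to-JS entry point, plus a regression check that enumerates those entry points with JavaScript disabled. `Prefs`, `ScriptSecurityManager`, `GateScript`, `EntryPointsBeforePatch`, `EntryPointsAfterPatch` and `Bypasses` are all assumed names; the real `nsIScriptSecurityManager::CanExecuteScripts` also takes a JSContext and principal, which this simplification omits.

```cpp
// Added example (not Mozilla's code). Models the bug in this report: the
// "javascript.enabled" preference was enforced for page script, but the
// LiveConnect JSObject entry points used by applets reached the JS engine
// without consulting the script security manager.
#include <functional>
#include <map>
#include <string>
#include <vector>

struct Prefs { bool javascriptEnabled = true; };

// Stand-in (assumed name/shape) for nsIScriptSecurityManager::CanExecuteScripts.
struct ScriptSecurityManager {
    const Prefs* prefs;
    bool CanExecuteScripts() const { return prefs->javascriptEnabled; }
};

// Single chokepoint every route into the JS engine must pass through.
bool GateScript(ScriptSecurityManager& secMan, const std::string& src,
                std::vector<std::string>& ran) {
    if (!secMan.CanExecuteScripts()) return false;  // refuse, as the patch does
    ran.push_back(src);
    return true;
}

using EntryPoint = std::function<bool(ScriptSecurityManager&, const std::string&,
                                      std::vector<std::string>&)>;

// Unchecked bridge call: goes straight to the engine, no policy consulted.
bool UngatedBridge(ScriptSecurityManager&, const std::string& src,
                   std::vector<std::string>& ran) { ran.push_back(src); return true; }

// Before the patch: only the page-script path is gated.
std::map<std::string, EntryPoint> EntryPointsBeforePatch() {
    return {{"page <script>", GateScript},
            {"JSObject.eval", UngatedBridge}, {"JSObject.call", UngatedBridge}};
}

// After the patch: the JSObject functions call CanExecuteScripts first.
std::map<std::string, EntryPoint> EntryPointsAfterPatch() {
    return {{"page <script>", GateScript},
            {"JSObject.eval", GateScript}, {"JSObject.call", GateScript}};
}

// Regression check: with JavaScript disabled, which entry points still run script?
std::vector<std::string> Bypasses(const std::map<std::string, EntryPoint>& entries) {
    Prefs prefs; prefs.javascriptEnabled = false;
    ScriptSecurityManager secMan{&prefs};
    std::vector<std::string> leaks;
    for (const auto& kv : entries) {
        std::vector<std::string> ran;  // constructed sample script below
        if (kv.second(secMan, "alert('from applet')", ran)) leaks.push_back(kv.first);
    }
    return leaks;
}
```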
(Assignee)

Comment 5

15 years ago
Created attachment 114833 [details] [diff] [review]
Patch - call CanExecuteScripts before calling from Java to JS.
(Assignee)

Updated

15 years ago
Attachment #114833 - Flags: superreview?(heikki)
Attachment #114833 - Flags: review?(beard)
(Assignee)

Updated

15 years ago
Whiteboard: patch
(Assignee)

Comment 6

15 years ago
For Netscape folks, there's a simplified testcase at
http://warp.mcom.com/u/mstoltz/bugs/CallJS.html
Attachment #114833 - Flags: superreview?(heikki) → superreview+
(Assignee)

Updated

15 years ago
Attachment #114833 - Flags: review?(beard) → review?(jst)

Comment 7

Comment on attachment 114833 [details] [diff] [review]
Patch - call CanExecuteScripts before calling from Java to JS.

sr=jst
Attachment #114833 - Flags: review?(jst) → review+
(Assignee)

Comment 8

15 years ago
Fix checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED

Updated

14 years ago
No longer depends on: 103843