Prevent web content from accessing non-XBL anonymous content

RESOLVED DUPLICATE of bug 164086

Status

RESOLVED DUPLICATE of bug 164086
17 years ago
16 years ago

People

(Reporter: john, Assigned: john)

Tracking

Trunk
x86
Linux

Firefox Tracking Flags

(Not tracked)

Details

(Assignee)

Description

17 years ago
Some of our inputs use anonymous content, particularly input type=text and input
type=file.  It is a Bad Thing when users access this stuff.  We should put a
check in the JS wrapper / classinfo code that prevents creation of a wrapper if:

(1) the content is anonymous (this could be a bit in mFlags for efficient checking)
(2) the content is non-XBL (we think bindingParent will tell us this--need to
ensure that bindingParent is null in the case of anonymous children of an input
type=file that is itself an anonymous child of XBL)
(3) web content is accessing it

This preemptively strikes a whole class of input type=file exploits and prevents
users from meddling where they aren't wanted.  Chrome could create a JS wrapper
and hand it to web content, but that is a less likely situation (at least in the
current world).
(Assignee)

Comment 1

17 years ago
Also, when this gets fixed we should get rid of the fix for bug 163598 since it
will be redundant.
Status: NEW → ASSIGNED
Depends on: 163598

Since this alludes to what the fix is for 163598 (and thus makes guessing the
security bug easier), marking this security sensitive to be on the safe side.

Group: security?
(Assignee)

Comment 3

16 years ago
We went with this solution for bug 164086.

*** This bug has been marked as a duplicate of 164086 ***
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → DUPLICATE
Group: security