Closed Bug 165110 Opened 23 years ago Closed 17 years ago

Make textnodes and XUL elements work properly with IsNativeAnonymous

Categories

(Core :: Security, defect, P2)

Product:
Core
Component:
Security
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.4beta

People

(Reporter: john, Assigned: john)

References

Details

Attachments

(1 file)

Fix for XUL elements
1.49 KB, patch
sicking
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
Neither textnodes nor XUL elements store information about whether they are anonymous, and this makes it possible for people to access them when they should not be able to. Related to bug 164086, which created this check in the first place.
Depends on: 164086
jkeiser says this is security sensitive
Group: security?
Eww is one word to describe this. TextNode and GenericDOMDataNode are saturated to the max with bits already. We are even reusing the lower two bits. DOMSlots seems like a bad idea but maybe that's where we have to go.
Status: NEW → ASSIGNED
You still have two bits in nsIDocument* mDocument that you can steal :-). Let's do it. Wow, some of these elements must be burning a lot of space on vtable pointers. So many interfaces...
Whiteboard: [sg:mustfix]
Also, offtopic question: why don't we remove the nsIDocument* mDocument pointer from all the content nodes, and move it to DOMSlots? For those nodes that don't have an mDocument pointer, GetDocument can walk the parent chain to until we find a node that has the pointer. Plus of course we'd force all nodes without a parent to hold the mDocument pointer in their slots. This would force all content nodes to support DOMSlots, I guess.
Would work, except that we do GetDocument *constantly*. However, we should do some tests to see if we can remove it from text nodes, since those would be able to just get the document from their parent and return that.
CC'ing roc, whose comments seem to make him an interested party
Is it possible to get this fixed for 1.3a, next Tuesday?
Priority: -- → P2
Target Milestone: --- → mozilla1.3beta
John, I get the impression that there's no security problem here that we know about, and that making this change would be difficult. Is this accurate? If so, please remove the sg:mustfix from the status whiteboard. If not, we need this fixed by 1.4b.
There is no known security vulnerability and the fix is not perfectly trivial. The fix could be done with a couple days' work, though; and is probably worth it in terms of future-proofing. I plan to do it asap after I get my current high priority item off my plate.
Target Milestone: mozilla1.3beta → mozilla1.4beta
Great, thanks John.
jkeiser, any progress on the fix for landing early 1.5 alpha?
added jst and caillon to the cc list...
Could we just reopen this so people who run into comments in the code about this can at least see what the bug is about and try to fix it? I see no reason for keeping this closed....
removing confidential flag per discussion by the security group.
Group: security
This does not completely address bug 251197 comment 11; although it does not regress the test case Modern scrollbars still do not follow Mac preferences.
Attachment #171457 - Flags: superreview?(bzbarsky)
Attachment #171457 - Flags: review?(bugmail)
Comment on attachment 171457 [details] [diff] [review] Fix for XUL elements sr=bzbarsky
Attachment #171457 - Flags: superreview?(bzbarsky) → superreview+
XUL element fix checked in.
Depends on: 198533
Note, that patch caused bug 280541
Whiteboard: [sg:mustfix] → [sg:fix]
Whiteboard: [sg:fix]
This should be fixed now. (Bug 334075, Bug 411054, Bug 410119)
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: