nsDSURIContentListener::DoContent's use of mDocShell is suspicious
Categories: Core :: DOM: Navigation, defect, P2
People: Reporter: smaug, Assigned: smaug
Attachments (1 file): 48 bytes, text/x-phabricator-request
Flags: tjr: approval-mozilla-beta+, tjr: approval-mozilla-esr78+, tjr: sec-approval+
mDocShell is a raw pointer[1], yet it is used to call methods which may run scripts [2].
[1] https://searchfox.org/mozilla-central/rev/4fa18c26fa907f38d56b599571b9846af1506f3c/docshell/base/nsDSURIContentListener.h#87
[2] https://searchfox.org/mozilla-central/rev/4fa18c26fa907f38d56b599571b9846af1506f3c/docshell/base/nsDSURIContentListener.cpp#156,178
Comment 1 • 3 years ago
Bug 67721 added effectively a null check for mDocShell later in the method.
mDocShell will be null there, but while mDocShell is used to call some method, nothing seems to keep it alive.
And bug 523260 is possibly related to this bug.
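The hazard described in the report and in comment 1 is a general one: a raw, non-owning pointer is used to call into code that may run script, and script can reach back and drop or replace the object before the call returns. The following is an added illustration written for this page, not Gecko code and not the patch attached to this bug. DocShell, Listener, the ScriptCallback type, MakeListener and the Script* functions are all constructed stand-ins; the "kungFuDeathGrip" strong reference and the post-call identity check are the standard defensive pattern, shown here alongside the unsafe raw-pointer pattern for comparison.

```cpp
#include <cstdio>
#include <functional>
#include <memory>

// Hypothetical stand-ins for nsDocShell and nsDSURIContentListener; not Gecko code.
struct DocShell {
    int id;
    explicit DocShell(int i) : id(i) {}
    void NotifyContentLoaded() {}  // stands in for the methods called through mDocShell
};

// The listener keeps a raw, non-owning pointer, as the real mDocShell field does.
// `owner` models whoever actually holds the strong reference in the browser.
struct Listener {
    std::shared_ptr<DocShell> owner;   // constructed owner, not part of the real class
    DocShell* mDocShell = nullptr;     // raw pointer, like the original field
};

// A "method that may run script": the callback is arbitrary code that can reach
// back into the listener and drop or replace its docshell before we return.
using ScriptCallback = std::function<void(Listener&)>;

enum class Outcome { Completed, DocShellGone, DocShellChanged };

Listener MakeListener() {
    Listener l;
    l.owner = std::make_shared<DocShell>(1);
    l.mDocShell = l.owner.get();
    return l;
}

// Constructed script behaviours used by the examples below.
void ScriptThatDoesNothing(Listener&) {}
void ScriptThatDropsDocShell(Listener& l) { l.mDocShell = nullptr; l.owner.reset(); }
void ScriptThatSwapsDocShell(Listener& l) {
    l.owner = std::make_shared<DocShell>(2);
    l.mDocShell = l.owner.get();
}

// The pattern the bug report describes: copy the raw pointer, call into code that
// may run script, then keep using the pointer. Returns whether the object the
// pointer referred to is still alive afterwards; `false` means that continued use
// would have been a use-after-free. We only observe through a weak_ptr and never
// dereference the possibly dangling pointer.
bool DoContentUnsafe(Listener& l, const ScriptCallback& script) {
    std::weak_ptr<DocShell> probe = l.owner;  // observer only
    DocShell* shell = l.mDocShell;
    shell->NotifyContentLoaded();             // fine: still alive here
    script(l);                                // may destroy *shell
    return !probe.expired();                  // a real DoContent would touch `shell` now
}

// Hardened pattern: take a strong reference for the duration of the call so the
// object cannot die underneath us, then verify after the call that the listener
// still refers to the same docshell before continuing with it.
Outcome DoContentSafe(Listener& l, const ScriptCallback& script) {
    std::shared_ptr<DocShell> kungFuDeathGrip = l.owner;  // keeps *mDocShell alive
    if (!kungFuDeathGrip) return Outcome::DocShellGone;
    kungFuDeathGrip->NotifyContentLoaded();
    script(l);                                             // may run script
    if (!l.mDocShell) return Outcome::DocShellGone;        // the later null check
    if (l.mDocShell != kungFuDeathGrip.get()) return Outcome::DocShellChanged;
    kungFuDeathGrip->NotifyContentLoaded();                // same object, still alive
    return Outcome::Completed;
}

// Convenience wrappers: build a fresh listener and run one pattern against one script.
bool RunUnsafe(const ScriptCallback& script) {
    Listener l = MakeListener();
    return DoContentUnsafe(l, script);
}
Outcome RunSafe(const ScriptCallback& script) {
    Listener l = MakeListener();
    return DoContentSafe(l, script);
}

int main() {
    std::printf("unsafe, script drops docshell: alive afterwards = %d\n",
                RunUnsafe(ScriptThatDropsDocShell));
    std::printf("safe, script swaps docshell: outcome = %d\n",
                static_cast<int>(RunSafe(ScriptThatSwapsDocShell)));
    return 0;
}
```

The unsafe variant reports the docshell gone once script has dropped its owner, which is exactly the point at which the real code would dereference a freed object; the hardened variant keeps the object alive for the whole call and then distinguishes "same docshell, continue" from "docshell nulled" and "docshell replaced", so the later null check alone is not mistaken for lifetime protection.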
Comment 2 • 3 years ago
Comment 3 • 3 years ago
Comment on attachment 9213170 [details]
Bug 1702608, ensure the same docshell is used in nsDSURIContentListener, r=kmag
Security Approval Request
- How easily could an exploit be constructed based on the patch?: There is no known exploit, but the change does pinpoint a bit where an issue might be.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: (The relevant code up to 78 looks the same https://searchfox.org/mozilla-esr78/source/docshell/base/nsDSURIContentListener.cpp#119)
- How likely is this patch to cause regressions; how much testing does it need?: Should be very safe. Unlikely to cause regressions.
Comment 4 • 3 years ago
I'm going to let this one sit a little bit longer until after pwn2own.
Comment 5 • 3 years ago
Comment on attachment 9213170 [details]
Bug 1702608, ensure the same docshell is used in nsDSURIContentListener, r=kmag
Approved to land and uplift
Updated • 3 years ago
Comment 6 • 3 years ago
ensure the same docshell is used in nsDSURIContentListener, r=kmag
https://hg.mozilla.org/integration/autoland/rev/6dcf9156484f47f390e57819340fe948396b803d
https://hg.mozilla.org/mozilla-central/rev/6dcf9156484f
Comment 7 • 3 years ago
uplift
Comment 8 • 3 years ago
uplift
Updated • 3 years ago
Updated • 3 years ago