Closed Bug 1702608 Opened 3 years ago Closed 3 years ago

nsDSURIContentListener::DoContent's use of mDocShell is suspicious

Categories

(Core :: DOM: Navigation, defect, P2)

Tracking

RESOLVED FIXED
89 Branch
Tracking Status
firefox-esr78 88+ fixed
firefox87 --- wontfix
firefox88 + fixed
firefox89 + fixed

People

(Reporter: smaug, Assigned: smaug)

Details

Attachments

(1 file)

Bug 67721 effectively added a null check for mDocShell later in the method.
mDocShell will be null there, but while mDocShell is used to call some method, nothing seems to keep it alive.

And bug 523260 is possibly related to this bug.
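The lifetime hazard the report describes, as an added example that is not Mozilla's code: a member pointer that is re-read at every step can be cleared or replaced by a re-entrant call part-way through the method (a later null check does not help), whereas one strong reference taken up front keeps a single docshell alive and in use for the whole method. `DocShell`, `Listener`, `RunScenario` and the use of `std::shared_ptr` in place of Gecko's RefPtr are all assumptions made for the example.

```cpp
#include <functional>
#include <memory>
// Stand-in for a docshell: the object the content listener points at (assumed).
struct DocShell {
    int calls = 0;
    // Runs once from inside StartContent(), simulating a re-entrant navigation
    // or teardown that reaches back into the listener while it is mid-method.
    std::function<void()> onFirstCall;
    void StartContent() {
        ++calls;
        if (onFirstCall) { auto hook = onFirstCall; onFirstCall = nullptr; hook(); }
    }
    void FinishContent() { ++calls; }
};

struct Listener {
    std::shared_ptr<DocShell> mDocShell;  // the member the bug report is about

    // Unsafe shape: every step re-reads the member, so a re-entrant call can
    // clear or replace it in between; the later null check does not save us.
    std::shared_ptr<DocShell> DoContentUnsafe() {
        mDocShell->StartContent();          // may clear or replace mDocShell
        if (!mDocShell) return nullptr;     // the null check added later in the method
        mDocShell->FinishContent();         // may now be a different docshell
        return mDocShell;
    }

    // Hardened shape: one strong reference taken up front and used for the
    // whole method, so the same docshell is used and stays alive throughout.
    std::shared_ptr<DocShell> DoContentSafe() {
        std::shared_ptr<DocShell> docShell = mDocShell;
        if (!docShell) return nullptr;
        docShell->StartContent();           // mDocShell may change; docShell does not
        docShell->FinishContent();
        return docShell;
    }
};
struct Outcome { int aCalls; int bCalls; bool usedOriginal; };
// Drive one constructed scenario: the listener starts on docshell A, whose first
// call swaps the listener over to B. Reports which docshell(s) got the two calls.
Outcome RunScenario(bool hardened) {
    Listener l;
    auto a = std::make_shared<DocShell>();  // kept alive here so the unsafe path
    auto b = std::make_shared<DocShell>();  // shows the symptom without a real UAF
    l.mDocShell = a;
    a->onFirstCall = [&l, b] { l.mDocShell = b; };
    std::shared_ptr<DocShell> used = hardened ? l.DoContentSafe() : l.DoContentUnsafe();
    return {a->calls, b->calls, used == a};
}
```

In the unsafe path the two calls land on two different docshells; in the hardened path both land on the original, and the local strong reference is what would keep it alive if the listener had been its only owner.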

Comment on attachment 9213170 [details]
Bug 1702608, ensure the same docshell is used in nsDSURIContentListener, r=kmag

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: There is no known exploit, but the change does pinpoint a bit where an issue might be.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: (The relevant code up to 78 looks the same https://searchfox.org/mozilla-esr78/source/docshell/base/nsDSURIContentListener.cpp#119)
  • How likely is this patch to cause regressions; how much testing does it need?: Should be very safe. Unlikely to cause regressions.
Attachment #9213170 - Flags: sec-approval?

I'm going to let this one sit a little bit longer until after pwn2own.

Comment on attachment 9213170 [details]
Bug 1702608, ensure the same docshell is used in nsDSURIContentListener, r=kmag

Approved to land and uplift

Attachment #9213170 - Flags: sec-approval?
Attachment #9213170 - Flags: sec-approval+
Attachment #9213170 - Flags: approval-mozilla-esr78+
Attachment #9213170 - Flags: approval-mozilla-beta+
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch
Flags: qe-verify-
Group: core-security-release