Closed Bug 1770848 Opened 3 years ago Closed 3 years ago

ContentPrefService2._observers indexed by a content-controlled value

Categories

(Toolkit :: Preferences, defect)

Product:
Toolkit
Component:
Preferences
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
102 Branch
Tracking Flags:
Tracking Status
firefox-esr91 102+ fixed
firefox100 --- wontfix
firefox101 --- wontfix
firefox102 + fixed

People

(Reporter: mccr8, Assigned: Gijs)

References

Details

(Keywords: sec-want, Whiteboard: [adv-main102-][adv-esr91.11-])

Attachments

(1 file)

Bug 1770848, r?jaws!,mccr8!
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-esr91+
Details | Review

ContentPrefsParent::receiveMessage contains the following code, where prefName is msg.data.name, and thus controllable by the content process:

cps2.addObserverForName(prefName, this._observer);

I think that method is defined here. If prefName is "__proto__", then it'll end up with observers being Object.prototype (the proto of _observers), but then it will throw when it tries to call include on it, so nothing bad will happen. There's similar code in removeObserverForName, which will end up throwing in the same way.

In summary, no security issue right now, but maybe _observers could be changed to a Map to make this code a bit more resilient.

Assignee: nobody → gijskruitbosch+bugs
Status: NEW → ASSIGNED
Product: Firefox → Toolkit

It might be nice to backport this to ESR if we can.

status-firefox100: --- → wontfix
status-firefox101: --- → wontfix
status-firefox102: --- → affected
status-firefox-esr91: --- → affected

r=jaws,mccr8
https://hg.mozilla.org/integration/autoland/rev/d715b649f361b580d94fa0eed209e9006cda0219
https://hg.mozilla.org/mozilla-central/rev/d715b649f361

Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox102: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch

Please nominate this for ESR91 approval when you get a chance.

Flags: needinfo?(gijskruitbosch+bugs)

Comment on attachment 9277851 [details]
Bug 1770848, r?jaws!,mccr8!

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: related to a fixed sec-high/crit
  • User impact if declined: Potential for more sec bugs
  • Fix Landed on Version: 102
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Straightforward same-behaviour refactor of some JS code that has integration level tests and has been on nightly+beta for a little while now.
Flags: needinfo?(gijskruitbosch+bugs)
Attachment #9277851 - Flags: approval-mozilla-esr91?

Comment on attachment 9277851 [details]
Bug 1770848, r?jaws!,mccr8!

Approved for 91.11esr.

Attachment #9277851 - Flags: approval-mozilla-esr91? → approval-mozilla-esr91+
Whiteboard: [adv-main102-]
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main102-] → [adv-main102-][adv-esr91.11-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: