Closed
Bug 184618
Opened 23 years ago
Closed 22 years ago
window.opener is not read-only and can be overwritten, which enables a user to close windows he did not open by changing the opener property
Categories: Core :: Security, defect
Status: RESOLVED FIXED
People: Reporter: pcvandam, Assigned: security-bugs
Details: Keywords: testcase
Attachments (1 file)
patch, 2.88 KB (hjtoi-bugzilla: review+; jst: superreview+)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2.1) Gecko/20021130
window.opener is not read-only and can be overwritten, which enables a user to
close windows he did not open by changing the opener property. All versions of
Mozilla and Internet Explorer have this flaw, so let Mozilla be the first to
fix it ;). You can simply simulate it by doing (opener=self).close() for
example. (Check the URL for a working example).
Reproducible: Always
Steps to Reproduce:
just execute the given js-code
Actual Results:
Windows closed that should not have.
Expected Results:
Give an error message about changing a read-only property, or ignore it and give
an error about closing a window you did not open.
Comment 1 • 23 years ago
To mitch.
Assignee: jst → mstoltz
Status: UNCONFIRMED → NEW
Component: DOM HTML → Security: General
Ever confirmed: true
Keywords: testcase
QA Contact: stummala → bsharma
Comment 2 • 23 years ago
Oh, the js in question is simply:
(opener=self).close()
Comment 3 (Assignee) • 23 years ago
Cool...jst, would it be kosher to make this read-only (for content)?
Comment 4 • 23 years ago
This is a known problem. window.opener was settable in 4x too, but it was only
settable to null (see
http://lxr.mozilla.org/classic/source/lib/libmocha/lm_win.c#445). IOW, we should
do the same, the JS property window.opener should be settable only to null, at
least from untrusted code. The reason for null being a special case was IIRC
that in 4x you needed to set opener to null in order to let your opener's window
be collected while your window was open, IOW, if you open a window, that opens a
window, that opens a window and so on, even if you close the old windows and
just leave the newest one around, every window that was opened will still be in
memory due to the window.opener reference. In Mozilla the same doesn't apply, at
least not in the same way, due to the fact that window.opener is not a JS
property, it's a property with a getter/setter that sets a native reference
internally and that reference can be cleaned up when a window is closed.
So, IOW, let's let content code only set it to null in Mozilla too. But no
exception throwing, just fail silently if someone sets it to something other
than null.
Comment 5 (Assignee) • 23 years ago
The problem is that setting it to null will allow the window to be closed by
script, and that's what we don't want. Do I need to add an extra bit of state
"PRBool wasOpenedByScript" apart from the opener property to control closing? Or
can we make "opener" completely non-settable (failing silently is OK).
Status: NEW → ASSIGNED
Comment 6 • 23 years ago
*** Bug 196678 has been marked as a duplicate of this bug. ***
Comment 7 • 23 years ago
*** Bug 199980 has been marked as a duplicate of this bug. ***
Comment 8 • 23 years ago
It's a well-known hole in many browsers: IE, Opera, KHTML and Mozilla too.
I think that opener should not be settable. I don't see any situation where it'd
be needed.
Comment 9 (Assignee) • 22 years ago
Opener is now settable only to null, which doesn't eliminate this problem. I'm
going to have to add another flag on the window to keep the opened-by-script state.
Comment 10 • 22 years ago
Yes, it only eliminates the security hole. There is still the possibility to lose
the connection with the parent window.
Is there any word in the documentation of JS or ECMA about the possibility to
overwrite opener? I'm not sure if we should fix this. At least opener cannot be
overwritten by accident.
Comment 11 (Assignee) • 22 years ago
This bug is basically fixed, except for one nit - if a script-opened window
sets its opener to null, it can't be closed by script. This patch remembers
that the window is script-opened and allows the close().
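The policy the assignee settles on between comment 5 and comment 11 (opener settable only to null, plus a separate opened-by-script flag that decides whether close() is honoured) can be modelled outside a browser. The JavaScript below is an added example written for this page, not Gecko's code: the `ModelWindow` class, its `policy` switch and the `openedByScript` flag are assumptions standing in for the native window state the comments describe, so that the reporter's `(opener=self).close()` one-liner can be run against the original behaviour, the null-only rule and the flagged rule side by side.

```javascript
// Added example, not Mozilla/Gecko code. ModelWindow, the "policy" switch and the
// openedByScript flag are assumptions standing in for the native window state.

class ModelWindow {
  constructor(name, { opener = null, openedByScript = false, policy = "writable" } = {}) {
    this.name = name;
    this._opener = opener;
    this.openedByScript = openedByScript; // the extra state comment 5 asks about
    this.policy = policy;                 // "writable" | "null-only" | "null-only+flag"
    this.closed = false;
  }

  get opener() {
    return this._opener;
  }

  // "writable": the original behaviour, any value is accepted.
  // "null-only" / "null-only+flag": comment 4's rule, only null is accepted and
  // anything else is dropped silently (no exception).
  set opener(value) {
    if (this.policy === "writable" || value === null) {
      this._opener = value;
    }
  }

  // Script may only close a window that script opened. Without the flag the
  // only evidence of that is a non-null opener; with the flag, the flag decides.
  close() {
    const scriptOpened =
      this.policy === "null-only+flag" ? this.openedByScript : this._opener !== null;
    if (scriptOpened) this.closed = true;
    return this.closed;
  }

  // window.open(): the child records this window as its opener and is flagged.
  open(name) {
    return new ModelWindow(name, { opener: this, openedByScript: true, policy: this.policy });
  }
}

// The reporter's one-liner, (opener=self).close(), run from a window the user
// opened directly (no opener). The assignment expression evaluates to its
// right-hand side whether or not the setter accepted the value, so close() is
// always reached; only the policy decides whether it has any effect.
function userWindowClosedByScript(policy) {
  const self = new ModelWindow("user-opened", { policy });
  (self.opener = self).close();
  return self.closed;
}

// Comment 11's remaining nit: a script-opened child that nulls its opener (to
// let the opener be collected) should still be closable by script.
function nulledOpenerChildClosable(policy) {
  const parent = new ModelWindow("parent", { policy });
  const child = parent.open("child");
  child.opener = null;
  return child.close();
}

// Whether a non-null write to opener was actually stored under a given policy.
function openerAfterSelfAssignment(policy) {
  const self = new ModelWindow("w", { policy });
  self.opener = self;
  return self.opener === self;
}
```

Under "writable" the self-assignment is stored and the user's window closes. Under "null-only" the write is dropped silently and close() is refused, but a legitimately script-opened child that nulls its opener is then stuck, which is the nit comment 11 fixes; "null-only+flag" refuses the attack and still lets that child close.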
Comment 12 (Assignee) • 22 years ago
Comment on attachment 124852
Patch - allow closing windows when opener has been nulled
Requesting reviews, but no hurry, this one isn't serious.
Attachment #124852 - Flags: superreview?(jst)
Attachment #124852 - Flags: review?(heikki)
Updated • 22 years ago
Attachment #124852 - Flags: review?(heikki) → review+
Comment 13 • 22 years ago
Comment on attachment 124852
Patch - allow closing windows when opener has been nulled
sr=jst
Attachment #124852 - Flags: superreview?(jst) → superreview+
Comment 14 (Assignee) • 22 years ago
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED