Faulty embedding could lead to Code execution or suspicious application behavior

Product: Rhino
Component: Core
Status: VERIFIED INVALID
Reported: 15 years ago
Modified: 13 years ago

(Reporter: Mathew McBride, Assigned: Norris Boyd)

Description

15 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: All releases with LiveConnect

As the leader of the Jazilla project, it has come to my attention that in the
future, someone might slip in some JS code which executes applications via
LiveConnect. I have not been able to verify this, but LiveConnect is proposed
to be allowed within my application.

Reproducible: Couldn't Reproduce

Steps to Reproduce:
Insert JavaScript code executing applications via LiveConnect



Expected Results:
Haven't tried, but Rhino should deny it.

This problem is trivial, but could happen in open source projects or ones that
load external JS files and have LiveConnect enabled.

Comment 1

15 years ago
cc'ing Igor -

Comment 2

15 years ago
To disable LiveConnect, use org.mozilla.javascript.ClassShutter
(http://lxr.mozilla.org/mozilla/source/js/rhino/src/org/mozilla/javascript/ClassShutter.java)
that prevents any class from being loaded, and set it on any Context
object you use:

import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;

// A ClassShutter that hides every Java class from scripts, which disables LiveConnect.
static public final ClassShutter disableLiveConnect = new ClassShutter()
{
    public boolean visibleToScripts(String fullClassName)
    {
        return false;
    }
};

...
    Context cx = Context.enter();
    try {
        cx.setClassShutter(disableLiveConnect);
        // evaluate scripts with cx here
    } finally {
        Context.exit();
    }
...


You can even disable it from JavaScript itself:

var cx = Packages.org.mozilla.javascript.Context.getCurrentContext();
var disableLC = { visibleToScripts: function(className) { return false; } };
cx.setClassShutter(new Packages.org.mozilla.javascript.ClassShutter(disableLC));

Then anything like new java.lang.Integer(0) should give an exception.


Moreover, you should restrict scripts by enabling SecurityManager and probably
implement org.mozilla.javascript.SecurityController to provide different
privileges to different scripts.
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → INVALID
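An added embedding example (not the commenter's code, and not part of Rhino itself) that puts the ClassShutter advice above into a complete class: it evaluates untrusted script text in a fresh Context with all Java classes hidden, so plain JavaScript still runs while any LiveConnect access fails. It assumes the Rhino jar (org.mozilla.javascript) is on the classpath; the class and method names NoLiveConnectDemo, DENY_ALL and run are hypothetical.

```java
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

// Added example: evaluate untrusted scripts with LiveConnect shut off.
// Assumes the Rhino jar (org.mozilla.javascript) is on the classpath.
public class NoLiveConnectDemo {

    // Hide every Java class from scripts, as in the ClassShutter shown above.
    static final ClassShutter DENY_ALL = new ClassShutter() {
        public boolean visibleToScripts(String fullClassName) {
            return false;
        }
    };

    // Evaluate one script in its own Context with the shutter installed.
    // Returns the stringified result, or "DENIED: <message>" when Rhino
    // throws (EcmaError and EvaluatorException both extend RhinoException).
    static String run(String source) {
        Context cx = Context.enter();
        try {
            // The shutter must be installed before any script runs in this Context.
            cx.setClassShutter(DENY_ALL);
            Scriptable scope = cx.initStandardObjects();
            Object result = cx.evaluateString(scope, source, "untrusted", 1, null);
            return Context.toString(result);
        } catch (RhinoException e) {
            return "DENIED: " + e.getMessage();
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) {
        // Ordinary JavaScript is unaffected by the shutter.
        System.out.println(run("1 + 2"));
        // Java access is refused because no class is visible to scripts;
        // this is the "new java.lang.Integer(0)" case from the comment above.
        System.out.println(run("new java.lang.Integer(0)"));
    }
}
```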

Comment 3

15 years ago
Marking Verified -
Status: RESOLVED → VERIFIED

Comment 4

14 years ago
Targeting as resolved against 1.5R5
Target Milestone: --- → 1.5R5
Removing confidential flag from bugs resolved INVALID
Group: security