Closed
Bug 257431
Opened 20 years ago
Closed 20 years ago
Tabbrowser accepts non-trusted events
Categories
(Core :: XUL, defect)
Core
XUL
Tracking
()
RESOLVED
FIXED
People
(Reporter: jwkbugzilla, Assigned: jst)
Details
(Keywords: fixed-aviary1.0, fixed1.7.5, Whiteboard: [sg:dos])
Attachments
(6 files, 2 obsolete files)
|
402 bytes,
text/html
|
Details | |
|
3.97 KB,
patch
|
jwkbugzilla
:
review+
jst
:
superreview+
asa
:
approval-aviary+
asa
:
approval1.7.5+
|
Details | Diff | Splinter Review |
|
4.78 KB,
patch
|
Details | Diff | Splinter Review | |
|
18.87 KB,
patch
|
jwkbugzilla
:
review+
bzbarsky
:
superreview+
|
Details | Diff | Splinter Review |
|
4.83 KB,
patch
|
Details | Diff | Splinter Review | |
|
18.85 KB,
patch
|
Details | Diff | Splinter Review |
XBL doesn't allow XUL-nodes to receive non-trusted events, but tabbox installs listeners in non-XBL components where you don't have these checks anymore. As a result, an HTML page can send a Ctrl-Tab event that will be processed by the tabbrowser component.
|
Reporter | |
Comment 1•20 years ago
|
||
|
||
Comment 2•20 years ago
|
||
->jst for investigation Wladimir: is this a spin-off from bug 252326 comment 38? At one point it sounded like you guys were contemplating fixing the trusted event bugs under that umbrella. Can you do more damage than switch to (and probably close) tabs? I don't think this gives you any access to the contents of the other tabs. You could try to switch focus to yourself and hope the victim was typing something juicy in another tab at the time.
Assignee: jag → jst
Whiteboard: [sg:needinfo]
|
Assignee | |
Comment 3•20 years ago
|
||
|
|
Assignee | |
Updated•20 years ago
|
Attachment #157585 -
Flags: superreview?(bzbarsky)
Attachment #157585 -
Flags: review?(trev)
|
||
Comment 4•20 years ago
|
||
Is there a good reason to have access points for this member on both nsIDOMNSEvent and nsIPrivateDOMEvent?
|
|
Assignee | |
Comment 5•20 years ago
|
||
Not really, other than the fact that some people might be using nsIPrivateDOMEvent outside our codebase... which isn't really much of an excuse. Forgot to update the IID for nsIDOMNSEvent btw. Let me know if you think I should go through the code and eliminate this getter from nsIPrivateDOMEvent, maybe do that for the trunk only, and leave it on the aviary branch just to keep the regression risk down?
|
|
||
Comment 6•20 years ago
|
||
Yeah, I'm fine with eliminating the other getter on trunk only; I agree that we shouldn't touch it on branch. sr=bzbarsky with that (and the iid change; good catch!)
|
|
Reporter | |
Comment 7•20 years ago
|
||
(In reply to comment #2) > Wladimir: is this a spin-off from bug 252326 comment 38? At one point it sounded > like you guys were contemplating fixing the trusted event bugs under that umbrella. Not quite. The trusted events mentioned there don't seem to be abusable. The current issue came up when testing for this bug, but this is a proper non-trusted event that shouldn't be accepted by trusted content.
|
|
Reporter | |
Comment 8•20 years ago
|
||
Comment on attachment 157585 [details] [diff] [review] Expose whether an event is trusted or not, and make the tabbrowser code only listen to trusted events. Argh, this will conflict with my changes for bug 252326. But yes, the patch looks fine for me with Boris' corrections. Maybe we want to have a general solution for this in the long term. EventListenerManager shouldn't be triggering trusted event handlers on non-trusted events, though I'm not quite sure how this can be implemented.
|
||
Comment 9•20 years ago
|
||
could untrusted events override .isTrusted somehow? maybe via __defineGetter__ or somesuch?
|
|
Reporter | |
Comment 10•20 years ago
|
||
Tried it - yes, they can.
event.__defineGetter__("isTrusted", function(){return "This is a fake"});
I seem to remember that things like this wouldn't work for events a couple of
versions ago...|
|
Reporter | |
Comment 11•20 years ago
|
||
Comment on attachment 157585 [details] [diff] [review] Expose whether an event is trusted or not, and make the tabbrowser code only listen to trusted events. Can't have it this way, any attribute or method of the event can be easily faked.
Attachment #157585 -
Flags: review?(trev) → review-
|
|
||
Comment 12•20 years ago
|
||
we have an XPCNativeWrapper (sp) which is designed to help cases like this.
|
|
Assignee | |
Comment 13•20 years ago
|
||
Wladimir, did you test that defining a getter for isTrusted actually makes the patch not work? Unless I missed something that shouldn't be the case since the event should be re-wrapped when it's accessed in the event handler in the chrome code, and thus it should get a new fresh JS object that doesn't have the getter on it.
|
|
Reporter | |
Comment 14•20 years ago
|
||
Comment on attachment 157585 [details] [diff] [review] Expose whether an event is trusted or not, and make the tabbrowser code only listen to trusted events. You are right, I've only tested it with untrusted content. r+ then, with Boris' corrections.
Attachment #157585 -
Flags: review- → review+
|
|
Assignee | |
Comment 15•20 years ago
|
||
Comment on attachment 157585 [details] [diff] [review] Expose whether an event is trusted or not, and make the tabbrowser code only listen to trusted events. Marking bz's sr+
Attachment #157585 -
Flags: superreview?(bzbarsky) → superreview+
|
|
Assignee | |
Comment 16•20 years ago
|
||
Comment on attachment 157585 [details] [diff] [review] Expose whether an event is trusted or not, and make the tabbrowser code only listen to trusted events. Requesting aviary and 1.7 approval.
Attachment #157585 -
Flags: approval1.7.x?
Attachment #157585 -
Flags: approval-aviary?
|
|
Assignee | |
Comment 17•20 years ago
|
||
|
|
Assignee | |
Comment 18•20 years ago
|
||
|
|
Assignee | |
Comment 19•20 years ago
|
||
Forgot to diff toolkit.
Attachment #157626 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 20•20 years ago
|
||
Oh, and then there's SeaMonkey too. I think that's is it for now, realy :-)
Attachment #157633 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•20 years ago
|
Attachment #157634 -
Flags: superreview?(bzbarsky)
Attachment #157634 -
Flags: review?(trev)
|
|
||
Comment 21•20 years ago
|
||
Comment on attachment 157634 [details] [diff] [review] Trunk patch sr=bzbarsky
Attachment #157634 -
Flags: superreview?(bzbarsky) → superreview+
|
||
Comment 22•20 years ago
|
||
Comment on attachment 157585 [details] [diff] [review] Expose whether an event is trusted or not, and make the tabbrowser code only listen to trusted events. a=asa for branch checkin.
Attachment #157585 -
Flags: approval1.7.x?
Attachment #157585 -
Flags: approval1.7.x+
Attachment #157585 -
Flags: approval-aviary?
Attachment #157585 -
Flags: approval-aviary+
|
|
Assignee | |
Comment 23•20 years ago
|
||
|
|
Assignee | |
Comment 24•20 years ago
|
||
Fixed on aviary and 1.7 branches.
Keywords: fixed-aviary1.0,
fixed1.7.x
|
|
Reporter | |
Updated•20 years ago
|
Attachment #157634 -
Flags: review?(trev) → review+
|
|
Assignee | |
Comment 25•20 years ago
|
||
|
|
Assignee | |
Comment 26•20 years ago
|
||
Fixed.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
|
|
||
Comment 27•20 years ago
|
||
I've tested this in the 1.7.3 candidate Windows build on XP (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910) and it appears to not be fixed. Either that or I don't understand the testcase. When I open the testcase in another tab, my two tabs flash back and forth really fast for about 5 seconds. Is that expected after the fix?
|
|
Assignee | |
Comment 28•20 years ago
|
||
Hmm, looking.
|
|
Assignee | |
Comment 29•20 years ago
|
||
This was never checked in on the 1.7.2 branch (but it's on the 1.7 branch).
|
|
||
Comment 30•20 years ago
|
||
This was not landed on the 1_7_2 branch (for the immanent 1.7.3 security release), just the 1.7x branch. The 1.7.3 fixes are flagged with "fixed1.7.2+" in the status whiteboard. (now that the fixed1.7.3 keyword was changed to 1.7.x I could update the whiteboard text, but that would just generate bugspam.) The bug allows abuse, but unless we find something worse than swapping your tabs around it doesn't appear to allow exploits. The patch looks small enough, we probably could safely take it in 1.7.3 if you want it.
Whiteboard: [sg:needinfo] → [sg:dos]
|
||
Comment 31•19 years ago
|
||
Hmm, is there a reason why security flag was never cleared ?
|
|
||
Updated•19 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•