Closed Bug 289171 Opened 19 years ago Closed 19 years ago

Chrome JS code injection possible using pluginspage attribute

Categories

(Toolkit Graveyard :: Plugin Finder Service, defect)

Product:
Toolkit Graveyard
Component:
Plugin Finder Service
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: doronr, Assigned: doronr)

References

Details

(Keywords: fixed-aviary1.0.3)

Attachments

(2 files, 3 obsolete files)

new testcase
259 bytes, text/html
Details
fix theoretical issue and remove onclick attribute
2.75 KB, patch
dbaron
: review+
jst
: superreview+
dbaron
: approval-aviary1.0.3+
dbaron
: approval-aviary1.1a1+
Details | Diff | Splinter Review 
Similar to bug 288556 (not fixed by the patch though) :

Code injection into an xul:button's oncommand for manual urls is possible
because a oncommand attribute is set.

Solution: use event listeners.
Attached file testcase (obsolete) — 

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch (obsolete)
        — Splinter Review
      

    


  

        Attachment #179737 -
        Flags: superreview?(jst)

    
  
Flags: blocking-aviary1.0.3+
Depends on: 289175

    
    

    
  
Steps to reproduce:

- Load testcase
- Click on the missing plugin piece
- It should say no suitable plugins found, and give a manual install button.
- Clicking the manual install button will open a new window and an dialog saying
"Code Injection!".

When fixed, the dialog should now show (new window is fine).
Status: NEW → ASSIGNED

    
    

    
  
Correction to above:
  When fixed, the dialog should _NOT_ show (new window is fine).

    
  
Flags: blocking-aviary1.0.3+ → blocking-aviary1.0.3?

    
    

    
  
Doron:  I can't reproduce this with your testcase using Mozilla/5.0 (Windows; U;
Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050403 Firefox/1.0.3 .  Do I need any
special prefs set to see this problem?

    
    

    
  

      
      
      
      

        Attached file
          
        new testcase
      

    


  
The patch to 288556 made this a bit harder to exploit after all, new testcase
attached.

        Attachment #179733 -
        Attachment is obsolete: true

    
  
Flags: blocking-aviary1.0.3? → blocking-aviary1.0.3+

    
  
Blocks: 289187

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix another theoretical issue (obsolete)
        — Splinter Review
      

    


  
Fixed the theoretical issue of injection via the link to update for missing
plugins.  In reality, the server chokes on the malformed url though :)

        Attachment #179737 -
        Attachment is obsolete: true

        Attachment #179748 -
        Flags: superreview?(jst)

    
  

        Attachment #179737 -
        Flags: superreview?(jst)

    
    

    
  
Comment on attachment 179748 [details] [diff] [review]
fix another theoretical issue

sorry, missed a file.

        Attachment #179748 -
        Attachment is obsolete: true

        Attachment #179748 -
        Flags: superreview?(jst)

    
    

    
  
Comment on attachment 179737 [details] [diff] [review]
patch

sr=jst

        Attachment #179737 -
        Flags: superreview+

        Attachment #179737 -
        Flags: review?(dbaron)

    
    

    
  
Comment on attachment 179737 [details] [diff] [review]
patch

r=dbaron too, although worth noting that this currently leaks (bug 241518).  We
can live with that, though.

        Attachment #179737 -
        Flags: review?(dbaron) → review+

    
    

    
  
I could remove the listeners onunload if needed.

    
    

    
  
Comment on attachment 179756 [details] [diff] [review]
fix theoretical issue and remove onclick attribute

sr=jst

        Attachment #179756 -
        Flags: superreview?(jst) → superreview+

    
  

        Attachment #179756 -
        Flags: review+

    
    

    
  
You (In reply to comment #12)
> I could remove the listeners onunload if needed.

You actually can't, since you don't have the listener object anymore.  But don't
worry about it -- we have this leak all over, and plugin install is basically a
one-time thing.

    
  
Keywords: fixed-aviary1.0.3

    
    

    
  
Fix released
Group: security

    
    

    
  
Comment on attachment 179756 [details] [diff] [review]
fix theoretical issue and remove onclick attribute

Please don't forget to land this on the trunk.

        Attachment #179756 -
        Flags: approval-aviary1.1a+

        Attachment #179756 -
        Flags: approval-aviary1.0.3+

    
    

    
  
fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Product: Firefox → Toolkit
Product: Toolkit → Toolkit Graveyard

          You need to log in
          before you can comment on or make changes to this bug.