Closed Bug 289171 Opened 20 years ago Closed 20 years ago

Chrome JS code injection possible using pluginspage attribute

Categories

(Toolkit Graveyard :: Plugin Finder Service, defect)

Product:
Toolkit Graveyard
Component:
Plugin Finder Service
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: doronr, Assigned: doronr)

References

Details

(Keywords: fixed-aviary1.0.3)

Attachments

(2 files, 3 obsolete files)

new testcase
259 bytes, text/html
Details
fix theoretical issue and remove onclick attribute
2.75 KB, patch
dbaron
: review+
jst
: superreview+
dbaron
: approval-aviary1.0.3+
dbaron
: approval-aviary1.1a1+
Details | Diff | Splinter Review
Similar to bug 288556 (not fixed by the patch though) : Code injection into an xul:button's oncommand for manual urls is possible because a oncommand attribute is set. Solution: use event listeners.
Attached file testcase (obsolete) —
Attached patch patch (obsolete) — Splinter Review
Attachment #179737 - Flags: superreview?(jst)
Flags: blocking-aviary1.0.3+
Depends on: 289175
Steps to reproduce: - Load testcase - Click on the missing plugin piece - It should say no suitable plugins found, and give a manual install button. - Clicking the manual install button will open a new window and an dialog saying "Code Injection!". When fixed, the dialog should now show (new window is fine).
Status: NEW → ASSIGNED
Correction to above: When fixed, the dialog should _NOT_ show (new window is fine).
Flags: blocking-aviary1.0.3+ → blocking-aviary1.0.3?
Doron: I can't reproduce this with your testcase using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050403 Firefox/1.0.3 . Do I need any special prefs set to see this problem?
Attached file new testcase
The patch to 288556 made this a bit harder to exploit after all, new testcase attached.
Attachment #179733 - Attachment is obsolete: true
Flags: blocking-aviary1.0.3? → blocking-aviary1.0.3+
Blocks: 289187
Attached patch fix another theoretical issue (obsolete) — Splinter Review
Fixed the theoretical issue of injection via the link to update for missing plugins. In reality, the server chokes on the malformed url though :)
Attachment #179737 - Attachment is obsolete: true
Attachment #179748 - Flags: superreview?(jst)
Attachment #179737 - Flags: superreview?(jst)
Comment on attachment 179748 [details] [diff] [review] fix another theoretical issue sorry, missed a file.
Attachment #179748 - Attachment is obsolete: true
Attachment #179748 - Flags: superreview?(jst)
Comment on attachment 179737 [details] [diff] [review] patch sr=jst
Attachment #179737 - Flags: superreview+
Attachment #179737 - Flags: review?(dbaron)
Comment on attachment 179737 [details] [diff] [review] patch r=dbaron too, although worth noting that this currently leaks (bug 241518). We can live with that, though.
Attachment #179737 - Flags: review?(dbaron) → review+
I could remove the listeners onunload if needed.
Comment on attachment 179756 [details] [diff] [review] fix theoretical issue and remove onclick attribute sr=jst
Attachment #179756 - Flags: superreview?(jst) → superreview+
You (In reply to comment #12) > I could remove the listeners onunload if needed. You actually can't, since you don't have the listener object anymore. But don't worry about it -- we have this leak all over, and plugin install is basically a one-time thing.
Keywords: fixed-aviary1.0.3
Fix released
Group: security
Comment on attachment 179756 [details] [diff] [review] fix theoretical issue and remove onclick attribute Please don't forget to land this on the trunk.
Attachment #179756 - Flags: approval-aviary1.1a+
Attachment #179756 - Flags: approval-aviary1.0.3+
fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Product: Firefox → Toolkit
Product: Toolkit → Toolkit Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: