Closed Bug 290036 Opened 16 years ago Closed 16 years ago
Link tag allows to execute arbitrary code without user interaction
Confirming. Looks like it would work in the Suite, too, with a little quote tweaking -- it got as far as the delayedOpenWindow() call so it's already running with chrome privs.
Assignee: firefox → dveditz
Status: UNCONFIRMED → NEW
Component: General → Security
Ever confirmed: true
Comment on attachment 180499 (possible patch): This doesn't actually work; I fixed the testcase by making the Linux line look like the others (changing "\\\'" to "\'").
I knew this \\\' was fishy. It turned out I tested Linux on a really old 0.9 build that required that encoding (for whatever reason). Tested again with a 1.0 and it requires a \' only. Changed the PoC accordingly.
Comment on attachment 180499 (possible patch): I also had a zombie Firefox process running earlier. This patch works fine.
We really shouldn't block data:, though, since it's useful for favicons.
Comment on attachment 180541 (alternative patch): sr=me if you can prove we're not vulnerable to data: URLs encoding script (in a data: text/html URL, or otherwise). /be
Attachment #180541 - Flags: superreview?(brendan) → superreview+
Comment on attachment 180499 (possible patch): Neither dveditz nor I have been able to write an exploit using data: URLs, so I think the alternative patch is ok.
A bunch of stuff wasn't on the 1.7 branch; this merges it.
Attachment #180544 - Attachment is obsolete: true
Comment on attachment 180541 (alternative patch): a=chase pending dbaron's review
Attachment #180541 - Flags: approval-aviary1.0.3+
Moving to Core.
Product: Firefox → Core
Version: unspecified → 1.0 Branch
Comment on attachment 180545 (patch for 1.7 branch): Assuming this is the patch you want to go with, a=chase pending r/sr
Attachment #180545 - Flags: approval1.7.7+
Comment on attachment 180541 (alternative patch): r=dveditz. I was worried about data: URLs, but after a bunch of debugging it looks like this is never used in a context that would parse it as HTML and run scripts. I'm still a little nervous.
Attachment #180541 - Flags: review?(dveditz) → review+
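The reviewers above go back and forth on whether data: URLs could carry script past a scheme check on link hrefs while still leaving them usable for favicons. The following is an added example, not Mozilla's patch and not code from this bug: a scheme allowlist that a favicon fetcher can apply to a <link> href before doing anything with it. Script-capable schemes are refused, data: is accepted only with image media types that cannot be parsed as markup, and the whitespace/tab stripping that URL parsers perform is applied first so that a disguised scheme cannot slip through as a "relative" URL. The function names, the allowed media-type list and the sample inputs are all assumptions of this example.

```javascript
// Added example (not Mozilla code): allowlist for <link> hrefs fetched as icons.
// Names (normalizeHref, schemeOf, classifyIconHref, isSafeIconHref) and the
// SAFE_DATA_TYPES list are assumptions made for this example.

// Strip what URL parsers ignore before reading the scheme: leading/trailing
// C0 controls and spaces, plus tab/newline anywhere. Without this step
// "java\tscript:" has no recognizable scheme and would be treated as relative.
function normalizeHref(href) {
  return String(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Lowercase scheme of an absolute URL, or null for a relative reference.
function schemeOf(href) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  return m ? m[1].toLowerCase() : null;
}

// data: payloads are accepted only with media types that are decoded as raw
// image bytes. text/html and application/xhtml+xml are documents that can
// contain <script>; image/svg+xml is XML and can carry script too, so it is
// deliberately absent from this list.
const SAFE_DATA_TYPES = new Set([
  'image/png', 'image/gif', 'image/jpeg', 'image/webp',
  'image/x-icon', 'image/vnd.microsoft.icon',
]);

// Returns 'allow' or 'block'. baseScheme is the scheme of the page that
// carried the <link>, used for relative hrefs.
function classifyIconHref(rawHref, baseScheme = 'http') {
  const href = normalizeHref(rawHref);
  const scheme = schemeOf(href) ?? baseScheme;
  switch (scheme) {
    case 'http':
    case 'https':
      return 'allow';
    case 'data': {
      // data:[<mediatype>][;base64],<data>  -- media type defaults to text/plain
      const comma = href.indexOf(',');
      if (comma < 0) return 'block';
      const header = href.slice('data:'.length, comma).toLowerCase();
      const mediaType = header.split(';')[0].trim() || 'text/plain';
      return SAFE_DATA_TYPES.has(mediaType) ? 'allow' : 'block';
    }
    default:
      // javascript:, vbscript:, chrome:, resource:, file:, about: and anything
      // else are never fetched as an icon.
      return 'block';
  }
}

function isSafeIconHref(href) {
  return classifyIconHref(href) === 'allow';
}

// Constructed sample hrefs, the kind a crawler or browser sees in <link rel="icon">.
const SAMPLE_HREFS = [
  'https://example.com/favicon.ico',
  '/favicon.ico',
  'data:image/png;base64,iVBORw0KGgo=',
  'data:text/html,<script>alert(1)</script>',
  '  JavaScript:alert(1)',
  'java\tscript:alert(1)',
];

// Map each sample href to its verdict; handy for a quick audit run.
function auditHrefs(hrefs = SAMPLE_HREFS) {
  return hrefs.map((h) => [h, classifyIconHref(h)]);
}
```

The normalization step matters more than it looks: a check that only lowercases and compares the prefix would still see `java\tscript:` as a relative path and let it through, which is exactly the class of bypass a scheme allowlist on link hrefs has to close. Keeping `image/svg+xml` out of the data: allowlist is the other easy mistake; it is an image type, but it is also a document that can run script.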
Comment on attachment 180545 (patch for 1.7 branch): r=dveditz, carrying over sr on the grounds that this makes 1.7 match already-reviewed aviary.
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED