Last Comment Bug 293671 - nsScriptSecurityManager::GetBaseURIScheme doesn't handle jar:view-source:
: nsScriptSecurityManager::GetBaseURIScheme doesn't handle jar:view-source:
Status: RESOLVED FIXED
[patch]
: fixed-aviary1.0.4, fixed1.7.8
Product: Core
Classification: Components
Component: Security (show other bugs)
: Trunk
: All All
: P1 critical (vote)
: mozilla1.8beta2
Assigned To: David Baron :dbaron: ⌚️UTC-7 (busy September 14-25)
:
:
Mentors:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-05-10 14:20 PDT by David Baron :dbaron: ⌚️UTC-7 (busy September 14-25)
Modified: 2006-03-12 18:32 PST (History)
5 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
testcase (4.68 KB, text/html; charset=UTF-8)
2005-05-10 14:21 PDT, David Baron :dbaron: ⌚️UTC-7 (busy September 14-25)
no flags Details
patch (use recursion) (3.30 KB, patch)
2005-05-10 14:33 PDT, David Baron :dbaron: ⌚️UTC-7 (busy September 14-25)
caillon: review+
dveditz: superreview+
asa: approval‑aviary1.0.4+
asa: approval1.7.8+
asa: approval1.8b2+
Details | Diff | Splinter Review

Description David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2005-05-10 14:20:18 PDT
nsScriptSecurityManager::GetBaseURIScheme doesn't handle jar:view-source:...
correctly because the jar: and view-source: cases don't use recursion as they
ought to.  This provides a way to get around
nsIScriptSecurityManager.DISALLOW_JAVASCRIPT or DISALLOW_JAVASCRIPT_OR_DATA checks.

Testcase to be attached, variant of bug 290036 and bug 290949.
Comment 1 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2005-05-10 14:21:51 PDT
Created attachment 183196 [details]
testcase
Comment 2 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2005-05-10 14:33:20 PDT
Created attachment 183198 [details] [diff] [review]
patch (use recursion)
Comment 3 Christopher Aillon (sabbatical, not receiving bugmail) 2005-05-10 14:51:19 PDT
Comment on attachment 183198 [details] [diff] [review]
patch (use recursion)

>Index: nsScriptSecurityManager.cpp

>-    while(PL_strcmp(scheme.get(), "view-source") == 0)
>+    if (PL_strcmp(scheme.get(), "view-source") == 0)

Since you're touching this, we should use libc's version of strcmp(), not the
PL version.

...

>-    //-- if uri is an about uri, distinguish 'safe' and 'unsafe' about URIs
>+    //-- if aURI is an about uri, distinguish 'safe' and 'unsafe' about URIs
>     static const char aboutScheme[] = "about";
>     if(nsCRT::strcasecmp(scheme.get(), aboutScheme) == 0)

The scheme is be normalized to all lowercase.  (Do we ever get schemes that
necko specifically knows about that are not lowercased?).  We can change this
to the libc strcmp() version.

r=caillon
Comment 4 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2005-05-10 14:54:44 PDT
My goal here was to change as little as possible; it's already using
EqualsLiteral on the trunk.
Comment 5 Bob Clary [:bc:] 2005-05-10 15:25:03 PDT
<http://test.bclary.com/tests/mozilla.org/security/293671-01.html> version of
the testcase without code execution.
Comment 6 Daniel Veditz [:dveditz] 2005-05-10 15:57:31 PDT
Comment on attachment 183198 [details] [diff] [review]
patch (use recursion)

sr=dveditz
Comment 7 Asa Dotzler [:asa] 2005-05-10 16:07:20 PDT
Comment on attachment 183198 [details] [diff] [review]
patch (use recursion)

a=asa
Comment 8 David Baron :dbaron: ⌚️UTC-7 (busy September 14-25) 2005-05-12 11:27:49 PDT
Checked in to trunk (still matters for data:).
Comment 9 Daniel Veditz [:dveditz] 2005-05-18 13:09:47 PDT
Clearing security flag from announced vulnerabilities fixed in Firefox
1.0.4/Mozilla 1.7.8

Note You need to log in before you can comment on or make changes to this bug.