My bug 284627 has not been fully fixed. "data:" url check is missing. Augh. Then, bug 226548 becomes a problem. Links on the sidebar panel send wrong referer. This could be used for cross-site scripting. If you are on about:config or chrome url, referer is set to that privileged content, not to the sidebar panel itself. This allows an attacker to execute arbitrary code.
Attachment #183536 - Flags: review+
Attachment #183536 - Flags: approval-aviary1.0.5+
Are we taking this on the Trunk as well?
Whiteboard: [sg:fix] have patch → [sg:fix] need landing
yeah, needs trunk landing too, I'll get approvals and do that.
Whiteboard: [sg:fix] need landing → [sg:fix]
Attachment #183536 - Flags: approval-aviary1.1a2? → approval-aviary1.1a2+
Please land on the trunk, you have the approvals now
Whiteboard: [sg:fix] → [sg:fix] needs trunk landing
fixed on trunk
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [sg:fix] needs trunk landing → [sg:fix]
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050706 Firefox/1.0.5 using attached testcase.
Security advisories published
Verified fixed using Win FF 1.5.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.