arbitrary code execution via sidebar (part 3)

VERIFIED FIXED

Status

defect
--
critical
VERIFIED FIXED
14 years ago
8 years ago

People

(Reporter: u115577, Assigned: u115577)

Tracking

({fixed-aviary1.0.5, testcase})

Trunk
Points:
---
Bug Flags:
blocking-aviary1.0.5 +
blocking1.8b3 +
blocking-aviary1.5 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:fix])

Attachments

(2 attachments)

My bug 284627 has not been fully fixed. "data:" url check is missing. Augh.

Then, bug 226548 becomes a problem. Links on the sidebar panel send wrong
referer. This could be used for cross-site scripting.

If you are on about:config or chrome url, referer is set to that privileged
content, not to the sidebar panel itself. This allows an attacker to execute
arbitrary code.
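
Added example, not part of the bug report and not the Firefox patch: a scheme check of the kind described above, comparing a filter that rejects only `javascript:` with one that also rejects `data:`. It goes one step beyond the report by also showing an allowlist; all function names and sample URLs are constructed for illustration.

```javascript
// Illustration only: not Firefox's sidebar code. All names are hypothetical.

// Parse with the WHATWG URL parser so the scheme is normalized
// (lowercased, surrounding whitespace stripped) before it is compared.
function schemeOf(raw) {
  try {
    return new URL(raw).protocol; // e.g. "https:"
  } catch (e) {
    return null; // unparseable or relative input: callers reject it
  }
}

// Denylist that knows only about "javascript:" (the incomplete check).
function denylistJsOnly(raw) {
  const s = schemeOf(raw);
  return s !== null && s !== "javascript:";
}

// Denylist extended with "data:", as the patch title describes.
function denylistJsAndData(raw) {
  const s = schemeOf(raw);
  return s !== null && s !== "javascript:" && s !== "data:";
}

// Allowlist (an addition beyond the report): accept only ordinary web schemes,
// so a scheme nobody thought to list is rejected by default.
const ALLOWED = new Set(["http:", "https:"]);
function allowlist(raw) {
  const s = schemeOf(raw);
  return s !== null && ALLOWED.has(s);
}

// Constructed sample inputs.
const SAMPLES = [
  "https://example.com/panel.html",
  " JaVaScRiPt:void(0)",
  "data:text/html,<p>constructed</p>",
  "panel.html",
];

// Returns, per sample, whether each check would let the URL load.
function evaluate(samples) {
  return samples.map((u) => ({
    url: u,
    jsOnly: denylistJsOnly(u),
    jsAndData: denylistJsAndData(u),
    allow: allowlist(u),
  }));
}

console.table(evaluate(SAMPLES));
```
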
Posted file testcase
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.0.5?
Keywords: testcase
Assignee: nobody → mconnor
Flags: blocking-aviary1.1? → blocking-aviary1.1+
Flags: blocking-aviary1.0.5? → blocking-aviary1.0.5+
Whiteboard: [sg:fix]
Blocks: sbb?
Comment on attachment 183536 [details] [diff] [review]
patch to check "data:" url as well as "javascript:" url

ok, fair enough.  I'm sure this will break something, but people can deal.
Attachment #183536 - Flags: review+
Whiteboard: [sg:fix] → [sg:fix] have patch
Assignee: mconnor → bugzilla
Comment on attachment 183536 [details] [diff] [review]
patch to check "data:" url as well as "javascript:" url

Let's get this checked in on the Aviary branch. a=jay
Attachment #183536 - Flags: approval-aviary1.0.5+
Are we taking this on the Trunk as well?
Whiteboard: [sg:fix] have patch → [sg:fix] need landing
yeah, needs trunk landing too, I'll get approvals and do that.
Attachment #183536 - Flags: approval-aviary1.1a2?
Whiteboard: [sg:fix] need landing → [sg:fix]
Attachment #183536 - Flags: approval-aviary1.1a2? → approval-aviary1.1a2+
Please land on the trunk, you have the approvals now
Flags: blocking1.8b3+
Whiteboard: [sg:fix] → [sg:fix] needs trunk landing
fixed on trunk
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: [sg:fix] needs trunk landing → [sg:fix]
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9)
Gecko/20050706 Firefox/1.0.5 using attached testcase.
Adding distributors
Security advisories published
Group: security
Flags: testcase+
Verified fixed using Win FF 1.5.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+ → in-testsuite?