Bug 294074 - arbitrary code execution via sidebar (part 3)
Status: VERIFIED FIXED
Whiteboard: [sg:fix]
Keywords: fixed-aviary1.0.5, testcase
Product: Firefox
Classification: Client Software
Component: Security
Version: Trunk
Platform: All / All
Importance: -- critical
Target Milestone: ---
Assigned To: bugzilla
Blocks: sbb?
Reported: 2005-05-13 13:40 PDT by bugzilla
Modified: 2011-08-05 22:29 PDT
dveditz: blocking‑aviary1.0.5+
dveditz: blocking1.8b3+
dveditz: blocking‑aviary1.5+
bob: in‑testsuite?

Attachments
testcase (1018 bytes, text/html)
2005-05-13 13:41 PDT, bugzilla
no flags
patch to check "data:" url as well as "javascript:" url (944 bytes, patch)
2005-05-13 13:44 PDT, bugzilla
mconnor: review+
jaymoz: approval‑aviary1.0.5+
benjamin: approval‑aviary1.1a2+

Description bugzilla 2005-05-13 13:40:53 PDT
My bug 284627 has not been fully fixed. The "data:" URL check is missing. Augh.

Then bug 226548 becomes a problem. Links on the sidebar panel send the wrong
referer. This could be used for cross-site scripting.

If you are on about:config or a chrome URL, the referer is set to that privileged
content, not to the sidebar panel itself. This allows an attacker to execute
arbitrary code.
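The check the attached patch extends, shown as an added example that is not part of this bug report or of Mozilla's code: the incomplete version rejects only "javascript:" panel URLs, the corrected version rejects "data:" as well, and a scheme allowlist is shown as the stricter option. Function and constant names are hypothetical.

```javascript
// Added example (not the patch from this bug): scheme checks for a URL that a
// web page asks the browser to load into a sidebar panel.

// Extract the scheme the way a URL parser does: strip leading space and C0
// control characters, take everything up to the first ":", lower-case it.
// A naive prefix test on the raw string misses "  Data:..." or "JAVASCRIPT:...".
function schemeOf(url) {
  const trimmed = String(url).replace(/^[\s\u0000-\u001f]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(trimmed);
  return m ? m[1].toLowerCase() : null;
}

// Before (the incomplete fix from the earlier bug): only "javascript:" is
// rejected, so a "data:" URL carrying script still gets into the panel.
function isAllowedPanelUrlBefore(url) {
  return schemeOf(url) !== "javascript";
}

// After (what the patch title describes): both script-bearing schemes are
// rejected. Relative URLs (no scheme) are rejected too, since they would
// resolve against whatever the panel's base happens to be.
const SCRIPT_SCHEMES = new Set(["javascript", "data"]);
function isAllowedPanelUrlAfter(url) {
  const s = schemeOf(url);
  return s !== null && !SCRIPT_SCHEMES.has(s);
}

// Stricter alternative: a remotely supplied panel should only ever be http(s),
// which also keeps out privileged schemes such as chrome: that the denylist
// above does not mention.
const PANEL_SCHEMES = new Set(["http", "https"]);
function isAllowedPanelUrlAllowlist(url) {
  const s = schemeOf(url);
  return s !== null && PANEL_SCHEMES.has(s);
}
```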
Comment 1 bugzilla 2005-05-13 13:41:53 PDT
Created attachment 183535 [details]
testcase
Comment 2 bugzilla 2005-05-13 13:44:17 PDT
Created attachment 183536 [details] [diff] [review]
patch to check "data:" url as well as "javascript:" url
Comment 3 Mike Connor [:mconnor] 2005-05-30 21:29:05 PDT
Comment on attachment 183536 [details] [diff] [review]
patch to check "data:" url as well as "javascript:" url

ok, fair enough. I'm sure this will break something, but people can deal.
Comment 4 Jay Patel [:jay] 2005-06-15 18:36:45 PDT
Comment on attachment 183536 [details] [diff] [review]
patch to check "data:" url as well as "javascript:" url

Let's get this checked in on the Aviary branch. a=jay
Comment 5 Jay Patel [:jay] 2005-06-15 18:37:28 PDT
Are we taking this on the Trunk as well?
Comment 6 Mike Connor [:mconnor] 2005-06-15 19:44:29 PDT
yeah, needs trunk landing too, I'll get approvals and do that.
Comment 7 Daniel Veditz [:dveditz] 2005-06-23 11:44:31 PDT
Please land on the trunk, you have the approvals now
Comment 8 Mike Connor [:mconnor] 2005-06-23 19:03:32 PDT
fixed on trunk
Comment 9 Jay Patel [:jay] 2005-07-06 18:11:46 PDT
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050706 Firefox/1.0.5 using attached testcase.
Comment 10 Daniel Veditz [:dveditz] 2005-07-12 11:34:58 PDT
Adding distributors
Comment 11 Daniel Veditz [:dveditz] 2005-07-12 18:05:20 PDT
Security advisories published
Comment 12 Greg K. 2006-01-30 05:57:53 PST
Verified fixed using Win FF 1.5.