Closed
Bug 297543
Opened 19 years ago
Closed 19 years ago
Adblock is exploitable
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: jst)
References
Details
(Keywords: fixed-aviary1.0.5, fixed1.7.9, Whiteboard: [sg:fix])
Attachments
(3 files)
584 bytes,
text/html
|
Details | |
2.72 KB,
patch
|
benjamin
:
review+
brendan
:
superreview+
jay
:
approval-aviary1.0.5+
jay
:
approval1.7.9+
brendan
:
approval1.8b3+
|
Details | Diff | Splinter Review |
395 bytes,
text/html
|
Details |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050612 Firefox/1.0+ Even though Bug 294799 is fixed, Adblock is still exploitable by using almost the same way as attachment 184973 [details] in Bug 294799 comment 6. Content window can access the object created by Adblock (e.g. window._AdblockFiltered, node._AdblockData, ...), and can access its __parent__ that is the hiddenDOMWindow (or BackstagePass object if Adblock was installed in the browser root). thus, an attacker can use the same way as attachment 184973 [details] in order to run arbitrary code. I guess Bug 294799 should not be made public, until this problem is resolved. Reproducible: Always Steps to Reproduce: 1. Install Adblock. 2. Open the testcase.
Reporter | ||
Comment 1•19 years ago
|
||
Comment 2•19 years ago
|
||
Confirming, the fix for bug 294795/294799 did not fix this one. Granted that Adblock seems to do bad and unsafe stuff it still isn't right you can use its __parent__ to get back to a chrome window.
Assignee: dveditz → jst
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking1.7.9+
Flags: blocking-aviary1.0.5+
Comment 3•19 years ago
|
||
I'll fix this with a revised approach in bug 296397. /be
Assignee | ||
Updated•19 years ago
|
Whiteboard: Fixed by bug 296397
Comment 4•19 years ago
|
||
Fixed by the landing for bug 296397. /be
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•19 years ago
|
Keywords: fixed-aviary1.0.5,
fixed1.7.9
Reporter | ||
Comment 5•19 years ago
|
||
I've tested on: Firefox 2005-06-22-18-trunk Firefox 2005-06-22-04-aviary The fix for bug 296397 does not stop the testcase (attachment 186090 [details]). I guess, since the hiddenDOMWindow's URL is "about:blank" and the hiddenDOMWindow does not have chrome privilege, security manager's access-check succeeds.
Reporter | ||
Updated•19 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Reporter | ||
Comment 6•19 years ago
|
||
This bug is not fixed yet. Firefox 2005-06-30-13-trunk Firefox 2005-06-30-05-aviary
Assignee | ||
Comment 7•19 years ago
|
||
Yeah, indeed. The security check succeeds because of http://lxr.mozilla.org/mozilla/source/caps/src/nsScriptSecurityManager.cpp#870. We need to load something other than about:blank in our hidden window. Bsmedberg's got a patch that does that in bug 298478, but that makes the hidden window have chrome privs, which in and of itself scares me. We should do what bsmedberg did in that bug, but use a resource: URL instead so that it's not about:blank and does not have chrome privs.
Assignee | ||
Comment 8•19 years ago
|
||
Attachment #187952 -
Flags: superreview?(brendan)
Attachment #187952 -
Flags: review?(benjamin)
Comment 9•19 years ago
|
||
I don't understand why the patch in bug 298478 didn't fix this... is there code other than the JS component loader using the hiddenwindow script context?
Comment 10•19 years ago
|
||
Comment on attachment 187952 [details] [diff] [review] Make the hidden window load a resource: URL r=bsmedberg after an IRC discussion that left me slightly more confused tha enlightened. We should revisit all this hiddenwindow stuff in the 1.9 timeframe, giving xpconnect control over its own global objects.
Attachment #187952 -
Flags: review?(benjamin) → review+
Updated•19 years ago
|
Whiteboard: Fixed by bug 296397 → has patch, needs review brendan
Comment 11•19 years ago
|
||
Comment on attachment 187952 [details] [diff] [review] Make the hidden window load a resource: URL Looks ok, but I'm still concerned about a Ts hit -- we can watch for that and try a data: URL instead, if that's faster (or whatever is actually faster and not too ugly), for 1.8b4. /be
Attachment #187952 -
Flags: superreview?(brendan)
Attachment #187952 -
Flags: superreview+
Attachment #187952 -
Flags: approval1.8b3+
Updated•19 years ago
|
Whiteboard: has patch, needs review brendan
Assignee | ||
Updated•19 years ago
|
Attachment #187952 -
Flags: approval-aviary1.0.5?
Assignee | ||
Comment 12•19 years ago
|
||
Fix checked in.
Status: REOPENED → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 13•19 years ago
|
||
Not fixed on the branches yet.
Keywords: fixed-aviary1.0.5,
fixed1.7.9
Comment 14•19 years ago
|
||
Comment on attachment 187952 [details] [diff] [review] Make the hidden window load a resource: URL Let's get this checked in on the branches. a=jay
Attachment #187952 -
Flags: approval1.7.9+
Attachment #187952 -
Flags: approval-aviary1.0.5?
Attachment #187952 -
Flags: approval-aviary1.0.5+
Assignee | ||
Comment 15•19 years ago
|
||
Fixed on both branches now too.
Keywords: fixed-aviary1.0.5,
fixed1.7.9
Assignee | ||
Comment 16•19 years ago
|
||
Oh, and no noticeable Ts hit evident on tinderbox (that I can see).
Comment 17•19 years ago
|
||
This caused bug 299449, which I fixed on trunk for the toolkit apps but needs fixing on the branches also for ffox/tbird/SM
Depends on: 299449
Updated•19 years ago
|
Whiteboard: [sg:fix]
Reporter | ||
Comment 18•19 years ago
|
||
Adblock is still exploitable by using eval. window._AdblockFiltered.eval( "adblockRemoveSlow(null, window, false, 'MALICIOUS_CODE');", window._AdblockFiltered ); I'm not sure if this can be fixed in Bug 300008 or not.
Reporter | ||
Comment 19•19 years ago
|
||
This works on: Firefox/1.0.4 Firefox/1.0.5 2005-07-09-04-aviary1.0.1 Firefox/1.0+ 2005-07-08-18-trunk Mozilla/1.7.8 Mozilla/1.7.9 2005-07-09-09-1.7
Reporter | ||
Updated•19 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 20•19 years ago
|
||
I think the burden is on adblock to avoid passing content-controlled strings to setTimeout and similar functions. /be
Comment 21•19 years ago
|
||
so i've reached out to the adblock development team to understand who we should be talking to, assuming no else had already done that. i'm told that the group is rather informal, but technical contacts are ben@eschew.org and rue@mac.com. they hang out on #adblock on irc.m.o. dveditz, i haven't told them anything, i'm only making the connection. they seemed quite receptive to doing whatever is needed.
Comment 22•19 years ago
|
||
Adding AdBlock developer web@eschew.org so he can take a look at this.
Comment 23•19 years ago
|
||
Actually, Adblock 0.6 (unreleased) already stores per-window data in properties (in content window objects) with names randomly-generated on browser launch. That particular masking measure was designed merely to hide Adblock's traces from anti-adblocking scripts, but it should also make this somewhat harder to exploit. Yeah, using random properties doesn't really fix this bug. A sophisticated script could store a list of all properties for the window object as defined by the DOM, and then simply inspect those properties that aren't in the predefined list. Ideally, there would be a way for scripts to mark properties with the dontenumerate flag, but AFAIK that's not in the standard. From the Location bar in DPA2, trying to access the .__parent__ properties of the 0.6 equivalents of the ._AdblockData and ._AdblockFiltered properties throws a "Permission denied to get property Object.__parent__" exception. Calling .eval() on the eqivalents does give access to the Adblock object, but trying to access Components.stack results in an exception, as does attempting to use the file/directory_service to instantiate a nsIFile. The call to eval() from within that particular function has been made obsolete in 0.6, but that doesn't really seem to matter much, since any and all of the Adblock object's properties and functions could be subject to modification. That is to say: I'm not seeing any priviledge-escalation here, but an attacker could screw up Adblock (and, from there, the rest of the browser-session -- replacing the [nsIContentPolicy] shouldLoad() function with function() { throw ""; } means no more content loading until restart). If moving storage of per-window data out of content windows is the only secure solution, as it looks to be, we could probably set up a system that uses a randomly- (or, I suppose, sequentially-)generated number as a unique per-window identifying key into a hash stored within the Adblock object in the hidden window.... That would reduce Adblock's content-window profile to a single randomly-named property with an integer value, and I don't see how that could be exploitable. It'll be some work, but I don't really see any way around it at this point. Thoughts?
Comment 24•19 years ago
|
||
(In reply to comment #23) > Ideally, there would be a way for scripts to mark properties with the > dontenumerate flag, but AFAIK that's not in the standard. Not in ECMA-262, but even then, a script with some knowledge of your PRNG could probe quickly. Storing adblock info on content-accessible DOM wrapped-native JS objects is not a good plan, period, full stop. You really don't want to mix adblock chrome-parented objects with content. If you can use the xpcnativewrappers=yes option in your chrome manifest for 1.1, and fix adblock to cope with the XPCNativeWrapper automation that results from that wise default (getting the .wrappedJSObject from the XPCNativeWrapper only when you *really* need to see the content DOM node as it is, not operate on it via the well-known DOM interfaces), then adblock will be secure. As it is, saying that content could mess up adblock but not exploit it is making a large bet, and from our experience with the same bet for other chrome, not a good bet. /be
Comment 25•19 years ago
|
||
So bug 281988 was where the XPCNativeWrapper automation work finally occurred. The doc for XPCNativeWrapper automation is http://developer-test.mozilla.org/en/docs/Safely_accessing_content_DOM_from_chrome /be
Comment 26•19 years ago
|
||
Ben, does adblock intend to continue storing data on the content nodes? That is, do you need a way to do so safely, or do you plan to move to some other system?
Comment 27•19 years ago
|
||
Per clarity: when xpcnativewrappers=yes: . a.) properties set by chrome on content are set on a wrapper? b.) the properties cannot be accessed by content? c.) the wrapper is persisted for the native's life? d.) all subsequent chrome-calls see the exact same wrapper? . On that last point (d), I've seen mention that wrapper-sharing is "per script filename". Adblock sets things from component.js, but later accesses them from filterall.js. Would xpcnativewrappers=yes break this?
Comment 28•19 years ago
|
||
(In reply to comment #27) > a.) properties set by chrome on content are set on a wrapper? No, properties cannot be set on a wrapper at all at the moment, hence my question. See bug 300325. > b.) the properties cannot be accessed by content? If they were set on a wrapper this would be true. > c.) the wrapper is persisted for the native's life? See bug 295937. This is a non-issue as long as you can't set properties at all, but if we do allow property sets we'll also make sure this works. > d.) all subsequent chrome-calls see the exact same wrapper? Given (c) this would be correct. > On that last point (d), I've seen mention that wrapper-sharing is "per script > filename". I'm not aware of this... if you could point me to said mention, I would appreciate it.
Comment 29•19 years ago
|
||
Adding distributors
Comment 30•19 years ago
|
||
bz: The third paragraph in comment 24 concludes: "..then adblock will be secure." But, its proposal would only solve things if wrapper-retention were implemented. Which is why I asked. . The mention of filename-based wrapper-sharing is here -- ironically, under 'Resolved Issues': http://wiki.mozilla.org/User:Brendan Regarding deliberations on whether or not to add wrapper+prop retention: Adblock might be the only one. Anticipating no further support/progress, I've come up with an alternate solution, extension-side -- reflecting shaver's Sandbox out through a dummy-module, then instantiating an array/object-generating function inside its "clean" environment: . new Script("var generator=function(){return []}").exec(mySandbox) mySandbox.generator() . Not as simple as the manifest-flag, but it works. Ideally, Sandbox would be frozen.
Comment 31•19 years ago
|
||
(In reply to comment #30) > The mention of filename-based wrapper-sharing is here -- ironically, under > 'Resolved Issues': http://wiki.mozilla.org/User:Brendan You're misreading that -- it says nothing about wrapper identity/lifetime being scoped by source files. It says that deciding whether to share wrappers, or use automated XPCNativeWrapper protection, must be configurable by source file, or at least by "content package" in the chrome sense. > Regarding deliberations on whether or not to add wrapper+prop retention: > Adblock might be the only one. Anticipating no further support/progress, Why did you jump to that conclusion? > I've come up with an alternate solution, extension-side -- reflecting shaver's > Sandbox out through a dummy-module, then instantiating an > array/object-generating function inside its "clean" environment: > . > new Script("var generator=function(){return []}").exec(mySandbox) > mySandbox.generator() > . > Not as simple as the manifest-flag, but it works. Ideally, Sandbox would be > frozen. Please don't do this if you can use xpcnativewrappers=yes. We are not going to freeze Sandbox because you assumed no progress on the questions you raised. We are not going to support other extensions rolling their own solutions when the general, long-standing patterns can be made to work in most cases with the XPCNativeWrapper automation. /be
Comment 32•19 years ago
|
||
rue, Ben: we're just trying to get a sense of what usage patterns extensions (like adblock) have so we can decide what to do with bug 300325. The goal here is to have maximum usability while remaining usefully secure. We're not out to screw extensions over, by any means!
Comment 33•19 years ago
|
||
bz's more diplomatic than I am. ;-) Rue, Ben: we are here to help. Adblock is not alone. The shared-DOM (with protection from JS overrides) model you enjoy today is something we want to support, not break. Let's work together. I think bug 300025 should be fixed, not WONTFIXed. jst may be convinced too, by your testimony here. /be
Comment 34•19 years ago
|
||
Well, ideally, usage patterns should be reflective of requirements, so... Currently, in order for filterall to work properly, we need a way of uniquely associating a |window| object with a list of nodes that Adblock has procesed from that window. Currently, it's done implicitly, by storing objects as properties of each window; it could be done with a single integer, but even integer literals have the .eval() method, making them insecure (what if we clobbered .eval on whatever we store in content?). More to the point, I'm not currently aware of any way to differentiate between window objects (URL alone is not enough) without marking them in some way. Any suggestions? If not, then yes, we'd pretty much require the ability to set new properties on wrappers / continue storing data in content. (We also, in 0.6, tag nodes that pass through shouldLoad(), but we could move back to the 0.5 model of storing such data in a separate array indexed by URL. Again, identifying windows uniquely is the key.) And /be is of course right about access-exploitability, since arbitrary code could be injected into, say, shouldLoad(), which runs with full chrome privs IIRC.
Comment 35•19 years ago
|
||
What sort of differentiate? You can tell them apart via == of course, but if you're trying to match up a window object with some random data then you need to either have the data on the object or the data/object pair somewhere (and do a search through the somewhere for the right pair).
Comment 36•19 years ago
|
||
(In reply to comment #34) > Well, ideally, usage patterns should be reflective of requirements, so... Even better if we didn't break any existing patterns of usage, based on whatever requirements existed when an extension was written. The hard case with split wrappers (xpcnativewrappers=yes automation) is when chrome wants to get or set a JS property that content sets or gets -- not a DOM attribute mapped to a property. That can be handled by using .wrappedJSObject carefully. > Currently, in order for filterall to work properly, we need a way of uniquely > associating a |window| object with a list of nodes that Adblock has procesed > from that window. Currently, it's done implicitly, by storing objects as > properties of each window; it could be done with a single integer, but even > integer literals have the .eval() method, making them insecure (what if we > clobbered .eval on whatever we store in content?). It sounds like there's some misunderstanding of the security hazards here. First, what do you mean by "single integer"? JS does not create an object for each primitive-typed value, so 1.eval evals against a temporary Number instance created on the fly. There's no persistent harm, and the eval runs in the scope of its caller, so if content calls it there is no cross-trust-domain scripting hole. What's more, with bug 300008, the eval native method does its own checks and should not be usable to attack chrome, unless chrome blindly calls a method on a content DOM node. That's why we recommend xpcnativewrappers=yes. You can't be tricked if your chrome uses its own wrappers for the underlying DOM natives. > More to the point, I'm not currently aware of any way to differentiate between > window objects (URL alone is not enough) without marking them in some way. Any > suggestions? Object identity, as bz pointed out; or just decorate the chrome wrapper for the window object with ad-hoc JS properties, with xpcnativewrappers=yes. Those JS properties won't be seen by content, and can't be spoofed by content. > If not, then yes, we'd pretty much require the ability to set new properties > on wrappers That should be possible, I agree. > / continue storing data in content. That doesn't follow. If you can store your data on chrome wrappers, use them to safely call into the content DOM, and not be tricked by content manipulations of its wrappers, everyone wins. To actually block ads, you'll need to do some mutating operations, but these are DOM ops -- not ad-hoc JS property gets or sets on the content wrappers, right? > (We also, in 0.6, tag nodes that pass through shouldLoad(), but we could move > back to the 0.5 model of storing such data in a separate array indexed by URL. > Again, identifying windows uniquely is the key.) I don't see a problem here in the xpcnativewrappers=yes model, unless content scripts are *supposed* to see your ad-hoc properties. But that's not safe, so it can't be the case. If the devmo docs on XPCNativeWrapper are unclear, we should fix them -- please list any questions left unanswered, so we can get this sorted out for you guys and for others. Thanks for your help, /be
Comment 37•19 years ago
|
||
> each primitive-typed value, so 1.eval evals against a temporary Number instance
I mean (1).eval(program) or 1..eval(program), of course (think about precedence
of the lexical grammar production for floating point literal vs. syntactic
production for the dot operator.
/be
Comment 38•19 years ago
|
||
bz: Differentiate meaning to "match a window object with some random data". Right -- currently, we store data on the window, but unless/until bug 300325 is fixed, that won't be secure. | If I understand you correctly, the "other" way of doing it would involve keeping a referenced copy of *every* window object in a given browser session. According to rue, from his experience with SessionSaver, there's no non-hackish and -fragile way to detect tab closings, which means that this method would effectively involve leaking every single window. In general, it just seems like an awfully unintuitive and "wrong" solution. /be: Wait, now I'm somewhat confused: >just decorate the chrome wrapper for the >window object with ad-hoc JS properties, with xpcnativewrappers=yes. Those JS >properties won't be seen by content, and can't be spoofed by content. Unless there is a persistent one-to-one mapping between a window object and its chrome wrapper, as fetched from XPCNativeWrapper(), this doesn't work, as it's the window object that we are given to differentiate, not the chrome wrapper. You seem to be implying that after the following theoretical code is executed, var wrapper = new XPCNativeWrapper(window, 'myProperty'); wrapper.myProperty = 'myValue'; wrapper = new XPCNativeWrapper(window, 'myProperty'); then wrapper.myProperty should equal 'myValue', and window.eval('alert(typeof(window.myProperty))') should alert "undefined"? Looking through the devmo docs, I don't see any mention of the consequences of passing non-DOM-properties as arguments. This (the fact that it doesn't work) seems like bug 300325, or is that something else? As noted earlier, it would be ideal to have an "invisible" profile from content JS, so that Adblock isn't (directly) detectable by anti-adblocking scripts. If it's OK security-wise to mark the content window object with an integer, then that's good, but it still leaves the issue of leaks and how to know when to dispose of the obsolete data now being kept in chrome, which was automatically handled when data was stored within the content windows. Re: blocking ads: in 0.6, all display mutations are done by setting a given value on a (randomly-chosen-on-first-run-after-install) attribute on a given node; code injected into userContent.css does the rest.
Comment 39•19 years ago
|
||
(In reply to comment #38) > /be: > Wait, now I'm somewhat confused: > > >just decorate the chrome wrapper for the > >window object with ad-hoc JS properties, with xpcnativewrappers=yes. Those > >JS properties won't be seen by content, and can't be spoofed by content. > > Unless there is a persistent one-to-one mapping between a window object and > its chrome wrapper, as fetched from XPCNativeWrapper(), this doesn't work, as > it's the window object that we are given to differentiate, not the chrome > wrapper. Who gives you (you == chrome script) the window object? Isn't really adblock's chrome scripts/functions that inspect content window objects? If so, then by setting xpcnativewrappers=yes, those scripts will get their own persistently associated XPCNativeWrappers for the content DOM objects. > You seem to be implying that after the following theoretical code is executed, > > var wrapper = new XPCNativeWrapper(window, 'myProperty'); > wrapper.myProperty = 'myValue'; > wrapper = new XPCNativeWrapper(window, 'myProperty'); > > then wrapper.myProperty should equal 'myValue', and > window.eval('alert(typeof(window.myProperty))') should alert "undefined"? > Looking through the devmo docs, I don't see any mention of the consequences of > passing non-DOM-properties as arguments. This (the fact that it doesn't work) > seems like bug 300325, or is that something else? That bug will be fixed, but even then, if you set xpcnativewrappers=yes, you don't have to explicitly construct XPCNativeWrappers. Your chrome script will get an XPCNativeWrapper automatically created, one for one, with the underlying wrapped native. > As noted earlier, it would be ideal to have an "invisible" profile from > content JS, so that Adblock isn't (directly) detectable by anti-adblocking > scripts. It won't be, once the JS properties it sets go on its own automatically created XPCNativeWrappers, where content scripts cannot see them. > If it's OK security-wise to mark the content window object with an integer, Mark the chrome XPCNativeWrapper for the content window *native*. I think I see the confusion. Here's some ASCII art (and I love the tall textareas bookmarklet!): +----------------+ +----------------+ *-----------------* |XPCNativeWrapper|========|XPCWrappedNative|*~~~~~~~|native DOM window| +-----+----------+ +----------------+| *-----------------* V / *----------------* |_wrappedJSObject_/ +---+ borders bound JS objects; *---* borders bound native XPCOM objects. The XPCNativeWrapper is a JS object; so is the wrapped native whose private data is of type XPCWrappedNative (these names are obscurely different; history, and a reminder to think clearly about which is which). That XPCOM object is mapped via a hashtable per "scope" (window JS object, essentially) to the root XPCOM interface pointer of the native DOM window instance. So when you use xpcnativewrappers=yes in your chrome manifest, you get automatic wrapping of the JS object the content sees (the XPCWrappedNative's JS object), namely the XPCNativeWrapper on the left. If you set properties on that object (once bug 300325 is fixed), content scripts can't see them -- there is no path available to scripts from right to left above. The only path available, and only to chrome scripts, is from the XPCNativeWrapper to the XPCWrappedNative's JS object, the property arc labeled wrappedJSObject above. > then > that's good, but it still leaves the issue of leaks and how to know when to > dispose of the obsolete data now being kept in chrome, which was automatically > handled when data was stored within the content windows. There's no leak issue. The XPCNativeWrappers created automatically, and any properties you set on them, will live as long as their XPCWrappedNatives live (bz, remind me if there's a bug to fix here still). > Re: blocking ads: in 0.6, all display mutations are done by setting a given > value on a (randomly-chosen-on-first-run-after-install) attribute on a given > node; code injected into userContent.css does the rest. Do you mean DOM attribute, or JS property not named in any w3c or Mozilla DOM IDL? /be
Comment 40•19 years ago
|
||
Just to be super clear:
> namely the XPCNativeWrapper on the left. If you set properties on that object
> (once bug 300325 is fixed), content scripts can't see them -- ....
I'm talking about JS properties, not DOM attributes. So when you use an
XPCNativeWrapper to operate on the native XPCOM object underlying the
XPCWrappedNative, by getting or setting attributes, or calling methods, you
indeed affect the underlying DOM or other data -- which is exactly what it
sounds as if Adblock needs to do so the userContent.css rules can block certain
ad content nodes.
I hope there's no case where Adblock needs to set non-DOM-attribute ("ad-hoc")
JS properties on content DOM nodes.
/be
Comment 41•19 years ago
|
||
(In reply to comment #38) > In general, it just seems like an awfully unintuitive and "wrong" solution. Agreed. That's why I filed bug 300325... ;) If adblock is aiming to affect styles, it would be calling setAttribute(), I assume -- setting a random property on a content node won't create a corresponding attribute that can be styled. So that part sounds like it should be ok.
Comment 42•19 years ago
|
||
Noting new dependencies. Sort of morphing this bug, hope no one minds. /be
Comment 43•19 years ago
|
||
/be: For better or worse, any solution implemented to fix this issue *must* be backwards compatible to at least Mozilla 1.3.1, which is the highest-versioned Gecko application available under Mac OS 9, which happens to be rue's platform of choice. As far as I can tell, no force on this earth short of Jesus Christ Himself is going to convince rue to change platforms (and even then he might hold out for the real deal). Anyways, said solution doesn't technically have to be *secure* on pre-1.1 platforms, though that would be an obvious plus. That's why I'd only mentioned explicitly-created XPCNativeWrappers -- consistency of behavior for 1.1 *and* older builds. ==================== From what I've seen, I think the most obvious "correct" course of action is this: have bug 300325 fixed [edit: marked fixed while writing], and Adblock will use xpcnativewrappers=yes and not explicitly construct wrappers. This will leave 1.1 users secure, while maintaining full functionality -- if not full security -- on older builds. Which is, incidentally, your original recommendation, no? :) ==================== (We can try experimenting with things like clobbering .eval on our properties and other such tricks, I guess, to try to make exploits as difficult as possible to discover on older builds... which somewhat reminds me -- will this bug be un-sensitivised in the future? The vulnerabilities, after all, still exist in older builds with Adblock installed.) When you say "I hope there's no case where Adblock needs to set non-DOM-attribute ("ad-hoc") JS properties on content DOM nodes.", I assume you mean "set JS properties that are meant to be seen by content"? That is correct. >It won't be, once the JS properties it sets go on its own automatically >created XPCNativeWrappers, where content scripts cannot see them. But bug 300325 is about the fact that that will not work in pre-1.1 builds, right? -- and that would be an issue if we tried using XPCNativeWrappers explicitly in all builds, as noted above. The hypothetical "leak" issue would be because we'd (have been) caching the window objects -- XPCWrappedNatives, if you will -- so as to retain backwards-compatibility and consistency of behavior across all Mozilla platforms. re: the code example in comment 38 -- I assume the answer is "undefined"? bz (and /be): "attribute" implies DOM attribute, property implies JS property.
Comment 44•19 years ago
|
||
(In reply to comment #43) Everything sounds cool -- just wanted clarity on this item: > >It won't be, once the JS properties it sets go on its own automatically > >created XPCNativeWrappers, where content scripts cannot see them. > > But bug 300325 is about the fact that that will not work in pre-1.1 builds, > right? No, because before 1.1, XPCNativeWrapper was implemented in JS, and you could add "expandos" to it. > -- and that would be an issue if we tried using XPCNativeWrappers > explicitly in all builds, as noted above. No, you could do that. But I agree it's better to use xpcnativewrappers=yes and implicit wrappers. /be
Comment 45•19 years ago
|
||
> That's why I'd only mentioned explicitly-created XPCNativeWrappers --
> consistency of behavior for 1.1 *and* older builds.
That got me thinking... What if, in 1.1, explicit XPCNativeWrapper constructors
that are:
1) Called from code that uses xpcnativewrappers=yes
2) Called on an XPCNativeWrapper (usual, given #1)
just return the XPCNativeWrapper they're called on? I can't think of reasons
why such code would want to create explicit wrappers, really; if it does, it can
do so by getting the wrappedJSObject first and calling new XPCNativeWrapper() on
that...
That would let code be safe in both 1.1 and pre-1.1 releases and all that good
stuff. jst, shaver, brendan, what do you think?
Comment 46•19 years ago
|
||
Actually, comment 45 makes no sense -- in pre-1.8 (Gecko) builds you couldn't set props on an XPCNativeWrapper and expect them to stick around, so that wouldn't be a viable solution anyway....
Comment 47•19 years ago
|
||
(In reply to comment #46) > Actually, comment 45 makes no sense -- in pre-1.8 (Gecko) builds you couldn't > set props on an XPCNativeWrapper and expect them to stick around, so that > wouldn't be a viable solution anyway.... You mean because XPCNativeWrapper creation before 1.8 (1.8b2, IIRC) was explicit. But an explicit 'new XPCNativeWrapper(...)' could be kept alive via any strong ref (a global var, e.g.) that the chrome script maintained. But in any case, the point I thought you were making is that an explicitly created XPCNativeWrapper that is given another XPCNW should not double-wrap. Once we fix the implicit-lifetime bug. /be
Comment 48•19 years ago
|
||
That was sorta the point I was making, but the point was based on trying to solve a specific problem, and it doesn't solve it. At the moment it doesn't double-wrap -- it just unwraps and rewraps, which is fine and gives very consistent behavior for explicit wrappers.
Reporter | ||
Comment 49•19 years ago
|
||
.eval exploit has been blocked by the fix for Bug 300867. Content window can no longer execute eval using the scope of the hidden window. I've tested on: Firefox 1.0.6 2005-07-17-05 Firefox 1.0+ 2005-07-17-07 Mozilla 1.7.10 2005-07-17-09 Exploit (attachment 188804 [details]) failed with this error: Error: function eval must be called directly, and not by way of a function of another name
Updated•19 years ago
|
Flags: blocking1.8b4?
Comment 50•19 years ago
|
||
Fixed, again. Any similar recurrence should be reported under a new bug. /be
Status: REOPENED → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → FIXED
Updated•19 years ago
|
Flags: blocking1.8b4?
Updated•19 years ago
|
Flags: testcase+
Updated•18 years ago
|
Group: security
Updated•17 years ago
|
Flags: in-testsuite+ → in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•