12 years ago
Nominating for 1.0.7 -- if we don't fix the split-window issues in this branch release then this potentially could be combined with one of those into an arbitrary execution exploit.
The trunk is not vulnerable, the document URI remains the about: URL. I'll start looking for the fix.
bzbarsky and dveditz seem to have found the bug that fixed this on the trunk: bug 269827.
The reason the trunk/1.8 is not vulnerable is that this was fixed in bug 289827 in November 2004. I'll attach a merged patch here, the old one doesn't apply cleanly. It also doesn't fully solve the problem, I still don't get the correct about: URI, but at least I get a non-privileged jar: URI instead of the chrome: URI. Many thanks to bz and his awesome cache of nightly builds for fingering exactly when the trunk got fixed.
Created attachment 195951: trunk fix merged to aviary branch
As mentioned, this doesn't make it work entirely correctly, but it does stop the privilege escalation.
Nominating for security bounty despite this being a dupe, obviously we didn't recognize the security implications.
Comment on attachment 195951 (trunk fix merged to aviary branch):
So the reason we get a jar: URI on branch (but not trunk) is that now the original URI is an about: URI. On trunk, the fix for bug 251368 makes us just leave it at that, while on branch we go and get the current channel URI, which is the jar: URI. I guess this is fine since it fixes the security hole and the cosmetic stuff is fixed on trunk...
Comment on attachment 195951 (trunk fix merged to aviary branch):
sr=darin
Comment on attachment 195951 (trunk fix merged to aviary branch):
Per 1.0.7 triage meeting, plussing patch.
Fix checked into the aviary and 1.7 branches. Trunk is already fixed by bug 269827.
Created attachment 196092: testcase
With 1.0.6/winxp, dragging the link to the new window shows the alert and changes the URL to chrome://global/content/mozilla.xhtml.
With 1.0.7/winxp 20050914, dragging the link to the new window shows the alert and changes the URL to jar:resource:///chrome/toolkit.jar!/content/global/mozilla.xhtml.
With 1.5b/winxp 20050914, dragging the link to the new window shows the document.write and does not alert.
Have we got final verification on this?
Firefox 1.0.7 20050915 on Windows XP and Linux shows and alerts the jar:resource URL. Any Mac users to test this?