Closed
Bug 305335
Opened 19 years ago
Closed 19 years ago
E4X: possibly exploitable crash in XML instance methods
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.8beta4
People
(Reporter: sync2d, Assigned: brendan)
References
()
Details
(Keywords: js1.5, verified1.8, Whiteboard: [sg:fix])
Attachments
(2 files)
|
18.98 KB,
patch
|
mrbkap
:
review+
shaver
:
superreview+
brendan
:
approval1.8b4+
|
Details | Diff | Splinter Review |
|
2.18 KB,
text/plain
|
Details |
XML instance methods use JS_GetPrivate() without any type checking.
Especially, xml_parent() may allow one to create
false JSObject with malicious JSObjectMap.
This is similar to bug 290162 and bug 295854.
javascript: o=new Number(0); o.__proto__=XML(); o.parent();
TB8553505H
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b4) Gecko/20050820 Firefox/1.0+
|
||
Comment 1•19 years ago
|
||
Brendan, can you look at this?
|
Assignee | |
Updated•19 years ago
|
Assignee: general → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.8beta4
|
|
Assignee | |
Comment 2•19 years ago
|
||
The non-standard way E4X hides methods in the prototype, making them not be
[[Get]]able, was supposed to save us here. More soon.
/be
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 3•19 years ago
|
||
I didn't see a chokepoint way of doing this.
/be
Attachment #193491 -
Flags: superreview?(shaver)
Attachment #193491 -
Flags: review?(mrbkap)
Attachment #193491 -
Flags: approval1.8b4+
|
||
Comment 4•19 years ago
|
||
Comment on attachment 193491 [details] [diff] [review]
fix
sr=shaver
Attachment #193491 -
Flags: superreview?(shaver) → superreview+
|
||
Comment 5•19 years ago
|
||
Comment on attachment 193491 [details] [diff] [review]
fix
r=mrbkap
Attachment #193491 -
Flags: review?(mrbkap) → review+
|
|
Assignee | |
Comment 6•19 years ago
|
||
Fixed on trunk and branch.
/be
|
|
||
Updated•19 years ago
|
Whiteboard: [sg:fix]
|
||
Comment 7•19 years ago
|
||
|
|
||
Updated•19 years ago
|
Flags: testcase?
|
|
||
Comment 8•19 years ago
|
||
no crash firefox 1.5 rc2 linux/win32 2005-11-07-12 in shell/browser
Keywords: fixed1.8 → verified1.8
|
|
||
Comment 9•19 years ago
|
||
testcase+ to get this off my radar. when this is made public, i will check in the test.
Flags: testcase? → testcase+
|
||
Updated•19 years ago
|
Group: security
|
|
||
Comment 10•19 years ago
|
||
RCS file: /cvsroot/mozilla/js/tests/e4x/Regress/regress-305335.js,v
done
Checking in regress-305335.js;
/cvsroot/mozilla/js/tests/e4x/Regress/regress-305335.js,v <-- regress-305335.js
initial revision: 1.1
You need to log in
before you can comment on or make changes to this bug.
Description
•