Scripts in attachments (e.g. forwards) run and can access content of message (wiretap variant)

RESOLVED FIXED

Status

MailNews Core
Security
12 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

Trunk
PowerPC
Mac OS X

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low])

(Reporter)

Description

12 years ago
Scripts in attachments, including messages forwarded as attachments, can access
the content of the main message.  They should be isolated or not allowed to run
at all.  Tested using SeaMonkey 1.0 Alpha on Mac.

Fixing this bug would eliminate wiretap-style exploits for messages forwarded as
attachments (which is the default for Thunderbird) regardless of the state of
the capability.policy.mailnews.*.* blacklist (often ineffective due to omissions).
(Reporter)

Comment 1

12 years ago
See also bug 67702, a sender-side solution for the forward-inline mode.
(Reporter)

Updated

12 years ago
Blocks: 84545
(Assignee)

Updated

9 years ago
Product: Core → MailNews Core
(Reporter)

Updated

9 years ago
Summary: Scripts in attachments (e.g. forwards) run and can access content of message → Scripts in attachments (e.g. forwards) run and can access content of message (wiretap variant)
Whiteboard: [sg:low]
This was fixed by bug 374577.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Depends on: 374577
Resolution: --- → FIXED