Closed Bug 310373 Opened 19 years ago Closed 19 years ago

Dragging & Dropping a link on the "New Window"/"New Tab" buttons can load privileged xul

Categories

(Firefox :: Security, defect, P1)

1.5.0.x Branch
defect

Tracking

()

RESOLVED FIXED
Firefox1.5

People

(Reporter: asaf, Assigned: asaf)

Details

(Keywords: fixed1.8, Whiteboard: [sg:low] hidden by default, user interaction)

Attachments

(2 files)

Dragging & Dropping a link on the "New Window"/"New Tab" buttons can load
privileged xul.

STR:
 1. Add the "New Window" button to one of the toolbars.
 2. Load the attached testcase.
 3. d&d "chrome link" to the "New Window" button.
Status: NEW → ASSIGNED
Flags: blocking1.8b5?
Priority: -- → P1
Target Milestone: --- → Firefox1.5
Attached file testcase
Attached patch patch
Attachment #197773 - Flags: review?(mconnor)
Comment on attachment 197773 [details] [diff] [review]
patch

as discussed, this isn't really exploitable as-is, since it doesn't allow priv
escalation as far as I can see, but it's certainly a consistency issue.
Attachment #197773 - Flags: review?(mconnor) → review+
Checking in browser.js;
/cvsroot/mozilla/browser/base/content/browser.js,v  <--  browser.js
new revision: 1.518; previous revision: 1.517
done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Attachment #197773 - Flags: approval1.8b5?
Attachment #197773 - Flags: approval1.8b5? → approval1.8b5+
1.8 branch:
Checking in browser.js;
/cvsroot/mozilla/browser/base/content/browser.js,v  <--  browser.js
new revision: 1.479.2.36; previous revision: 1.479.2.35
done
Keywords: fixed1.8
Flags: blocking1.8b5? → blocking1.8b5+
Whiteboard: [sg:fix]
Whiteboard: [sg:fix] → [sg:low] hidden by default, user interaction
Flags: testcase+
Group: security
Flags: in-testsuite+ → in-testsuite?