Fix for Bug 311024 does not block (new Script(code)).exec(window)

Status: RESOLVED FIXED
Product / Component: Core / Security
Reported: 12 years ago; last modified: 10 years ago
People: Reporter: moz_bug_r_a4; Assigned: mrbkap
Keywords: fixed1.7.13, fixed1.8
Version: Trunk; Hardware: x86 / Windows XP
Bug Flags: blocking1.7.13 +, blocking-aviary1.0.8 +, blocking1.8rc1 +, in-testsuite ?
Whiteboard: [sg:high] xss (splitwindows)
Attachments: 2 attachments, 1 obsolete attachment
Description (Reporter), 12 years ago

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050916
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051007 Firefox/1.6a1

I've tested on the hourly build 2005100718 that includes the fix for Bug 311024.
(new Script(code)).exec(window) is still executed with the outer window scope.

Reproducible: Always

Steps to Reproduce:

Comment 1 (Reporter), 12 years ago

Created attachment 198885 [details]
testcase - steal cookie

Comment 2, 12 years ago

Blake may have caught this when working on bug 311025 and/or bug 311403 (see bug
311025 comment 12), or at least we noticed some inconsistency when I was
reviewing one of the patches.
Assignee: dveditz → mrbkap
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:high]
Flags: blocking1.8rc1?

Comment 3 (Assignee), 12 years ago

I missed script_exec, patch soon.
Status: NEW → ASSIGNED

Comment 4 (Assignee), 12 years ago

Created attachment 198887 [details] [diff] [review]
Wrong patch file
Attachment #198887 - Flags: review?(brendan)

Comment 5 (Assignee), 12 years ago

Comment on attachment 198887 [details] [diff] [review]
Wrong patch file

Sorry, wrong patch.
Attachment #198887 - Attachment is obsolete: true
Attachment #198887 - Flags: review?(brendan)

Comment 6 (Assignee), 12 years ago

Created attachment 198888 [details] [diff] [review]
This should really do it.
Attachment #198888 - Flags: review?(brendan)

Updated, 12 years ago

Attachment #198887 - Attachment description: This should do it → Wrong patch file

Updated, 12 years ago

Attachment #198888 - Flags: review?(brendan)
Attachment #198888 - Flags: review+
Attachment #198888 - Flags: approval1.8rc1+

Comment 7, 12 years ago

The 1.0 branch will also need this fix
Flags: blocking1.8rc1? → blocking1.8rc1+
Depends on: 296639
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Whiteboard: [sg:high] → [sg:high] xss (splitwindows?)

Comment 8 (Assignee), 12 years ago

Fix checked into trunk.

Dan, this is a splitwindow sort of fix. Porting it to 1.0.x might be hard. Do I
need to look into a 1.0.x fix for this?
Blocks: 311024
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Comment 9, 12 years ago

(In reply to comment #8)
> Dan, this is a splitwindow sort of fix. Porting it to 1.0.x might be hard. Do I
> need to look into a 1.0.x fix for this?

Not now. I've linked it to the splitwindows bug and we'll deal with backporting
those as a group when it's done and we round up the manpower to do it.

Whiteboard: [sg:high] xss (splitwindows?) → [sg:high] xss (splitwindows)

Comment 10, 12 years ago

(In reply to comment #8)
> Fix checked into trunk.
> 
> Dan, this is a splitwindow sort of fix. Porting it to 1.0.x might be hard. Do I
> need to look into a 1.0.x fix for this?

Is there an exploit based on this bug's testcase that works in 1.0.x?  Please
attach a testcase demonstrating that attack, if possible.  I thought this bug
and bug 311024 were predicated on split windows.  We have already added
principals subsumption tests to 1.0.x and 1.7.y to handle eval and Script.

Say this bug does bite 1.0.x.  If we do not backport all of the split window
work, we might instead try to do something that will hurt performance, and that
doesn't fix all non-security bugs, but that does ensure security -- something
like adding principals holding and dropping to cloned function objects.  That
could hurt DHTML or AJAX perf, for sure.  It might be enough to ensure security,
and it would be a smaller patch.  Comments?

/be
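The previous comment refers to "principals subsumption tests" added for eval and Script on the 1.0.x and 1.7.y branches. The block below is an added illustration written for this page, not Gecko's code: a toy model in which a principal is either the system principal or an origin (scheme, host, port), and a Script-style exec into a target scope is refused unless the calling script's principal subsumes the scope's principal. The names (`principalFromOrigin`, `subsumes`, `checkedExec`) and the sample origins are constructed for the example.

```javascript
// Added illustration (not Gecko code): a minimal model of the principals
// subsumption check described in the bug. A principal is either the system
// principal (privileged chrome) or an origin triple (scheme, host, port).

const SYSTEM = Object.freeze({ system: true });

// Parse an origin string such as "https://example.org:8443" into a principal.
// Default ports are filled in so "https://a.example" and "https://a.example:443"
// compare equal, as they should.
function principalFromOrigin(origin) {
  const u = new URL(origin);
  const defaultPort = u.protocol === 'https:' ? '443' : '80';
  return Object.freeze({
    system: false,
    scheme: u.protocol.replace(':', ''),
    host: u.hostname,
    port: u.port || defaultPort,
  });
}

// a subsumes b when a is the system principal, or when a and b are the same
// origin. A content principal never subsumes the system principal.
function subsumes(a, b) {
  if (a.system) return true;
  if (b.system) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Model of a Script-object exec: `fn` runs against `scope` only if the
// script's principal subsumes the scope's principal. Otherwise the call is
// refused, which is the "permission denied" outcome comment 15 reports for
// the fixed build. No code from `fn` runs when the check fails.
function checkedExec(scriptPrincipal, scope, fn) {
  if (!subsumes(scriptPrincipal, scope.principal)) {
    return { ok: false, error: 'Permission denied to execute in target scope' };
  }
  return { ok: true, value: fn(scope) };
}

// Constructed sample: a scope belonging to one origin, and scripts from the
// same origin, a different origin, and chrome trying to execute into it.
function demo() {
  const ownerPrincipal = principalFromOrigin('http://site-a.example');
  const otherPrincipal = principalFromOrigin('http://site-b.example');
  const scope = { principal: ownerPrincipal, secret: 'constructed-value' };
  return {
    sameOrigin: checkedExec(ownerPrincipal, scope, s => s.secret),
    crossOrigin: checkedExec(otherPrincipal, scope, s => s.secret),
    chrome: checkedExec(SYSTEM, scope, s => s.secret),
  };
}
```

`demo()` returns the three outcomes side by side: the same-origin and system-principal execs succeed, the cross-origin exec is refused before the supplied function runs.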

Comment 11 (Assignee), 12 years ago

Checked into MOZILLA_1_8_BRANCH.
Keywords: fixed1.8

Updated, 12 years ago

Flags: testcase+

Comment 12, 12 years ago

Comment on attachment 198888 [details] [diff] [review]
This should really do it.

Do we need this patch on old branches if we're going with mrbkap's splitwindow alternative?
Attachment #198888 - Flags: approval1.7.13?
Attachment #198888 - Flags: approval-aviary1.0.8?

Comment 13, 12 years ago

Fixed on the aviary1.0/mozilla1.7 branches by the split-window alternative (bug 316589)
Keywords: fixed-aviary1.0.8, fixed1.7.13

Comment 14, 12 years ago

Comment on attachment 198888 [details] [diff] [review]
This should really do it.

No longer needed on old branches with split-windows alternative
Attachment #198888 - Flags: approval1.7.13?
Attachment #198888 - Flags: approval1.7.13-
Attachment #198888 - Flags: approval-aviary1.0.8?
Attachment #198888 - Flags: approval-aviary1.0.8-

Comment 15, 12 years ago

v.fixed on 1.0.1 Aviary branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060220 Firefox/1.0.8, permission denied with cookie testcase.
Keywords: fixed-aviary1.0.8 → verified-aviary1.0.8
Group: security

Updated, 10 years ago

Flags: in-testsuite+ → in-testsuite?