Bug 311619 - Fix for Bug 311024 does not block (new Script(code)).exec(window)
Status: RESOLVED FIXED
Whiteboard: [sg:high] xss (splitwindows)
Keywords: fixed1.7.13, fixed1.8
Product: Core
Classification: Components
Component: Security
Version: Trunk
Platform: x86 Windows XP
Importance: -- normal
Assigned To: Blake Kaplan (:mrbkap)
Depends on: splitwindows
Blocks: 311024
Reported: 2005-10-07 20:59 PDT by moz_bug_r_a4
Modified: 2007-04-01 15:25 PDT
Flags:
dveditz: blocking1.7.13+
dveditz: blocking-aviary1.0.8+
brendan: blocking1.8rc1+
bob: in-testsuite?


Attachments
testcase - steal cookie (573 bytes, text/html), 2005-10-07 21:02 PDT, moz_bug_r_a4, no flags
Wrong patch file (980 bytes, patch), 2005-10-07 21:47 PDT, Blake Kaplan (:mrbkap), no flags
This should really do it. (1.39 KB, patch), 2005-10-07 21:48 PDT, Blake Kaplan (:mrbkap), flags: brendan: review+, dveditz: approval-aviary1.0.8-, dveditz: approval1.7.13-, brendan: approval1.8rc1+

Description moz_bug_r_a4 2005-10-07 20:59:16 PDT
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050916
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051007 Firefox/1.6a1

I've tested on the hourly build 2005100718 that includes the fix for Bug 311024.
(new Script(code)).exec(window) is still executed with the outer window scope.

Reproducible: Always

Steps to Reproduce:
Comment 1 moz_bug_r_a4 2005-10-07 21:02:45 PDT
Created attachment 198885 [details]
testcase - steal cookie
Comment 2 Daniel Veditz [:dveditz] 2005-10-07 21:18:39 PDT
Blake may have caught this when working on bug 311025 and/or bug 311403 (see bug
311025 comment 12), or at least we noticed some inconsistency when I was
reviewing one of the patches.
Comment 3 Blake Kaplan (:mrbkap) 2005-10-07 21:45:51 PDT
I missed script_exec, patch soon.
Comment 4 Blake Kaplan (:mrbkap) 2005-10-07 21:47:19 PDT
Created attachment 198887 [details] [diff] [review]
Wrong patch file
Comment 5 Blake Kaplan (:mrbkap) 2005-10-07 21:47:44 PDT
Comment on attachment 198887 [details] [diff] [review]
Wrong patch file

Sorry, wrong patch.
Comment 6 Blake Kaplan (:mrbkap) 2005-10-07 21:48:14 PDT
Created attachment 198888 [details] [diff] [review]
This should really do it.
Comment 7 Daniel Veditz [:dveditz] 2005-10-08 15:23:54 PDT
The 1.0 branch will also need this fix.
Comment 8 Blake Kaplan (:mrbkap) 2005-10-09 00:50:51 PDT
Fix checked into trunk.

Dan, this is a splitwindow sort of fix. Porting it to 1.0.x might be hard. Do I
need to look into a 1.0.x fix for this?
Comment 9 Daniel Veditz [:dveditz] 2005-10-09 11:18:04 PDT
(In reply to comment #8)
> Dan, this is a splitwindow sort of fix. Porting it to 1.0.x might be hard. Do I
> need to look into a 1.0.x fix for this?

Not now. I've linked it to the splitwindows bug and we'll deal with backporting
those as a group when it's done and we round up the manpower to do it.

Comment 10 Brendan Eich [:brendan] 2005-10-09 13:05:37 PDT
(In reply to comment #8)
> Fix checked into trunk.
> 
> Dan, this is a splitwindow sort of fix. Porting it to 1.0.x might be hard. Do I
> need to look into a 1.0.x fix for this?

Is there an exploit based on this bug's testcase that works in 1.0.x?  Please
attach a testcase demonstrating that attack, if possible.  I thought this bug
and bug 311024 were predicated on split windows.  We have already added
principals subsumption tests to 1.0.x and 1.7.y to handle eval and Script.

Say this bug does bite 1.0.x.  If we do not backport all of the split window
work, we might instead try to do something that will hurt performance, and that
doesn't fix all non-security bugs, but that does ensure security -- something
like adding principals holding and dropping to cloned function objects.  That
could hurt DHTML or AJAX perf, for sure.  It might be enough to ensure security,
and it would be a smaller patch.  Comments?

/be
Comment 11 Blake Kaplan (:mrbkap) 2005-10-11 14:58:56 PDT
Checked into MOZILLA_1_8_BRANCH.
Comment 12 Daniel Veditz [:dveditz] 2006-02-06 12:36:50 PST
Comment on attachment 198888 [details] [diff] [review]
This should really do it.

Do we need this patch on old branches if we're going with mrbkap's splitwindow alternative?
Comment 13 Daniel Veditz [:dveditz] 2006-02-06 19:30:01 PST
Fixed on the aviary1.0/mozilla1.7 branches by the split-window alternative (bug 316589)
Comment 14 Daniel Veditz [:dveditz] 2006-02-07 15:24:04 PST
Comment on attachment 198888 [details] [diff] [review]
This should really do it.

No longer needed on old branches with split-windows alternative
Comment 15 Jay Patel [:jay] 2006-02-20 16:22:49 PST
v.fixed on 1.0.1 Aviary branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060220 Firefox/1.0.8, permission denied with cookie testcase.