311619 - Fix for Bug 311024 does not block (new Script(code)).exec(window)

Status: RESOLVED FIXED

(Core :: Security, defect)

Description

[moz_bug_r_a4]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050916
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051007 Firefox/1.6a1

I've tested on the hourly build 2005100718 that includes the fix for Bug 311024.
(new Script(code)).exec(window) is still executed with the outer window scope.

Reproducible: Always

Steps to Reproduce:

Comment 1

[moz_bug_r_a4]

Attachment: testcase - steal cookie

Comment 2

[Daniel Veditz [:dveditz]]

Blake may have caught this when working on bug 311025 and/or bug 311403 (see bug
311025 comment 12), or at least we noticed some inconsistency when I was
reviewing one of the patches.

Comment 3

[Blake Kaplan (:mrbkap) (inactive)]

I missed script_exec, patch soon.

Comment 4

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Wrong patch file

Comment 5

[Blake Kaplan (:mrbkap) (inactive)]

Comment on attachment 198887 [details] [diff] [review]
Wrong patch file

Sorry, wrong patch.

Comment 6

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: This should really do it.

Comment 7

[Daniel Veditz [:dveditz]]

The 1.0 branch will also need this fix

Comment 8

[Blake Kaplan (:mrbkap) (inactive)]

Fix checked into trunk.

Dan, this is a splitwindow sort of fix. Porting it to 1.0.x might be hard. Do I
need to look into a 1.0.x fix for this?

Comment 9

[Daniel Veditz [:dveditz]]

(In reply to comment #8)
> Dan, this is a splitwindow sort of fix. Porting it to 1.0.x might be hard. Do I
> need to look into a 1.0.x fix for this?

Not now. I've linked it to the splitwindows bug and we'll deal with backporting
those as a group when it's done and we round up the manpower to do it.

Comment 10

[Brendan Eich [:brendan]]

(In reply to comment #8)
> Fix checked into trunk.
> 
> Dan, this is a splitwindow sort of fix. Porting it to 1.0.x might be hard. Do I
> need to look into a 1.0.x fix for this?

Is there an exploit based on this bug's testcase that works in 1.0.x?  Please
attach a testcase demonstrating that attack, if possible.  I thought this bug
and bug 311024 were predicated on split windows.  We have already added
principals subsumption tests to 1.0.x and 1.7.y to handle eval and Script.

Say this bug does bite 1.0.x.  If we do not backport all of the split window
work, we might instead try to do something that will hurt performance, and that
doesn't fix all non-security bugs, but that does ensure security -- something
like adding principals holding and dropping to cloned function objects.  That
could hurt DHTML or AJAX perf, for sure.  It might be enough to ensure security,
and it would be a smaller patch.  Comments?

/be

Comment 11

[Blake Kaplan (:mrbkap) (inactive)]

Checked into MOZILLA_1_8_BRANCH.

Comment 12

[Daniel Veditz [:dveditz]]

Comment on attachment 198888 [details] [diff] [review]
This should really do it.

Do we need this patch on old branches if we're going with mrbkap's splitwindow alternative?

Comment 13

[Daniel Veditz [:dveditz]]

Fixed on the aviary1.0/mozilla1.7 branches by the split-window alternative (bug 316589)

Comment 14

[Daniel Veditz [:dveditz]]

Comment on attachment 198888 [details] [diff] [review]
This should really do it.

No longer needed on old branches with split-windows alternative

Comment 15

[Jay Patel [:jay]]

v.fixed on 1.0.1 Aviary branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060220 Firefox/1.0.8, permission denied with cookie testcase.