Bug 313724 (Closed): opened 14 years ago, closed 14 years ago

Scripts can nullify explicit local roots by setting caller.arguments[n]

Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Reporter: jruderman
Assigned: brendan

Keywords: fixed-aviary1.0.8, fixed1.7.13, fixed1.8
Whiteboard: [sg:critical?]

Attachments: 2 files

Some explicit local roots are available to scripts through caller.arguments[n] (see bug 313370 comment 8).  Furthermore, scripts can modify caller.arguments[n], nullifying such a local root.  The resulting lack of a local root creates the potential for a security hole (see bug 311497 comment 10).
Attached patch: brendan's patch
"Prevent setting args of natives (natives are what use local roots)"

Checked into trunk and MOZILLA_1_8_BRANCH half an hour ago.  This is the MOZILLA_1_8_BRANCH version of the patch.
Status: NEW → RESOLVED
Closed: 14 years ago
Keywords: fixed1.8
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → FIXED
Whiteboard: [sg:critical?]
Flags: blocking1.8rc1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Needs to go in the "security" suite, not the js test library.
Flags: testcase?
Comment on attachment 211457
backported for the 1.7 branch

r=me, didn't seem hard ;-).

/be
Attachment #211457 - Flags: review?(brendan) → review+
Comment on attachment 211457
backported for the 1.7 branch

a=timr for drivers
Attachment #211457 - Flags: approval1.7.13+
Attachment #211457 - Flags: approval-aviary1.0.8+
Fixed version of the patch checked into the 1.7 branches.
QA could use some help with the best way to verify this bug for 1.0.8. Thanks.
(In reply to comment #7)
> QA could use some help with the best way to verify this bug for 1.0.8. Thanks.

Jesse mentioned that we don't have a test case for this and he wasn't certain how to put one together, so doubtful QA can verify this bug.

Group: security
Flags: in-testsuite? → in-testsuite-