Scripts can nullify explicit local roots by setting caller.arguments[n]

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Reported: 12 years ago
Modified: 11 years ago

People
Reporter: Jesse Ruderman
Assigned: brendan

Tracking
Keywords: fixed-aviary1.0.8, fixed1.7.13, fixed1.8
Version: Trunk
Points: ---
Bug Flags:
blocking1.7.13 +
blocking-aviary1.0.8 +
blocking1.8rc1 +
in-testsuite -

Firefox Tracking Flags: (Not tracked)

Details
Whiteboard: [sg:critical?]

Attachments: 2 attachments

Description (Reporter, 12 years ago)
Some explicit local roots are available to scripts through caller.arguments[n] (see bug 313370 comment 8).  Furthermore, scripts can modify caller.arguments[n], nullifying such a local root.  The resulting lack of a local root creates the potential for a security hole (see bug 311497 comment 10).

Comment 1 (Reporter, 12 years ago)
Created attachment 200717 [details] [diff] [review]
brendan's patch

"Prevent setting args of natives (natives are what use local roots)"

Checked into trunk and MOZILLA_1_8_BRANCH half an hour ago.  This is the MOZILLA_1_8_BRANCH version of the patch.

Updated (Reporter, 12 years ago)
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Keywords: fixed1.8
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → FIXED
Whiteboard: [sg:critical?]
Flags: blocking1.8rc1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+

Comment 2 (12 years ago)
needs to go in the "security" suite, not the js test library.

Updated (12 years ago)
Flags: testcase?

Comment 3
Created attachment 211457 [details] [diff] [review]
backported for the 1.7 branch
Attachment #211457 - Flags: review?(brendan)

Comment 4 (Assignee, 12 years ago)
Comment on attachment 211457 [details] [diff] [review]
backported for the 1.7 branch

r=me, didn't seem hard ;-).

/be
Attachment #211457 - Flags: review?(brendan) → review+

Comment 5 (12 years ago)
Comment on attachment 211457 [details] [diff] [review]
backported for the 1.7 branch

a=timr for drivers
Attachment #211457 - Flags: approval1.7.13+
Attachment #211457 - Flags: approval-aviary1.0.8+

Comment 6
Fixed version of the patch checked into the 1.7 branches.
Keywords: fixed-aviary1.0.8, fixed1.7.13

Comment 7
QA could use some help with the best way to verify this bug for 1.0.8. Thanks.

Comment 8
Jesse mentioned that we don't have a test case for this and he wasn't certain how to put one together, so doubtful QA can verify this bug.

Comment 9
(In reply to comment #7)
> QA could use some help with the best way to verify this bug for 1.0.8. Thanks.
> 

Group: security

Updated (11 years ago)
Flags: in-testsuite? → in-testsuite-