Bug 313724
Opened 19 years ago
Closed 19 years ago
Scripts can nullify explicit local roots by setting caller.arguments[n]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: brendan)
Details
(Keywords: fixed-aviary1.0.8, fixed1.7.13, fixed1.8, Whiteboard: [sg:critical?])
Attachments
(2 files)
977 bytes, patch
1.21 KB, patch (brendan: review+, timr: approval-aviary1.0.8+, timr: approval1.7.13+)
Some explicit local roots are available to scripts through caller.arguments[n] (see bug 313370 comment 8). Furthermore, scripts can modify caller.arguments[n], nullifying such a local root. The resulting lack of a local root creates the potential for a security hole (see bug 311497 comment 10).
Reporter
Comment 1 • 19 years ago
"Prevent setting args of natives (natives are what use local roots)"
Checked into trunk and MOZILLA_1_8_BRANCH half an hour ago. This is the MOZILLA_1_8_BRANCH version of the patch.
Reporter
Updated • 19 years ago
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → FIXED
Whiteboard: [sg:critical?]
Updated • 19 years ago
Flags: blocking1.8rc1+
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Comment 2 • 19 years ago
needs to go in the "security" suite, not the js test library.
Updated • 19 years ago
Flags: testcase?
Comment 3 • 19 years ago
Attachment #211457 - Flags: review?(brendan)
Assignee
Comment 4 • 19 years ago
Comment on attachment 211457
backported for the 1.7 branch
r=me, didn't seem hard ;-).
/be
Attachment #211457 - Flags: review?(brendan) → review+
Comment 5 • 19 years ago
Comment on attachment 211457
backported for the 1.7 branch
a=timr for drivers
Attachment #211457 - Flags: approval1.7.13+
Attachment #211457 - Flags: approval-aviary1.0.8+
Comment 6 • 19 years ago
Fixed version of the patch checked into the 1.7 branches.
Keywords: fixed-aviary1.0.8, fixed1.7.13
Comment 7 • 19 years ago
QA could use some help with the best way to verify this bug for 1.0.8. Thanks.
Comment 8 • 19 years ago
Jesse mentioned that we don't have a test case for this and he wasn't certain how to put one together, so doubtful QA can verify this bug.
(In reply to comment #7)
> QA could use some help with the best way to verify this bug for 1.0.8. Thanks.
Updated • 19 years ago
Group: security
Updated • 19 years ago
Flags: in-testsuite? → in-testsuite-