Bug 313724 - Scripts can nullify explicit local roots by setting caller.arguments[n]
Status: RESOLVED FIXED
Whiteboard: [sg:critical?]
Keywords: fixed-aviary1.0.8, fixed1.7.13, fixed1.8
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All / All
Importance: -- normal
Target Milestone: ---
Assigned To: Brendan Eich [:brendan]
Reported: 2005-10-25 02:20 PDT by Jesse Ruderman
Modified: 2006-06-16 18:03 PDT
dveditz: blocking1.7.13+
dveditz: blocking-aviary1.0.8+
dveditz: blocking1.8rc1+
bob: in-testsuite-

Attachments
brendan's patch (977 bytes, patch)
2005-10-25 02:26 PDT, Jesse Ruderman
no flags
backported for the 1.7 branch (1.21 KB, patch)
2006-02-10 19:32 PST, Blake Kaplan (:mrbkap)
brendan: review+
timr: approval-aviary1.0.8+
timr: approval1.7.13+

Description Jesse Ruderman 2005-10-25 02:20:01 PDT
Some explicit local roots are available to scripts through caller.arguments[n] (see bug 313370 comment 8).  Furthermore, scripts can modify caller.arguments[n], nullifying such a local root.  The resulting lack of a local root creates the potential for a security hole (see bug 311497 comment 10).
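The hazard the description points at, as a constructed model added here (not SpiderMonkey code and not part of this bug's attachments): a native copies argv[0] into a raw C local, script reaches the same slot through caller.arguments[0] and nulls it, and the next collection reclaims the object the native is still about to use. The root array, the Frame struct, set_caller_arg and run_scenario are all invented for the illustration; the hardened branch applies the rule in brendan's patch, refusing writes to a native frame's arguments, which is what keeps the root intact.

```c
/* Constructed model of the root-nulling hazard; not SpiderMonkey code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define HEAP_SLOTS 8
#define ROOT_SLOTS 4

typedef struct Obj {
    int value;
    bool live;    /* cleared when the collector reclaims the slot */
    bool marked;
} Obj;

static Obj heap[HEAP_SLOTS];

/* Explicit local roots. A native's argv aliases a run of these slots, so
 * whatever sits in argv[n] stays alive for as long as the native runs. */
static Obj *roots[ROOT_SLOTS];
static int nroots;

typedef struct Frame {
    bool is_native;
    Obj **argv;   /* for a native frame this points into roots[] */
    int argc;
} Frame;

static Obj *alloc_obj(int value) {
    for (int i = 0; i < HEAP_SLOTS; i++) {
        if (!heap[i].live) {
            heap[i] = (Obj){ .value = value, .live = true, .marked = false };
            return &heap[i];
        }
    }
    return NULL;
}

/* Mark from the root array only and sweep everything else. A pointer the
 * native stashed in a C local is invisible here, exactly as in a real engine. */
static void gc(void) {
    for (int i = 0; i < HEAP_SLOTS; i++) heap[i].marked = false;
    for (int i = 0; i < nroots; i++) if (roots[i]) roots[i]->marked = true;
    for (int i = 0; i < HEAP_SLOTS; i++)
        if (heap[i].live && !heap[i].marked) heap[i].live = false;
}

/* Script-side write to caller.arguments[n] (hypothetical helper).
 * Unhardened: any caller's argv is writable. Hardened, the rule the patch
 * adds: refuse when the caller is a native, because a native's argv slots
 * double as GC roots. Returns whether the write went through. */
static bool set_caller_arg(Frame *caller, int n, Obj *v, bool hardened) {
    if (n < 0 || n >= caller->argc) return false;
    if (hardened && caller->is_native) return false;
    caller->argv[n] = v;
    return true;
}

/* A native that keeps a raw copy of argv[0], calls back into script (which
 * gets to touch caller.arguments), then uses the copy. Returns the object's
 * value, or -1 if the object was collected underneath it. */
static int native_use_arg(Frame *self, bool hardened) {
    Obj *held = self->argv[0];                 /* raw copy, not itself a root */
    set_caller_arg(self, 0, NULL, hardened);   /* script: caller.arguments[0] = null */
    gc();                                      /* any allocation in script can trigger this */
    return held->live ? held->value : -1;
}

/* Whole scenario: 42 when the root survived, -1 on the use-after-free. */
int run_scenario(bool hardened) {
    nroots = 0;
    for (int i = 0; i < HEAP_SLOTS; i++) heap[i].live = false;
    Obj *arg = alloc_obj(42);
    Frame native = { .is_native = true, .argv = &roots[nroots], .argc = 1 };
    roots[nroots++] = arg;   /* argv[0] is rooted only because it lives in roots[] */
    return native_use_arg(&native, hardened);
}

int main(void) {
    printf("unhardened: %d\n", run_scenario(false));  /* -1: root nulled, object reclaimed */
    printf("hardened:   %d\n", run_scenario(true));   /* 42: write refused, root intact */
    return 0;
}
```

In a real engine the sweep frees the memory rather than clearing a flag, so the -1 case is a dangling pointer in native code, which is why the bug carries sg:critical; the model keeps the slot readable so the outcome can be observed instead of crashing.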
Comment 1 Jesse Ruderman 2005-10-25 02:26:24 PDT
Created attachment 200717: brendan's patch

"Prevent setting args of natives (natives are what use local roots)"

Checked into trunk and MOZILLA_1_8_BRANCH half an hour ago.  This is the MOZILLA_1_8_BRANCH version of the patch.
Comment 2 Bob Clary [:bc:] 2005-12-23 17:35:01 PST
needs to go in the "security" suite, not the js test library.
Comment 3 Blake Kaplan (:mrbkap) 2006-02-10 19:32:50 PST
Created attachment 211457: backported for the 1.7 branch
Comment 4 Brendan Eich [:brendan] 2006-02-10 23:22:28 PST
Comment on attachment 211457: backported for the 1.7 branch

r=me, didn't seem hard ;-).

/be
Comment 5 Tim Riley [:timr] 2006-02-13 16:57:31 PST
Comment on attachment 211457: backported for the 1.7 branch

a=timr for drivers
Comment 6 Blake Kaplan (:mrbkap) 2006-02-13 17:41:27 PST
Fixed version of the patch checked into the 1.7 branches.
Comment 7 Marcia Knous [:marcia - use ni] 2006-02-16 17:09:02 PST
QA could use some help with the best way to verify this bug for 1.0.8. Thanks.
Comment 8 Marcia Knous [:marcia - use ni] 2006-02-21 14:27:38 PST
Jesse mentioned that we don't have a test case for this and he wasn't certain how to put one together, so doubtful QA can verify this bug.

(In reply to comment #7)
> QA could use some help with the best way to verify this bug for 1.0.8. Thanks.