Closed Bug 314865 Opened 19 years ago Closed 19 years ago

evalInSandbox()'s security is broken

Categories

(Core :: XPConnect, defect)

x86
Windows 98
defect
Not set
major

Tracking

VERIFIED FIXED

People

(Reporter: sync2d, Assigned: dbradley)

Details

(Keywords: fixed1.8, Whiteboard: [sg:critical] why we 313220; not in ff1.0/moz1.7)

Attachments

(1 file)

See bug 313220 comment 3.
I am filing this bug for recording purposes.
The underlying problem is already fixed on trunk,
and the patch is waiting to be approved for the 1.8 branch.

Steps:
1. install Greasemonkey 0.6.3.
http://www.mozdev.org/pipermail/greasemonkey/2005-October/006356.html
2. install the attached userscript.
3. browse http://www.mozilla.org/hackme

NOTE: This is a Core/XPConnect problem which is exposed by Greasemonkey.
Attached file testcase userscript
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20051102 Firefox/1.6a1
(nightly 2005110205) => alerts "[object nsXPCComponents_Classes]"

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20051102 Firefox/1.6a1
(hourly 2005110217) => "Error: uncaught exception: Permission denied
to get property UnnamedClass.classes" in the JS console

I'm going to mark this as FIXED and fixed1.8 since the patch to fix this has been checked in everywhere. shutdown, please correct me if I'm wrong in doing so, and thanks for filing this.
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
Blocks: sbb?
Depends on: 313220
Flags: blocking1.8rc2?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8+
Whiteboard: why we need the 313220 fix
flag cleanup for a bug we already took on the branch.
Flags: blocking1.8rc2?
The 1.0 branch with greasemonkey 0.5.3 does not appear to be vulnerable, moving back to "nominated" status for now. After we backport some other eval fixes we may in fact end up needing this.
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Whiteboard: why we need the 313220 fix → [sg:critical] why we need the 313220 fix
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Flags: testcase-
Is there something here that still needs to be addressed for aviary1.0.8? Does the patch from 313220 need to be applied to that branch?
I just spent a while with mrbkap going through this and bug 313220 in light of the older branches and we're convinced we can pass on this one.

GreaseMonkey cannot be exploited in 1.0 because the 1.0-compatible GM doesn't use this feature.

The other known evalInSandbox() consumer, proxyAutoConfig, doesn't expose anything that can be exploited in this way. In addition, the PAC context doesn't expose the Components object so a script can't instantiate and use arbitrary components even if it did have the permissions.
Flags: blocking1.7.13-
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8-
Flags: blocking-aviary1.0.8+
Whiteboard: [sg:critical] why we need the 313220 fix → [sg:critical] why we 313220; not in ff1.0/moz1.7
Group: security
Marking this as verified based on comments and the length of time (over five years) since the fix was taken.
Status: RESOLVED → VERIFIED