Bug 314865 - evalInSandbox()'s security is broken
Status: Closed (VERIFIED FIXED)
Opened 19 years ago; Closed 19 years ago
Categories: Core :: XPConnect, defect
People: Reporter: sync2d, Assigned: dbradley
Keywords: fixed1.8; Whiteboard: [sg:critical] why we 313220; not in ff1.0/moz1.7
Attachments (1 file): 309 bytes, text/javascript
See bug 313220 comment 3.
I am filing this bug for the record.
The underlying problem is already fixed on trunk,
and the patch is waiting to be approved for the b1.8 branch.
Steps:
1. install Greasemonkey 0.6.3.
http://www.mozdev.org/pipermail/greasemonkey/2005-October/006356.html
2. install the attached userscript.
3. browse http://www.mozilla.org/hackme
NOTE: This is a Core/XPConnect problem which is exposed by Greasemonkey.
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20051102 Firefox/1.6a1 (nightly 2005110205) => alerts "[object nsXPCComponents_Classes]"
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.9a1) Gecko/20051102 Firefox/1.6a1 (hourly 2005110217) => "Error: uncaught exception: Permission denied to get property UnnamedClass.classes" in the JS console
Comment 2•19 years ago
I'm going to mark this as FIXED and fixed1.8 since the patch to fix this has been checked in everywhere. shutdown, please correct me if I'm wrong in doing so, and thanks for filing this.
Updated•19 years ago
Comment 3•19 years ago
Flag cleanup for a bug we already took on the branch.
Flags: blocking1.8rc2?
Comment 4•19 years ago
The 1.0 branch with greasemonkey 0.5.3 does not appear to be vulnerable, moving back to "nominated" status for now. After we backport some other eval fixes we may in fact end up needing this.
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Whiteboard: why we need the 313220 fix → [sg:critical] why we need the 313220 fix
Updated•19 years ago
Flags: blocking1.7.13?
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8+
Updated•19 years ago
Flags: testcase-
Comment 5•19 years ago
Is there something here that still needs to be addressed for aviary1.0.8? Does the patch from 313220 need to be applied to that branch?
Comment 6•19 years ago
I just spent a while with mrbkap going through this and bug 313220 in light of the older branches and we're convinced we can pass on this one.
GreaseMonkey cannot be exploited in 1.0 because the 1.0-compatible GM doesn't use this feature.
The other known evalInSandbox() consumer, proxyAutoConfig, doesn't expose anything that can be exploited in this way. In addition, the PAC context doesn't expose the Components object so a script can't instantiate and use arbitrary components even if it did have the permissions.
Flags: blocking1.7.13-
Flags: blocking1.7.13+
Flags: blocking-aviary1.0.8-
Flags: blocking-aviary1.0.8+
Updated•19 years ago
Whiteboard: [sg:critical] why we need the 313220 fix → [sg:critical] why we 313220; not in ff1.0/moz1.7
Updated•19 years ago
Group: security
Comment 7•13 years ago
Marking this as verified based on the comments and the length of time (over five years) since the fix was taken.
Status: RESOLVED → VERIFIED