Closed Bug 327063 Opened 15 years ago Closed 15 years ago

nsXFormsUtils::CheckSameOrigin should use the principal's URI, not the document's

Categories

(Core Graveyard :: XForms, defect)

x86
Linux
defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bzbarsky, Assigned: doronr)

Details

(Keywords: fixed1.8.0.2, fixed1.8.1, Whiteboard: [sg:nse])

Attachments

(1 file)

When doing security checks, you want to use the URI (or domain? not sure; no one's ever clearly explained the difference to me) from the principal, not the document's URI.  nsXFormsUtils::CheckSameOrigin passes the document URI as the URI to the permission manager, however.

This can definitely lead to things not getting the permissions they should (eg with data: URIs).

It can also lead to privilege escalation once we have non-principals in place.
Attached patch like this?Splinter Review
Assignee: aaronr → doronr
Status: NEW → ASSIGNED
Attachment #211786 - Flags: review?
Attachment #211786 - Flags: review? → review?(bzbarsky)
Comment on attachment 211786 [details] [diff] [review]
like this?

Like I said, I don't know whether you want GetURI or GetDomain.  I suggest asking someone who knows the difference (caillon? dveditz?) for review.
Attachment #211786 - Flags: review?(bzbarsky)
Comment on attachment 211786 [details] [diff] [review]
like this?

is this really a security issue though?
Attachment #211786 - Flags: review?(dveditz)
If it's not one now (which is possible, I guess), it sure will be one once bug 326506 lands!
Comment on attachment 211786 [details] [diff] [review]
like this?

r=dveditz
Yeah, this is what we want.
Attachment #211786 - Flags: review?(dveditz) → review+
Attachment #211786 - Flags: review?(allan)
Attachment #211786 - Flags: review?(allan) → review+
checked into trunk
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Fixed on 1.8 branch.  Does this need to go into 1.8.0?
Keywords: fixed1.8.1
Comment on attachment 211786 [details] [diff] [review]
like this?

a=mkaply
Attachment #211786 - Flags: approval1.8.0.2+
Keywords: fixed1.8.0.2
I don't believe this was a security issue absent changes that haven't yet happened. What might happen with a non-http/ftp base URL is that there will be no host part, so the Permission Manager should not have an "approval" entry for it. The failure mode would seem to be that we'll block valid connections (data urls would appear to have no host) and not allowing connections we shouldn't.
Whiteboard: [sg:nse]
Group: security
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.