Closed Bug 333539 Opened 18 years ago Closed 17 years ago

[1.0.x] Fix for Bug 293527 can be circumvented by using <object> element

Categories

(Core :: Security, defect, P5)

1.7 Branch
defect


RESOLVED WONTFIX

People

(Reporter: moz_bug_r_a4, Unassigned)

Details

(Whiteboard: [sg:low spoof] aviary1.0/moz1.7 only)

Attachments

(2 files)

This is a variant of Bug 333428.

  <object id="o" type="image/png" data="a.png"></object>
  <script>
    o.data = "http://otherdomain/x.exe";
  </script>

Changing an <object>'s .data property does not trigger a new image load.
Thus, the state of .onLoadedImage does not change.
Attached file testcase
> o.data = "http://otherdomain/x.exe";

Ah, please ignore "otherdomain".  I inadvertently copied and pasted from Bug 333428.
Flags: blocking1.7.14?
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.9?
Flags: blocking-aviary1.0.8?
Whiteboard: aviary1.0/moz1.7 only
Attached patch patch
I think this fixes this bug without regressing any of the other bugs, but I need to test more. At this point, I don't think this should block 1.0.8: it's a case of bug 293527 that's still present, but I don't think that bug is severe enough that it should block 1.0.8, especially considering the arbitrary code execution vulnerability that was fixed in bug 333305.
Assignee: dveditz → gavin.sharp
Status: NEW → ASSIGNED
Priority: -- → P5
Flags: blocking1.7.13?
Flags: blocking1.7.13-
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8-
Whiteboard: aviary1.0/moz1.7 only → [sg:low spoof] aviary1.0/moz1.7 only
Looks good ... so far no regressions. Who will take care of advisories etc. for such 1.0.x-only issues?

Daniel, are there other issues for 1.5.0.4 that we (vendors) might want to backport to 1.0.x branch?
Summary: Fix for Bug 293527 can be circumvented by using <object> element → [1.0.x] Fix for Bug 293527 can be circumvented by using <object> element
Chris, can you please review/checkin? I would like to take this for 1.0.9/1.7.14.
Assignee: gavin.sharp → nobody
Status: ASSIGNED → NEW
Sounds like this is WONTFIX, given that it only affects a now-unsupported branch.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Group: security