Closed
Bug 333539
Opened 18 years ago
Closed 17 years ago
[1.0.x] Fix for Bug 293527 can be circumvented by using <object> element
Categories: (Core :: Security, defect, P5)
Tracking: RESOLVED WONTFIX
People: (Reporter: moz_bug_r_a4, Unassigned)
Details: (Whiteboard: [sg:low spoof] aviary1.0/moz1.7 only)
Attachments (2 files): 420 bytes, text/html; 3.71 KB, patch
This is a variant of Bug 333428.

<object id="o" type="image/png" data="a.png">
o.data = "http://otherdomain/x.exe";

Changing an <object>'s .data property does not trigger a new image loading. Thus, the state of .onLoadedImage does not change.
Reporter
Comment 1•18 years ago
Reporter
Comment 2•18 years ago
> o.data = "http://otherdomain/x.exe";
Ah, please ignore "otherdomain". I inadvertently did copy and paste from Bug 333428.
Updated•18 years ago
Flags: blocking1.7.14?
Flags: blocking1.7.13?
Flags: blocking-aviary1.0.9?
Flags: blocking-aviary1.0.8?
Whiteboard: aviary1.0/moz1.7 only
Comment 3•18 years ago
I think this fixes this bug without regressing any of the other bugs, but I need to test more. At this point, I don't think this should block 1.0.8: it's a case of bug 293527 that's still present, but I don't think that bug is severe enough that it should block 1.0.8, especially considering the arbitrary code execution vulnerability that was fixed in bug 333305.
Assignee: dveditz → gavin.sharp
Status: NEW → ASSIGNED
Updated•18 years ago
Priority: -- → P5
Updated•18 years ago
Flags: blocking1.7.13?
Flags: blocking1.7.13-
Flags: blocking-aviary1.0.8?
Flags: blocking-aviary1.0.8-
Whiteboard: aviary1.0/moz1.7 only → [sg:low spoof] aviary1.0/moz1.7 only
Comment 4•18 years ago
Looks good ... so far no regressions. Who will take care of advisories etc. for such 1.0.x only issues? Daniel, are there other issues for 1.5.0.4 that we (vendors) might want to backport to 1.0.x branch?
Updated•18 years ago
Summary: Fix for Bug 293527 can be circumvented by using <object> element → [1.0.x] Fix for Bug 293527 can be circumvented by using <object> element
Comment 5•18 years ago
Chris, can you please review/checkin? I would like to take this for 1.0.9/1.7.14.
Updated•17 years ago
Assignee: gavin.sharp → nobody
Status: ASSIGNED → NEW
Comment 6•17 years ago
Sounds like this is WONTFIX, given that it only affects a now-unsupported branch.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Updated•17 years ago
Group: security