Closed
Bug 336313
Opened 19 years ago
Closed 19 years ago
Dynamic this binding is biting PAC
Categories
(Core :: Networking, defect, P1)
Core
Networking
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha1
People
(Reporter: mrbkap, Assigned: mrbkap)
References
()
Details
(Keywords: verified1.8.0.4, verified1.8.1, Whiteboard: [sg:moderate][patch])
Attachments
(1 file)
|
1.23 KB,
patch
|
darin.moz
:
review+
dveditz
:
superreview+
dveditz
:
approval-branch-1.8.1+
dveditz
:
approval1.8.0.4+
|
Details | Diff | Splinter Review |
I'm splitting this bug off of bug 321101 since there are two bugs reported there, and they're unrelated. This bug is about attachment 206496 [details], which I described as simple "highway robbery".
moz_bug_r_a4's clever testcase exploits the fact that when we call FindProxyForURL |this| is the nsProxyAutoConfig object itself and since there aren't any security checks once you're in JS-only land, the evil PAC script is able to trick the proxy auto config object into calling eval with its evil code (oh, how I hate seeing Components.stack in an alert ;-)).
|
Assignee | |
Updated•19 years ago
|
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: [patch]
|
|
Assignee | |
Comment 1•19 years ago
|
||
This is the smallest fix I can come up with for this bug. It uses Function.prototype.call to force the |this| object to be the sandbox object, so doing evil things to the |this| object doesn't end up in privilege escalation.
Attachment #220560 -
Flags: review?(darin)
|
|
Assignee | |
Comment 2•19 years ago
|
||
By the way, I also considered a patch to call this._sandBox.FindProxyForURL directly instead of storing the function in a member property; however, that would have changed behavior (if the PAC script did something weird), so I decided against it.
|
|
Assignee | |
Updated•19 years ago
|
Flags: blocking1.8.0.4?
|
||
Updated•19 years ago
|
Attachment #220560 -
Flags: review?(darin) → review+
|
|
Assignee | |
Updated•19 years ago
|
Attachment #220560 -
Flags: superreview?(dveditz)
|
||
Comment 3•19 years ago
|
||
Comment on attachment 220560 [details] [diff] [review]
Proposed minimal fix
sr=dveditz
approved for 1.8.0 branch, a=dveditz for drivers
Attachment #220560 -
Flags: superreview?(dveditz)
Attachment #220560 -
Flags: superreview+
Attachment #220560 -
Flags: approval1.8.0.4+
Attachment #220560 -
Flags: approval-branch-1.8.1+
|
|
||
Updated•19 years ago
|
Flags: blocking1.8.0.4? → blocking1.8.0.4+
|
|
Assignee | |
Comment 4•19 years ago
|
||
Fix checked in everywhere.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8.0.4,
fixed1.8.1
Resolution: --- → FIXED
|
|
||
Updated•19 years ago
|
Whiteboard: [patch] → [sg:moderate][patch]
|
||
Updated•19 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Updated•19 years ago
|
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
|
|
||
Updated•18 years ago
|
Group: security
|
||
Updated•18 years ago
|
Flags: in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•