Show Only This Frame XSS (SeaMonkey)

RESOLVED FIXED in seamonkey2.0

Status

Product: SeaMonkey
Component: Security
RESOLVED FIXED
Reported: 12 years ago
Modified: 3 years ago

People

(Reporter: dveditz, Assigned: neil@parkwaycc.co.uk)

Tracking

Version: 1.8 Branch
Target Milestone: seamonkey2.0
Bug Flags:
blocking1.7.14 ?
blocking-seamonkey1.0.2 +
blocking-seamonkey1.1a +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:moderate])

Attachments

(1 attachment, 2 obsolete attachments)

SeaMonkey-tracking pointer to bug 329468 -- see discussion and patches in that bug. This is a placeholder to allow me to set appropriate release flags since it is now no longer possible to have both Firefox and SeaMonkey blocking flags on the same bug, even a core bug.
Presumptively marking blocking for sm1.0.2 so this doesn't drop off the radar when I close the other bug.
Flags: blocking1.7.14?
Flags: blocking-seamonkey1.1a+
Flags: blocking-seamonkey1.0.2+
No longer depends on: 329468
Depends on: 329468
Whiteboard: [sg:moderate]
(Assignee)

Comment 2

11 years ago
Created attachment 257156 [details] [diff] [review]
Original patch

From bug 329468, but with case-insensitive regexp so as to correctly match any URIs which might be javascript or data.
Attachment #257156 - Flags: superreview?
Attachment #257156 - Flags: review?(cbiesinger)
(Assignee)

Comment 3

11 years ago
Geez, now bugzilla silently removes the requestee if they're not CC'd :-(
(Assignee)

Comment 4

11 years ago
Created attachment 257157 [details] [diff] [review]
With fixup

Because jag asked for it (although I fail to see why it's necessary).
Attachment #257157 - Flags: superreview?(jag)
Attachment #257157 - Flags: review?(cbiesinger)
(Assignee)

Comment 5

11 years ago
Comment on attachment 257157 [details] [diff] [review]
With fixup

>-        window.loadURI(this.target.ownerDocument.location.href);
>+        openTopWin( this.bgImageURL, this.target.ownerDocument.defaultView );
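Review bot: the `+` line passes `this.bgImageURL`, which by its name is the background-image URL from a neighbouring menu handler, where the frame's own URL belongs; the removed line loaded `this.target.ownerDocument.location.href`, so that value should be the first argument of `openTopWin` in the replacement.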
Whoops. Copy & paste error :-[
Attachment #257157 - Flags: superreview?(jag)
Attachment #257157 - Flags: superreview?(cbiesinger)
Attachment #257157 - Flags: review?(jag)
Attachment #257157 - Flags: review?(cbiesinger)
(Assignee)

Comment 6

11 years ago
Comment on attachment 257156 [details] [diff] [review]
Original patch

Fixing review flags here too.
Attachment #257156 - Flags: superreview?(cbiesinger)
Attachment #257156 - Flags: superreview?
Attachment #257156 - Flags: review?(jag)
Attachment #257156 - Flags: review?(cbiesinger)
Attachment #257156 - Flags: superreview?(cbiesinger) → superreview+
Comment on attachment 257157 [details] [diff] [review]
With fixup

whichever version you check in, please fix that copy/paste error :)
Attachment #257157 - Flags: superreview?(cbiesinger) → superreview+
Comment on attachment 257157 [details] [diff] [review]
With fixup

actually... you should probably pass 0 as flags, like docshell:
http://lxr.mozilla.org/seamonkey/source/docshell/base/nsDocShell.cpp#2760

Otherwise, a string "foo" would become "http://www.foo.com". While this may make no difference here, it still seems better to do the same as docshell (docshell only passes the alternate URI flag when the load failed).
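An added example, not code from the SeaMonkey patch, showing the two points raised in comment 2 and comment 8: a case-sensitive scheme check misses mixed-case javascript:/data: URIs, and a "fixup" step that guesses hostnames from bare words should be off when the input is supposed to be a frame's URL already. The function names, the constructed sample URLs, and the use of the WHATWG `URL` parser in place of nsIURIFixup are assumptions of this example.

```javascript
// Added example (not the SeaMonkey patch): scheme checks for a
// "Show Only This Frame"-style handler, written in plain JavaScript.

// A case-sensitive regexp of the kind comment 2 replaced: it lets
// "JavaScript:" and "Data:" through because it only matches lower case.
function naiveIsScriptURI(href) {
  return /^(javascript|data):/.test(href);
}

// Hardened check (assumed helper): case-insensitive, and tolerant of the
// leading whitespace and control characters that URL parsers strip before
// reading the scheme, so "\tJavaScript:..." is still recognised.
const SCRIPT_SCHEME = /^[\s\x00-\x1f]*(javascript|data):/i;
function isScriptURI(href) {
  return SCRIPT_SCHEME.test(String(href));
}

// Stand-in for nsIURIFixup called with FIXUP_FLAG_NONE (comment 9): no
// keyword or hostname guessing, so a bare word like "foo" is refused instead
// of silently becoming "http://www.foo.com". The WHATWG URL parser plays the
// role of the strict parser here; it throws on anything that is not an
// absolute URL.
function resolveFrameURI(href) {
  if (isScriptURI(href)) {
    return null; // never hand a script/data URI to the top-level window
  }
  try {
    return new URL(href).href; // absolute URL, normalised
  } catch (e) {
    return null; // relative text or a bare word: no fixup, so no load
  }
}
```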
(Assignee)

Comment 9

11 years ago
Created attachment 278232 [details] [diff] [review]
Addressed biesi's comments

* Fixed copy/paste error in previous patches
* Changed to use FIXUP_FLAG_NONE
* Changed to focus the content window
Attachment #257156 - Attachment is obsolete: true
Attachment #257157 - Attachment is obsolete: true
Attachment #278232 - Flags: superreview+
Attachment #278232 - Flags: review?(jag)
Attachment #257156 - Flags: review?(jag)
Attachment #257157 - Flags: review?(jag)

Comment 10

11 years ago
Comment on attachment 278232 [details] [diff] [review]
Addressed biesi's comments

+    var uriFixup = Components.classes["@mozilla.org/docshell/urifixup;1"]
+                            .getService(nsIURIFixup);
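Review bot: the continuation line `.getService(nsIURIFixup)` is indented past the start of `Components.classes[...]`; align the leading `.` under `Components` (or use the file's usual continuation indent) before check-in. Also confirm that `nsIURIFixup` is already defined in this file as shorthand for `Components.interfaces.nsIURIFixup`; otherwise the bare identifier fails with a ReferenceError when the menu item is used.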

Nit: indentation, just fix that before checking in.
Attachment #278232 - Flags: review?(jag) → review+
(Assignee)

Updated

11 years ago
Attachment #278232 - Flags: approval-seamonkey1.1.5?

Comment 11

9 years ago
Neil, has this landed anywhere yet?
(Assignee)

Comment 12

9 years ago
(In reply to comment #11)
> Neil, has this landed anywhere yet?
It landed on CVS trunk.

Comment 13

8 years ago
Neil, from what I see, with the EOLing of SeaMonkey 1.x, can we mark this one FIXED, as having landed on cvs trunk should mean it's also fixed in both comm-1.9.1 and comm-central, right?

Comment 14

8 years ago
Comment on attachment 278232 [details] [diff] [review]
Addressed biesi's comments

1.x has been EOLed, so canceling 1.1.5 approval request. Looks like I didn't see that one back then. :(
Attachment #278232 - Flags: approval-seamonkey1.1.5?
(Assignee)

Comment 15

8 years ago
Marking as fixed for 2.0 (well 1.5 really!)
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → seamonkey2.0
(Assignee)

Updated

6 years ago
Depends on: 738601

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release