Closed Bug 346664 Opened 18 years ago Closed 16 years ago
Arbitrary code execution with FireBug by using document.open or document.write
See also bug 344751. When document.open, or document.write on a document that has finished loading, is called by a script in a different security context, the document's principal is set to the caller's principal. In such a case, if there are references to objects/functions that were created in that document's context, then the references also get the caller's principal. This can be used to escalate privilege in a similar way to bug 344751.
This does not work with the proposed patch in bug 344495 applied.
Bug 344495 appears to be fixed. Wonder if we should close this bug?
I think that this bug is fixed. Please see bug 346663 comment #4 and #5.
Marking FIXED based on last comment and testcases working.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED