A part of the fix for bug 352124 can be circumvented

RESOLVED FIXED in Firefox 2

Status

()

Firefox
RSS Discovery and Preview
P1
normal
RESOLVED FIXED
12 years ago
9 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mano)

Tracking

({fixed1.8.1})

unspecified
Firefox 2
fixed1.8.1
Points:
---
Bug Flags:
blocking-firefox2 +
blocking1.8.0.8 -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] post FF1.5, testcase similar to 344494)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

12 years ago
1. Load a feed page in another window (W).
2. Create a FeedWiter object (F).
3. Call F.write(W).

From here on, F._window is W.  Thus, |if (!this._window)| test in handleEvent
method cannot block an exploit.

  frames[0].location = "feed url";
  f = new BrowserFeedWriter();
  try { f.write(frames[0]); } catch (e) {}
  f.QueryInterface(Components.interfaces.nsIDOMEventListener)
   .handleEvent(untrusted_object);
Flags: blocking-firefox2?
Created attachment 238985 [details] [diff] [review]
patch
Assignee: nobody → mano
Status: NEW → ASSIGNED
Attachment #238985 - Flags: review?(mconnor)
Attachment #238985 - Flags: approval1.8.1?
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → Firefox 2
Created attachment 238986 [details] [diff] [review]
patch

Actually, for the Observe method, the subject in the normal case is expected to be null, and we do use it. Also, content can pass a dom element here anyway, so |this._window| is the preferable check since then we would access the document of  a window which was considered safe for the write method.
Attachment #238985 - Attachment is obsolete: true
Attachment #238986 - Flags: review?(mconnor)
Attachment #238986 - Flags: approval1.8.1?
Attachment #238985 - Flags: review?(mconnor)
Attachment #238985 - Flags: approval1.8.1?
Comment on attachment 238986 [details] [diff] [review]
patch

ok, looks good from here, but let's get jst to SR as time is short.
Attachment #238986 - Flags: superreview?(jst)
Attachment #238986 - Flags: review?(mconnor)
Attachment #238986 - Flags: review+
Comment on attachment 238986 [details] [diff] [review]
patch

sr=jst
Attachment #238986 - Flags: superreview?(jst) → superreview+
Comment on attachment 238986 [details] [diff] [review]
patch

a=mconnor on behalf of drivers for 1.8 branch checkin
Attachment #238986 - Flags: approval1.8.1? → approval1.8.1+

Updated

12 years ago
Whiteboard: [checkin needed (1.8 branch)]
1.8:
mozilla/browser/components/feeds/src/FeedWriter.js 1.2.2.23
Keywords: fixed1.8.1
Whiteboard: [checkin needed (1.8 branch)]
trunk: mozilla/browser/components/feeds/src/FeedWriter.js 1.19
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Updated

12 years ago
Flags: blocking-firefox2? → blocking-firefox2+
Flags: blocking1.8.0.8-
Whiteboard: [sg:critical] post FF1.5
Group: security
Group: security
Whiteboard: [sg:critical] post FF1.5 → [sg:critical] post FF1.5, testcase similar to 344494
Group: core-security
You need to log in before you can comment on or make changes to this bug.