Closed
Bug 353117
Opened 18 years ago
Closed 18 years ago
A part of the fix for bug 352124 can be circumvented
Categories
(Firefox Graveyard :: RSS Discovery and Preview, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
Firefox 2
People
(Reporter: moz_bug_r_a4, Assigned: asaf)
Details
(Keywords: fixed1.8.1, Whiteboard: [sg:critical] post FF1.5, testcase similar to 344494)
Attachments
(1 file, 1 obsolete file)
patch (1.06 KB): mconnor: review+, jst: superreview+, mconnor: approval1.8.1+
1. Load a feed page in another window (W).
2. Create a FeedWriter object (F).
3. Call F.write(W).
From here on, F._window is W. Thus, the |if (!this._window)| test in the handleEvent
method cannot block an exploit.
frames[0].location = "feed url";
f = new BrowserFeedWriter();
try { f.write(frames[0]); } catch (e) {}
f.QueryInterface(Components.interfaces.nsIDOMEventListener)
.handleEvent(untrusted_object);
Flags: blocking-firefox2?
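The guard weakness described in this report, as an added illustration in plain JavaScript. It is a simplified model, not FeedWriter.js and not the patch attached to this bug; the class names, the sample objects and the ownerDocument comparison in the second class are assumptions.

```javascript
// Hypothetical model: a component whose event handler is guarded only by
// "has write() been called?". All names and objects here are constructed.
class PresenceGuardedWriter {
  constructor() { this._window = null; this.actions = []; }

  // Any caller holding the object can bind a window.
  write(win) { this._window = win; }

  // The guard checks that state exists, not where the event came from.
  handleEvent(event) {
    if (!this._window) return false;
    this.actions.push(event.target.action); // acts on caller-supplied data
    return true;
  }
}

// Assumed hardening: accept only events whose target belongs to the document
// of the window that write() bound; everything else is ignored.
class OriginCheckedWriter extends PresenceGuardedWriter {
  handleEvent(event) {
    if (!this._window) return false;
    const target = event && event.target;
    if (!target || target.ownerDocument !== this._window.document) return false;
    this.actions.push(target.action);
    return true;
  }
}

// Constructed stand-ins for a feed window, a genuine event from that window's
// document, and an object handed in directly by the caller.
function demo(WriterClass) {
  const doc = { name: "feed document" };
  const feedWindow = { document: doc };
  const genuine = { target: { ownerDocument: doc, action: "subscribe" } };
  const callerSupplied = { target: { ownerDocument: {}, action: "anything" } };

  const w = new WriterClass();
  const beforeWrite = w.handleEvent(callerSupplied); // no window bound yet
  w.write(feedWindow);
  return {
    beforeWrite,
    genuine: w.handleEvent(genuine),
    callerSupplied: w.handleEvent(callerSupplied),
    actions: w.actions,
  };
}
```

Comparing `demo(PresenceGuardedWriter)` with `demo(OriginCheckedWriter)` shows that both reject the call made before `write()`, but only the second rejects the caller-supplied object afterwards.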
Comment 2•18 years ago (Assignee)
Assignee: nobody → mano
Status: NEW → ASSIGNED
Attachment #238985 - Flags: review?(mconnor)
Attachment #238985 - Flags: approval1.8.1?
Updated•18 years ago (Assignee)
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → Firefox 2
Comment 3•18 years ago (Assignee)
Actually, for the Observe method, the subject in the normal case is expected to be null, and we do use it. Also, content can pass a dom element here anyway, so |this._window| is the preferable check since then we would access the document of a window which was considered safe for the write method.
Attachment #238985 - Attachment is obsolete: true
Attachment #238986 - Flags: review?(mconnor)
Attachment #238986 - Flags: approval1.8.1?
Attachment #238985 - Flags: review?(mconnor)
Attachment #238985 - Flags: approval1.8.1?
Comment 4•18 years ago
Comment on attachment 238986 (patch)
ok, looks good from here, but let's get jst to SR as time is short.
Attachment #238986 - Flags: superreview?(jst)
Attachment #238986 - Flags: review?(mconnor)
Attachment #238986 - Flags: review+
Comment 5•18 years ago
Comment on attachment 238986 (patch)
sr=jst
Attachment #238986 - Flags: superreview?(jst) → superreview+
Comment 6•18 years ago
Comment on attachment 238986 (patch)
a=mconnor on behalf of drivers for 1.8 branch checkin
Attachment #238986 - Flags: approval1.8.1? → approval1.8.1+
Updated•18 years ago
Whiteboard: [checkin needed (1.8 branch)]
Comment 7•18 years ago (Assignee)
1.8:
mozilla/browser/components/feeds/src/FeedWriter.js 1.2.2.23
Keywords: fixed1.8.1
Whiteboard: [checkin needed (1.8 branch)]
Comment 8•18 years ago (Assignee)
trunk: mozilla/browser/components/feeds/src/FeedWriter.js 1.19
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated•18 years ago
Flags: blocking-firefox2? → blocking-firefox2+
Updated•18 years ago
Flags: blocking1.8.0.8-
Whiteboard: [sg:critical] post FF1.5
Updated•18 years ago
Group: security
Updated•18 years ago
Group: security
Whiteboard: [sg:critical] post FF1.5 → [sg:critical] post FF1.5, testcase similar to 344494
Updated•16 years ago
Group: core-security
Updated•6 years ago
Product: Firefox → Firefox Graveyard