Closed Bug 353117 Opened 18 years ago Closed 18 years ago

A part of the fix for bug 352124 can be circumvented

Categories

(Firefox Graveyard :: RSS Discovery and Preview, defect, P1)

defect

Tracking

(Not tracked)

RESOLVED FIXED
Firefox 2

People

(Reporter: moz_bug_r_a4, Assigned: asaf)

Details

(Keywords: fixed1.8.1, Whiteboard: [sg:critical] post FF1.5, testcase similar to 344494)

Attachments

(1 file, 1 obsolete file)

1. Load a feed page in another window (W). 2. Create a FeedWiter object (F). 3. Call F.write(W). From here on, F._window is W. Thus, |if (!this._window)| test in handleEvent method cannot block an exploit. frames[0].location = "feed url"; f = new BrowserFeedWriter(); try { f.write(frames[0]); } catch (e) {} f.QueryInterface(Components.interfaces.nsIDOMEventListener) .handleEvent(untrusted_object);
Attached patch patch (obsolete) — Splinter Review
Assignee: nobody → mano
Status: NEW → ASSIGNED
Attachment #238985 - Flags: review?(mconnor)
Attachment #238985 - Flags: approval1.8.1?
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → Firefox 2
Attached patch patchSplinter Review
Actually, for the Observe method, the subject in the normal case is expected to be null, and we do use it. Also, content can pass a dom element here anyway, so |this._window| is the preferable check since then we would access the document of a window which was considered safe for the write method.
Attachment #238985 - Attachment is obsolete: true
Attachment #238986 - Flags: review?(mconnor)
Attachment #238986 - Flags: approval1.8.1?
Attachment #238985 - Flags: review?(mconnor)
Attachment #238985 - Flags: approval1.8.1?
Comment on attachment 238986 [details] [diff] [review] patch ok, looks good from here, but let's get jst to SR as time is short.
Attachment #238986 - Flags: superreview?(jst)
Attachment #238986 - Flags: review?(mconnor)
Attachment #238986 - Flags: review+
Comment on attachment 238986 [details] [diff] [review] patch sr=jst
Attachment #238986 - Flags: superreview?(jst) → superreview+
Comment on attachment 238986 [details] [diff] [review] patch a=mconnor on behalf of drivers for 1.8 branch checkin
Attachment #238986 - Flags: approval1.8.1? → approval1.8.1+
Whiteboard: [checkin needed (1.8 branch)]
1.8: mozilla/browser/components/feeds/src/FeedWriter.js 1.2.2.23
Keywords: fixed1.8.1
Whiteboard: [checkin needed (1.8 branch)]
trunk: mozilla/browser/components/feeds/src/FeedWriter.js 1.19
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: blocking-firefox2? → blocking-firefox2+
Flags: blocking1.8.0.8-
Whiteboard: [sg:critical] post FF1.5
Group: security
Group: security
Whiteboard: [sg:critical] post FF1.5 → [sg:critical] post FF1.5, testcase similar to 344494
Group: core-security
Product: Firefox → Firefox Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: