Bug 369211 - content can pollute implicit XPCNativeWrapper
Whiteboard: [sg:moderate?] keep private until 363...
Keywords: verified1.8.0.13, verified1.8.1.5
Product: Core
Classification: Components
Component: Security
Version: Trunk
Platform: x86 Windows XP
Importance: -- major
Target Milestone: ---
Assigned To: Blake Kaplan (:mrbkap)
QA Contact: David Keeler [:keeler]
Depends on: 363891
Reported: 2007-02-03 13:20 PST by shutdown
Modified: 2008-10-10 14:27 PDT (History)
jonas: blocking1.9+
dveditz: blocking1.8.1.5+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.13+
dveditz: wanted1.8.0.x+
dsicore: in-testsuite?

testcase (948 bytes, text/html)
2007-02-03 13:20 PST, shutdown
testcase 2 (1017 bytes, text/html)
2007-06-15 01:34 PDT, moz_bug_r_a4
Proposed fix (1.20 KB, patch)
2007-06-15 13:18 PDT, Blake Kaplan (:mrbkap)
brendan: review+
dveditz: approval1.8.1.5+
dveditz: approval1.8.0.13+

Description shutdown 2007-02-03 13:20:45 PST
Created attachment 253882
testcase

Implicit XPCNativeWrapper, a wrapper object to provide a safe way to access
untrusted content DOM from chrome, can be polluted by that untrusted content.

1. load the attached testcase.
2. middle click on the content to start auto scrolling.
3. you will see an alert if there is a bug.

Mozilla/5.0 (Windows; U; Win98; en-US; rv: Gecko/20070203 BonEcho/
Comment 1 Johnny Stenback (:jst) 2007-03-20 17:10:02 PDT
This is basically another variant of what's discussed in bug 363891. Content fools chrome code into calling eval indirectly, and gets it to eval untrusted script from chrome.
Comment 2 Johnny Stenback (:jst) 2007-06-14 18:03:23 PDT
While the testcase in this bug is fixed by mrbkap's eval() changes, we think it's still vulnerable to alternatives. Reassigning to mrbkap for him to have a deeper look at this.
Comment 3 Blake Kaplan (:mrbkap) 2007-06-14 21:24:58 PDT
In particular, we were wondering if we could replace 'eval' with a location setter, or something, which would allow similar access to the implicit XPCNativeWrapper. I'm CCing moz_bug_r_a4 since he seems to eat these sort of testcases for breakfast.
Comment 4 moz_bug_r_a4 2007-06-15 01:34:34 PDT
Created attachment 268472
testcase 2

It's possible to use 'eval' with a window.

(If I replace 'eval' with a location setter, |window[0].parent.document| is not
the implicit XPCNativeWrapper.)
Comment 5 Blake Kaplan (:mrbkap) 2007-06-15 13:18:11 PDT
Created attachment 268528
Proposed fix

This patch is a bit of a hack but it works. The main problem here is that the script that eval creates inherits its scripted caller's script filename. Because of this, even though we find the right principals for the script, we still think that it's from the chrome XBL binding. This patch makes us use the codebase of the principals that we're using if we didn't end up using the caller's. I'm hoping that this situation is rare enough that nobody is going to care.
Comment 6 Brendan Eich [:brendan] 2007-06-15 13:30:53 PDT
Comment on attachment 268528
Proposed fix

r=me, wondering what the possible values of principals->codebase, e.g., for the system principal?

Comment 7 Blake Kaplan (:mrbkap) 2007-06-15 13:58:58 PDT
I looked into this, and the system principal uses the string "[System Principal]" for its codebase. It's not a great filename, but I don't think that we can get into this codepath with the system principal anyway.
Comment 8 Blake Kaplan (:mrbkap) 2007-06-15 14:01:22 PDT
Fix checked into trunk.

I noticed that this doesn't have security markings ([sg:*]) but is in the security group. These two facts seem disjoint to me.
Comment 9 Daniel Veditz [:dveditz] 2007-06-26 17:49:51 PDT
As a member of the security group feel free to take your best shot at a sg: marking without waiting for me to do it. Your evaluation is likely to involve less guessing than mine.

Is this OK to take on branch?
Comment 10 Damon Sicore (:damons) 2007-07-06 11:06:26 PDT
Test for this in test suite?  What's the process for adding tests for sg: bugs?
Comment 11 Blake Kaplan (:mrbkap) 2007-07-10 17:53:03 PDT
Comment on attachment 268528
Proposed fix

This applies to the 1.8 and 1.8.0 branches as-is.
Comment 12 Daniel Veditz [:dveditz] 2007-07-10 18:07:07 PDT
Comment on attachment 268528
Proposed fix

approved for and, a=dveditz
Comment 13 Blake Kaplan (:mrbkap) 2007-07-10 18:29:04 PDT
Fix checked into the 1.8 branches.
Comment 14 Carsten Book [:Tomcat] 2007-07-13 16:53:07 PDT
verified fixed using Build identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/2007071216 Firefox/ and the testcases from this bug.
Comment 15 juan becerra [:juanb] 2007-08-22 17:44:24 PDT
Verified on Thunderbird version (20070809) on an XP (vm) with testcases in comment #0 and comment #4. 
