I guess the bugs are:
* Bug 230606, Tighten the same-origin policy for local files.
* Manually opening a popup should not get around CheckLoadURI.
* Predictable random numbers are used for creating filenames that are intended to be unpredictable.
Is there another bug on the missing CheckLoadURI? Is it already fixed on trunk?
See also bug 322529 ("Upgrade Math.random() to a better algorithm, such as Mersenne Twister"). Looks like wtc is interested in this for NSPR too. We should use MT in the tempname equivalent or whatever it is. jst says he doesn't know of a CheckLoadURI vs. popup manual open bug. /be
Jesse, please file bugs if you can. The stupid reseeding one should be easy to fix ASAP. Thanks, /be
Wikipedia says "Unlike Blum Blum Shub, [Mersenne twister] in its native form is not suitable for cryptography. Observing a sufficient number of iterates (624 in the case of MT19937) allows one to predict all future iterates." So switching to MT won't help against this attack.
Blum Blum Shub, a play on Jar Jar Binks? What a world. Ok, but please to be updating the other bug ;-). /be
Michal said simply seeding earlier (at startup) would help already.
Ok, there are now bugs on each part of this exploit:
* Bug 230606, Tighten the same-origin policy for local files.
* Bug 369427, Showing a blocked pop-up bypasses CheckLoadURI (can load file: URLs)
* Bug 369428, nsExternalAppHandler::SetUpTempFile uses a poor source of randomness, resulting in predictable filenames
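The third sub-bug above (bug 369428, a poor source of randomness for temp filenames) and the earlier point that a Mersenne Twister output is reconstructible are illustrated by the following added example; it is not code from this bug or from Mozilla. It contrasts a name derived from a seeded PRNG (same seed, same name every time) with one drawn from the OS CSPRNG via `secrets`, and then creates the file with `O_EXCL` so that a pre-planted file or symlink at a guessed name makes the open fail rather than being silently reused. The function names and the `prefix`/`suffix`/`nbytes` parameters are assumptions for the example.

```python
import os
import random
import secrets
import tempfile


def weak_temp_name(seed, prefix="tmp", suffix=""):
    # Constructed illustration of the defect: random.Random is a Mersenne
    # Twister; seeded from a guessable value (a constant, a pid, a coarse
    # timestamp) it yields a name that anyone holding the seed reproduces.
    rng = random.Random(seed)
    return f"{prefix}{rng.getrandbits(64):016x}{suffix}"


def strong_temp_name(prefix="tmp", suffix="", nbytes=16):
    # secrets reads from the OS CSPRNG (os.urandom); there is no small seed
    # space to search and no output sequence from which to recover the state.
    return f"{prefix}{secrets.token_hex(nbytes)}{suffix}"


def create_private_temp_file(directory=None, prefix="tmp", suffix=""):
    # Unpredictable name plus O_CREAT|O_EXCL and mode 0600: the open fails
    # on an existing path instead of following a planted symlink, and the
    # file is not readable by other local users.
    directory = directory or tempfile.gettempdir()
    for _ in range(100):
        path = os.path.join(directory, strong_temp_name(prefix, suffix))
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue  # collision (or a planted file): pick a fresh name
        return fd, path
    raise RuntimeError("could not create a unique temp file")


def cleanup(fd, path):
    # Close and remove the file; True when the path is gone afterwards.
    os.close(fd)
    os.unlink(path)
    return not os.path.exists(path)


if __name__ == "__main__":
    print("seeded twice:", weak_temp_name(1234), weak_temp_name(1234))
    print("csprng twice:", strong_temp_name(), strong_temp_name())
    fd, path = create_private_temp_file()
    print("created", path, "removed:", cleanup(fd, path))
```

The same structure applies to any language: the fix for a predictable temp name is a CSPRNG-backed name, and the fix for the race that predictability enables is an exclusive create, so both belong together.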
Two of the three sub-bugs are fixed on the branches, any one of them stops this exploit. Calling this "fixed".