Closed
Bug 372075
Opened 17 years ago
Closed 17 years ago
javascript: URI evaluation should use sandboxed context for toString, etc
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: bzbarsky, Assigned: mrbkap)
References
Details
(Keywords: fixed1.8.0.15, verified1.8.1.12, Whiteboard: [sg:moderate] spun off an sg:critical bug, reveals bug 344495)
Attachments
(5 files)
7.54 KB,
patch
|
bzbarsky
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
9.20 KB,
patch
|
Details | Diff | Splinter Review | |
16.80 KB,
patch
|
jst
:
review+
bzbarsky
:
superreview+
samuel.sidler+old
:
approval1.8.1.12+
caillon
:
approval1.8.0.next+
|
Details | Diff | Splinter Review |
120.35 KB,
image/png
|
Details | |
43.74 KB,
image/png
|
Details |
See bug 368763 comment 9. Basically, if someone manages to run an unprivileged javascript: URI against a privileged iframe they can possibly escalate their privileges. I bet moz_bug_r_a4@yahoo.com can provide an exploit if people need convincing... ;) We should probably either duplicate the context-creation stuff in XPConnect or somehow expose it.
Flags: blocking1.9?
Flags: blocking1.8.1.3?
Flags: blocking1.8.0.11?
Reporter | ||
Updated•17 years ago
|
Group: security
Assignee | ||
Comment 1•17 years ago
|
||
Would using a safe object wrapper work here? Can we use them from C++?
Reporter | ||
Comment 2•17 years ago
|
||
Hmm... That might work... Especially if XPConnect returned that wrapper to start with (I bet XPConnect can use them from C++ if it wants!).
Comment 3•17 years ago
|
||
Wanted on the branches, but without an assignee or patch doesn't seem likely to happen any time soon. If we get a trunk solution renominate for a specific branch release at that time.
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
Updated•17 years ago
|
Whiteboard: [sg:investigate] spun off an sg:critical bug
Flags: blocking1.9? → blocking1.9+
Reporter | ||
Comment 4•17 years ago
|
||
So I'm not sure whether a safe object wrapper would work here, to be honest. I guess it might because we'll never be looking at the context... Just creating a new JSContext won't work -- a JSContext without an nsIScriptContext is treated as all-powerful.
Reporter | ||
Comment 5•17 years ago
|
||
Or we could just compile a scripted function with the right principal and use that to stringify the value... Do we need any sort of protection around JS_ReportPendingException, though?
Assignee | ||
Comment 6•17 years ago
|
||
(In reply to comment #4) > So I'm not sure whether a safe object wrapper would work here, to be honest. I > guess it might because we'll never be looking at the context... Right, that was why I suggested it.
Reporter | ||
Comment 7•17 years ago
|
||
So is JS_ReportPendingException safe? e.g. if toString() or valueOf() throws some object defined by the javascript: URI, what happens?
Comment 8•17 years ago
|
||
(In reply to comment #7) JS_ReportPendingException seems to be not safe. Exploits work even with throw.
Comment 9•17 years ago
|
||
Comment 10•17 years ago
|
||
Comment 11•17 years ago
|
||
Reporter | ||
Comment 12•17 years ago
|
||
Hmm... Throwing in the sandbox _also_ works? How do those exceptions end up on our "outer" context anyway?
Assignee | ||
Comment 13•17 years ago
|
||
See http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/js/src/xpconnect/src/xpccomponents.cpp&rev=1.108&&mark=3518-3526&root=/cvsroot#3512
Reporter | ||
Comment 14•17 years ago
|
||
Ah, I see... By the way, this seems to be basically a duplicate of bug 363597, no? I wonder whether we could create the sandbox context together with the sandbox object and have xpconnect's API here return both or something?
Blocks: 363597
Comment 15•17 years ago
|
||
Old testcases no longer work on trunk. They use strObj.eval.valueOf to access Object.prototype.valueOf, but now strObj.eval is undefined on trunk. (see bug 382509.) I'll attach new testcases, which use strObj.valueOf.valueOf to access Object.prototype.valueOf.
Comment 16•17 years ago
|
||
Comment 17•17 years ago
|
||
Comment 18•17 years ago
|
||
Assignee | ||
Comment 19•17 years ago
|
||
This should now be fixed by the checkin for bug 386635.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 21•17 years ago
|
||
The patch that fixed this was backed out.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 22•17 years ago
|
||
This patch makes the sandbox itself convert the return value (and exception) to a string, using good scope chains, etc. The only "problem" with the patch, is that if the sandbox throws an object whose toString throws an exception, that exception will get lost. I'm pretty confident that this will only happen to those developers who are up to no good, so I'm fine with that.
Assignee: general → mrbkap
Status: REOPENED → ASSIGNED
Attachment #272584 -
Flags: superreview?(jst)
Attachment #272584 -
Flags: review?(bzbarsky)
Reporter | ||
Comment 23•17 years ago
|
||
Comment on attachment 272584 [details] [diff] [review] Proposed fix >+++ b/js/src/xpconnect/idl/nsIXPConnect.idl >+ in PRBool returnString); Please document. Same for the declaration of xpc_EvalInSandbox. And maybe name it returnStringOnly? r=bzbarsky other than that.
Attachment #272584 -
Flags: review?(bzbarsky) → review+
Updated•17 years ago
|
Attachment #272584 -
Flags: superreview?(jst) → superreview+
Assignee | ||
Comment 24•17 years ago
|
||
Assignee | ||
Comment 25•17 years ago
|
||
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
Comment 26•17 years ago
|
||
Is this fix appropriate for the 1.8.1.8 release or is it tied up with XOW?
Flags: blocking1.8.1.8?
Assignee | ||
Comment 27•17 years ago
|
||
In general, PAC doesn't interface with XOW. This should be easy to backport.
Updated•17 years ago
|
Flags: blocking1.8.1.8? → blocking1.8.1.8+
Whiteboard: [sg:investigate] spun off an sg:critical bug → [sg:moderate] spun off an sg:critical bug
Comment 28•17 years ago
|
||
Blake: this didn't make 1.8.1.8, but please back-port when you get time so this doesn't miss 1.8.1.9 as well.
Flags: blocking1.8.1.8+ → blocking1.8.1.9+
Assignee | ||
Comment 29•17 years ago
|
||
Yeah, sorry about that. I have a backport, but wasn't able to test it.
Assignee | ||
Comment 30•17 years ago
|
||
This backports this patch to the 1.8 branch. The conflicts come from API compat (nsIXPConnect_MOZILLA_1_8_BRANCH2) and the fact that the request stuff never landed on the 1.8 branch.
Attachment #283810 -
Flags: superreview?(bzbarsky)
Attachment #283810 -
Flags: review?(jst)
Reporter | ||
Comment 31•17 years ago
|
||
Comment on attachment 283810 [details] [diff] [review] Backport to 1.8 sr=bzbarsky
Attachment #283810 -
Flags: superreview?(bzbarsky) → superreview+
Updated•17 years ago
|
Whiteboard: [sg:moderate] spun off an sg:critical bug → [sg:moderate][need r=jst on branch] spun off an sg:critical bug
Assignee | ||
Comment 32•17 years ago
|
||
jst: Ping? The branch patch still needs review.
Updated•17 years ago
|
Attachment #283810 -
Flags: review?(jst) → review+
Assignee | ||
Updated•17 years ago
|
Attachment #283810 -
Flags: approval1.8.1.12?
Updated•17 years ago
|
Whiteboard: [sg:moderate][need r=jst on branch] spun off an sg:critical bug → [sg:moderate] spun off an sg:critical bug
Comment 33•17 years ago
|
||
Comment on attachment 283810 [details] [diff] [review] Backport to 1.8 approved for 1.8.1.12, a=dveditz for release-drivers
Updated•17 years ago
|
Attachment #283810 -
Flags: approval1.8.1.12? → approval1.8.1.12+
Assignee | ||
Updated•17 years ago
|
Keywords: fixed1.8.1.12
Assignee | ||
Comment 34•17 years ago
|
||
Fixed on the 1.8 branch.
Verified FIXED on the 1.8 branch using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080128 Firefox/2.0.0.12. Replacing fixed1.8.1.12 with verified1.8.1.12.
Keywords: fixed1.8.1.12 → verified1.8.1.12
Comment 38•16 years ago
|
||
I forgot to mention that all testcases in this bug (testcase 1-6) use bug 344495's trick.
Updated•16 years ago
|
Depends on: 344495
Whiteboard: [sg:moderate] spun off an sg:critical bug → [sg:moderate] spun off an sg:critical bug, reveals bug 344495
Updated•16 years ago
|
Group: security
Comment 40•16 years ago
|
||
Comment on attachment 283810 [details] [diff] [review] Backport to 1.8 unmodified distro patch. caillon, please sign off.
Attachment #283810 -
Flags: approval1.8.0.15?
Comment 41•16 years ago
|
||
Comment on attachment 283810 [details] [diff] [review] Backport to 1.8 a=caillon
Attachment #283810 -
Flags: approval1.8.0.15? → approval1.8.0.15+
Comment 42•16 years ago
|
||
MOZILLA_1_8_0_BRANCH: Checking in dom/src/jsurl/nsJSProtocolHandler.cpp; /cvsroot/mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp,v <-- nsJSProtocolHandler.cpp new revision: 1.113.2.2.2.6; previous revision: 1.113.2.2.2.5 done Checking in js/src/xpconnect/idl/nsIXPConnect.idl; /cvsroot/mozilla/js/src/xpconnect/idl/nsIXPConnect.idl,v <-- nsIXPConnect.idl new revision: 1.35.4.1.4.3; previous revision: 1.35.4.1.4.2 done Checking in js/src/xpconnect/src/nsXPConnect.cpp; /cvsroot/mozilla/js/src/xpconnect/src/nsXPConnect.cpp,v <-- nsXPConnect.cpp new revision: 1.73.4.3.2.5; previous revision: 1.73.4.3.2.4 done Checking in js/src/xpconnect/src/xpccomponents.cpp; /cvsroot/mozilla/js/src/xpconnect/src/xpccomponents.cpp,v <-- xpccomponents.cpp new revision: 1.75.2.6.2.9; previous revision: 1.75.2.6.2.8 done Checking in js/src/xpconnect/src/xpcprivate.h; /cvsroot/mozilla/js/src/xpconnect/src/xpcprivate.h,v <-- xpcprivate.h new revision: 1.162.2.4.2.9; previous revision: 1.162.2.4.2.8 done
Keywords: fixed1.8.0.15
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•