Security checks in nsEventReceiverSH::AddEventListenerHelper can be circumvented

VERIFIED FIXED

Status

Core
DOM
10 years ago

People

(Reporter: moz_bug_r_a4, Assigned: jst)

Tracking

({testcase, verified1.8.0.12, verified1.8.1.4})

Trunk
Bug Flags:
blocking1.8.1.4 +
wanted1.8.1.x +
blocking1.8.0.12 +
wanted1.8.0.x +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:high])

Attachments

(1 attachment)

(Reporter)

Description

10 years ago
Please see bug 376987.

Security checks in nsEventReceiverSH::AddEventListenerHelper can be
circumvented in the following way.

  <iframe src="target site"/>
  function X() {}
  X.prototype = frames[0];
  var x = new X();
  addEventListener.call(x, ...);
(Reporter)

Comment 1

10 years ago
Created attachment 261437 [details]
testcase

This tries to get cookies for www.mozilla.com.
Assignee: dveditz → general
Component: Security → DOM
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
OS: Windows XP → All
QA Contact: toolkit → ian
Hardware: PC → All
Whiteboard: [sg:high]
Version: unspecified → Trunk
Assignee: general → jst
Flags: blocking1.8.1.4? → blocking1.8.1.4+
Flags: blocking1.8.0.12? → blocking1.8.0.12+
Keywords: testcase
(Assignee)

Comment 2

10 years ago
Created attachment 261730 [details] [diff] [review]
Do the security checks against the right object.
Attachment #261730 - Flags: superreview?(bzbarsky)
Attachment #261730 - Flags: review?(bzbarsky)
Comment on attachment 261730 [details] [diff] [review]
Do the security checks against the right object.

Fun....
Attachment #261730 - Flags: superreview?(bzbarsky) → superreview+
Attachment #261730 - Flags: review?(bzbarsky) → review+
Flags: in-testsuite?
(Assignee)

Updated

10 years ago
Attachment #261730 - Flags: approval1.8.1.4?
Attachment #261730 - Flags: approval1.8.0.12?
(Assignee)

Comment 4

10 years ago
Fixed on trunk.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Comment on attachment 261730 [details] [diff] [review]
Do the security checks against the right object.

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #261730 - Flags: approval1.8.1.4? → approval1.8.1.4+
Attachment #261730 - Flags: approval1.8.0.12? → approval1.8.0.12+
(Assignee)

Updated

10 years ago
Keywords: fixed1.8.0.12, fixed1.8.1.4
Verified on the branches and trunk using the following builds:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.12pre) Gecko/20070430 Firefox/1.5.0.12pre

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070501 Firefox/2.0.0.4

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a5pre) Gecko/20070428 Minefield/3.0a5pre
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.12, fixed1.8.1.4 → verified1.8.0.12, verified1.8.1.4
Group: security
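
A toy model of the check/use mismatch in the description (`addEventListener.call(x, ...)` with the frame on `x`'s prototype chain) and of the fix named in attachment 261730, added here as an illustration; it is not Gecko code and not the reporter's testcase. `makeNative`, `resolveNative`, both `addListener*` functions and the example origins are hypothetical, and treating a plain script object as the caller's own in the flawed check is a modelling assumption.

```javascript
// Toy model, constructed for illustration (not Gecko code). A "native" is an
// object owned by an origin; plain script objects are not natives.
const NATIVES = new WeakSet();
const makeNative = (origin) => { const n = { origin, listeners: [] }; NATIVES.add(n); return n; };

// Hypothetical helper: find the native that will actually receive the
// listener by walking the prototype chain of the object passed as `this`.
function resolveNative(obj) {
  for (let o = obj; o; o = Object.getPrototypeOf(o)) if (NATIVES.has(o)) return o;
  return null;
}

// Flawed shape: authorize against the object passed as `this`, act on the
// resolved native. Assumption: a plain object counts as the caller's own.
function addListenerFlawed(callerOrigin, thisObj, fn) {
  const checked = NATIVES.has(thisObj) ? thisObj.origin : callerOrigin;
  if (checked !== callerOrigin) throw new Error('Permission denied');
  const target = resolveNative(thisObj);
  if (!target) throw new TypeError('not an event target');
  target.listeners.push(fn);
  return target;
}

// Corrected shape: resolve first, then authorize against that same object.
function addListenerChecked(callerOrigin, thisObj, fn) {
  const target = resolveNative(thisObj);
  if (!target) throw new TypeError('not an event target');
  if (target.origin !== callerOrigin) throw new Error('Permission denied');
  target.listeners.push(fn);
  return target;
}

// Constructed sample: a cross-origin frame and an object inheriting from it.
function demo() {
  const caller = 'https://caller.example';
  const frame = makeNative('https://other.example');
  const x = Object.create(frame);
  const attempt = (add, obj) => {
    try { add(caller, obj, () => {}); return 'allowed'; } catch (e) { return 'denied'; }
  };
  return {
    flawedDirect: attempt(addListenerFlawed, frame),
    flawedViaProto: attempt(addListenerFlawed, x),
    fixedViaProto: attempt(addListenerChecked, x),
    fixedOwn: attempt(addListenerChecked, makeNative(caller)),
    listenersOnFrame: frame.listeners.length,
  };
}
```

A regression test for this class of bug needs the indirect receiver (an object inheriting from the protected one), since the direct call is denied by both versions.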