Bug 377356 - Security checks in nsEventReceiverSH::AddEventListenerHelper can be circumvented
Status: VERIFIED FIXED
[sg:high]
: testcase, verified1.8.0.12, verified1.8.1.4
Product: Core
Classification: Components
Component: DOM
: Trunk
: All All
-- normal
: ---
Assigned To: Johnny Stenback (:jst, jst@mozilla.com)
: Hixie (not reading bugmail)
: Andrew Overholt [:overholt]
Mentors:
Depends on:
Blocks:
Reported: 2007-04-12 21:55 PDT by moz_bug_r_a4
Modified: 2007-05-30 15:10 PDT (History)
6 users
dveditz: blocking1.8.1.4+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.12+
dveditz: wanted1.8.0.x+
bzbarsky: in-testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Do the security checks against the right object. (1.36 KB, patch)
2007-04-16 15:28 PDT, Johnny Stenback (:jst, jst@mozilla.com)
bzbarsky: review+
bzbarsky: superreview+
dveditz: approval1.8.1.4+
dveditz: approval1.8.0.12+

Description moz_bug_r_a4 2007-04-12 21:55:52 PDT
Please see bug 376987.

Security checks in nsEventReceiverSH::AddEventListenerHelper can be
circumvented in the following way.

  <iframe src="target site"/>
  function X() {}
  X.prototype = frames[0];
  var x = new X();
  addEventListener.call(x, ...);
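Added illustration, not part of this bug report or of the Gecko patch: a constructed JavaScript model of the pattern the report describes, where a security check is performed on the object passed as `this` while the operation acts on the object resolved through the prototype chain. The `__native` tag, the origins and the function names are assumed placeholders standing in for XPConnect wrappers and principals, and the reading of the bug as check-on-`this` versus operate-on-resolved-native is an assumption drawn from the patch title.

```javascript
// Constructed model of the confused-object pattern from bug 377356, written
// for this page; it is not Gecko's nsEventReceiverSH code. Origins and the
// "__native" tag are assumed placeholders for XPConnect wrappers/principals.
function makeNative(origin) {
  return { __native: true, origin: origin, listeners: [] };
}

// Mimics a wrapped-native lookup: walk the prototype chain to the object the
// method will really operate on. A plain object whose prototype is a
// cross-origin frame resolves to that frame.
function resolveNative(obj) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    if (Object.prototype.hasOwnProperty.call(o, '__native')) return o;
  }
  return null;
}

// A native carries its own origin; a plain object belongs to the script that
// created it, i.e. the caller.
function originOf(obj, callerOrigin) {
  return Object.prototype.hasOwnProperty.call(obj, '__native') ? obj.origin : callerOrigin;
}

// Vulnerable shape: the origin check looks at the `this` object that was
// passed in, while the listener is attached to the resolved native.
function addListenerVulnerable(callerOrigin, thisObj, type, fn) {
  const target = resolveNative(thisObj);
  if (target === null) throw new TypeError('not an event target');
  if (originOf(thisObj, callerOrigin) !== callerOrigin) throw new Error('SecurityError');
  target.listeners.push({ type, fn });
}

// Fixed shape: check the same object the operation acts on.
function addListenerFixed(callerOrigin, thisObj, type, fn) {
  const target = resolveNative(thisObj);
  if (target === null) throw new TypeError('not an event target');
  if (originOf(target, callerOrigin) !== callerOrigin) throw new Error('SecurityError');
  target.listeners.push({ type, fn });
}

// Replays the report's trick (X.prototype = frame; new X()) against a check
// and reports whether a listener ended up on the frame.
function attaches(addListener, callerOrigin, frame) {
  function X() {}
  X.prototype = frame;
  const x = new X();
  try { addListener(callerOrigin, x, 'load', () => {}); } catch (e) { return false; }
  return frame.listeners.length > 0;
}
```

Run `attaches` with each variant against a frame of a different origin: the vulnerable check lets the listener land on the frame, the fixed check denies it, and a same-origin frame is still allowed by the fixed check.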
Comment 1 moz_bug_r_a4 2007-04-12 21:56:54 PDT
Created attachment 261437
testcase

This tries to get cookies for www.mozilla.com.
Comment 2 Johnny Stenback (:jst, jst@mozilla.com) 2007-04-16 15:28:09 PDT
Created attachment 261730
Do the security checks against the right object.
Comment 3 Boris Zbarsky [:bz] (still a bit busy) 2007-04-16 15:30:21 PDT
Comment on attachment 261730
Do the security checks against the right object.

Fun....
Comment 4 Johnny Stenback (:jst, jst@mozilla.com) 2007-04-16 16:11:49 PDT
Fixed on trunk.
Comment 5 Daniel Veditz [:dveditz] 2007-04-18 16:23:04 PDT
Comment on attachment 261730
Do the security checks against the right object.

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Comment 6 Samuel Sidler (old account; do not CC) 2007-05-08 21:02:13 PDT
Verified on the branches and trunk using the following builds:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.12pre) Gecko/20070430 Firefox/1.5.0.12pre

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070501 Firefox/2.0.0.4

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a5pre) Gecko/20070428 Minefield/3.0a5pre
