Closed Bug 377356 Opened 15 years ago Closed 15 years ago

Security checks in nsEventReceiverSH::AddEventListenerHelper can be circumvented

Categories

(Core :: DOM: Core & HTML, defect)

Type: defect
Priority: Not set
Severity: normal


VERIFIED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: jst)

Details

(Keywords: testcase, verified1.8.0.12, verified1.8.1.4, Whiteboard: [sg:high])

Attachments

(1 file)

Please see bug 376987.

Security checks in nsEventReceiverSH::AddEventListenerHelper can be
circumvented in the following way.

  <iframe src="target site"/>
  function X() {}
  X.prototype = frames[0];
  var x = new X();
  addEventListener.call(x, ...);
Attached file testcase
This tries to get cookies for www.mozilla.com.
Assignee: dveditz → general
Component: Security → DOM
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
OS: Windows XP → All
QA Contact: toolkit → ian
Hardware: PC → All
Whiteboard: [sg:high]
Version: unspecified → Trunk
Assignee: general → jst
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Attachment #261730 - Flags: superreview?(bzbarsky)
Attachment #261730 - Flags: review?(bzbarsky)
Comment on attachment 261730 [details] [diff] [review]
Do the security checks against the right object.

Fun....
Attachment #261730 - Flags: superreview?(bzbarsky)
Attachment #261730 - Flags: superreview+
Attachment #261730 - Flags: review?(bzbarsky)
Attachment #261730 - Flags: review+
Flags: in-testsuite?
Attachment #261730 - Flags: approval1.8.1.4?
Attachment #261730 - Flags: approval1.8.0.12?
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Comment on attachment 261730 [details] [diff] [review]
Do the security checks against the right object.

approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #261730 - Flags: approval1.8.1.4?
Attachment #261730 - Flags: approval1.8.1.4+
Attachment #261730 - Flags: approval1.8.0.12?
Attachment #261730 - Flags: approval1.8.0.12+
Verified on the branches and trunk using the following builds:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.12pre) Gecko/20070430 Firefox/1.5.0.12pre

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070501 Firefox/2.0.0.4

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a5pre) Gecko/20070428 Minefield/3.0a5pre
Status: RESOLVED → VERIFIED
Group: security
Component: DOM → DOM: Core & HTML