Bug 377356: Security checks in nsEventReceiverSH::AddEventListenerHelper can be circumvented
Status: VERIFIED FIXED (Closed)
Opened 18 years ago
Closed 18 years ago
Categories: Core :: DOM: Core & HTML, defect
People: Reporter: moz_bug_r_a4, Assigned: jst
Details: Keywords: testcase, verified1.8.0.12, verified1.8.1.4, Whiteboard: [sg:high]
Attachments (1 file)
patch, 1.36 KB (bzbarsky: review+, bzbarsky: superreview+, dveditz: approval1.8.1.4+, dveditz: approval1.8.0.12+)
Description
Please see bug 376987.
Security checks in nsEventReceiverSH::AddEventListenerHelper can be
circumvented in the following way.
<iframe src="target site"/>
function X() {}
X.prototype = frames[0];
var x = new X();
addEventListener.call(x, ...);
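
The pattern behind the testcase above, as an added toy model in JavaScript (not code from this bug, its patch, or Gecko). It assumes, going by the patch title "Do the security checks against the right object", that the check was applied to the object passed as `this` while the call acted on the native window reached through the prototype chain; every function name and origin below is hypothetical.

```javascript
// Toy model, constructed for illustration; none of these names are Gecko APIs.
const owner = new WeakMap();   // object -> owning origin (stand-in for a principal)
const natives = new WeakSet(); // objects standing in for wrapped native windows

function createNativeWindow(origin) {
  const win = { listeners: [] };
  owner.set(win, origin);
  natives.add(win);
  return win;
}

// Models `X.prototype = frames[0]; var x = new X();` run by script at `origin`.
function createScriptObject(origin, proto) {
  const obj = Object.create(proto);
  owner.set(obj, origin);
  return obj;
}

// A method call on a derived object still lands on the native found by walking
// the prototype chain (assumed behaviour of the dispatch being modelled).
function resolveNative(obj) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    if (natives.has(o)) return o;
  }
  throw new TypeError('no native object on the prototype chain');
}

// Flawed: authorises against the object the caller handed in, then acts on another.
function addListenerCheckingThis(callerOrigin, thisObj, fn) {
  if (owner.get(thisObj) !== callerOrigin) throw new Error('access denied');
  resolveNative(thisObj).listeners.push(fn);
}

// Corrected: resolve first, then authorise against the object that will be modified.
function addListenerCheckingTarget(callerOrigin, thisObj, fn) {
  const target = resolveNative(thisObj);
  if (owner.get(target) !== callerOrigin) throw new Error('access denied');
  target.listeners.push(fn);
}

// Runs one variant against a frame owned by `frameOrigin` and reports the outcome.
function run(addListener, frameOrigin) {
  const page = 'https://page.example';            // constructed origin
  const frame = createNativeWindow(frameOrigin);
  const x = createScriptObject(page, frame);
  try { addListener(page, x, () => {}); } catch (e) { return 'denied'; }
  return frame.listeners.length === 1 ? 'listener added' : 'no effect';
}
```

The third case worth running is `run(addListenerCheckingTarget, 'https://page.example')`, which confirms the corrected check still permits same-origin use.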
Comment 1 (Reporter) • 18 years ago
This tries to get cookies for www.mozilla.com.
Updated • 18 years ago
Assignee: dveditz → general
Component: Security → DOM
Flags: blocking1.8.1.4?
Flags: blocking1.8.0.12?
OS: Windows XP → All
QA Contact: toolkit → ian
Hardware: PC → All
Whiteboard: [sg:high]
Version: unspecified → Trunk
Updated • 18 years ago
Assignee: general → jst
Flags: blocking1.8.1.4?
Flags: blocking1.8.1.4+
Flags: blocking1.8.0.12?
Flags: blocking1.8.0.12+
Comment 2 (Assignee) • 18 years ago
Attachment #261730 - Flags: superreview?(bzbarsky)
Attachment #261730 - Flags: review?(bzbarsky)
Comment 3 • 18 years ago
Comment on attachment 261730
Do the security checks against the right object.
Fun....
Attachment #261730 - Flags: superreview?(bzbarsky)
Attachment #261730 - Flags: superreview+
Attachment #261730 - Flags: review?(bzbarsky)
Attachment #261730 - Flags: review+
Updated • 18 years ago
Flags: in-testsuite?
Updated (Assignee) • 18 years ago
Attachment #261730 - Flags: approval1.8.1.4?
Attachment #261730 - Flags: approval1.8.0.12?
Comment 4 (Assignee) • 18 years ago
Fixed on trunk.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated • 18 years ago
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Comment 5 • 18 years ago
Comment on attachment 261730
Do the security checks against the right object.
approved for 1.8.0.12 and 1.8.1.4, a=dveditz for release-drivers
Attachment #261730 - Flags: approval1.8.1.4?
Attachment #261730 - Flags: approval1.8.1.4+
Attachment #261730 - Flags: approval1.8.0.12?
Attachment #261730 - Flags: approval1.8.0.12+
Updated (Assignee) • 18 years ago
Keywords: fixed1.8.0.12, fixed1.8.1.4
Comment 6 • 18 years ago
Verified on the branches and trunk using the following builds:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.12pre) Gecko/20070430 Firefox/1.5.0.12pre
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.4) Gecko/20070501 Firefox/2.0.0.4
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.9a5pre) Gecko/20070428 Minefield/3.0a5pre
Status: RESOLVED → VERIFIED
Updated • 18 years ago
Group: security
Updated • 6 years ago
Component: DOM → DOM: Core & HTML