Bug 380476 - XSS by loading a target site in the middle of calling setTimeout()
Status: RESOLVED FIXED
Whiteboard: [sg:high]
Branch status: fixed1.8.0.13, verified1.8.1.5
Product: Core
Classification: Components
Component: Security
Version: unspecified
Platform: x86 Windows XP
Priority: -- Severity: normal
Target Milestone: mozilla1.9alpha8
Assigned To: Johnny Stenback (:jst, jst@mozilla.com)
Reported: 2007-05-11 22:19 PDT by moz_bug_r_a4
Modified: 2007-09-27 16:45 PDT
CC: 8 users
jonas: blocking1.9+
dveditz: blocking1.8.1.5+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.13+
dveditz: wanted1.8.0.x+
jwalden+bmo: in-testsuite?

Attachments
testcase 1 (1.19 KB, text/html), 2007-05-11 22:21 PDT, moz_bug_r_a4
testcase 2 (1.47 KB, text/html), 2007-05-11 22:22 PDT, moz_bug_r_a4
Don't fire timeouts in windows that are no longer loaded. (707 bytes, patch), 2007-07-05 15:54 PDT, Johnny Stenback (:jst, jst@mozilla.com)
  mrbkap: review+
  jonas: superreview+
  dveditz: approval1.8.1.5+
  dveditz: approval1.8.0.13+

Description moz_bug_r_a4 2007-05-11 22:19:53 PDT
A page load initiated in a function can be processed in the middle of that
function.

  // w: a window this page can script (e.g. a frame it controls);
  // url: the target site to load into it.
  function f() {
    var d = w.document;
    w.location = url;   // start the load; the old document is still current here
    w.document == d; // --> true
    alert(1); // or sync XMLHttpRequest, etc.: blocks until the pending load is processed
    w.document == d; // --> false  (the load completed in the middle of f)
  }

By using this behavior, an attacker can perform an XSS attack using
setTimeout().  While setTimeout() is being called on a window, at the time of
conversions of arguments, it's possible to load a target site in the window
that setTimeout() is being called on.  When this happens, execution of
setTimeout() continues on the target site.
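The interleaving the report relies on, as an added illustrative model in JavaScript. This is not code from the bug's attachments or from Gecko: the Window and Document classes, navigateSync(), the two setTimeout variants, fireTimers(), the example origins and the strings "attackerCode()" / "benignCode()" are all invented for the model. The "fixed" variant follows only the patch title ("Don't fire timeouts in windows that are no longer loaded"); the actual patch is not shown on this page.

```javascript
// Added model of the setTimeout() re-entrancy described above. Not Mozilla
// code: Window, Document, navigateSync() and the two setTimeout variants are
// simplified stand-ins for the browser internals.

class Document {
  constructor(origin) {
    this.origin = origin; // assumed example origins, not real sites
    this.timers = [];
  }
}

class Window {
  constructor(origin) {
    this.document = new Document(origin);
  }

  // Stand-in for `w.location = url` followed by something that blocks and
  // lets the load be processed (alert(), sync XMLHttpRequest): the new
  // document is swapped in while the caller's JavaScript is still on the stack.
  navigateSync(origin) {
    this.document = new Document(origin);
  }

  // Vulnerable shape: the code argument is converted to a string first
  // (String() invokes an attacker-supplied toString()), and only afterwards
  // is the timer attached to whatever document the window holds by then.
  setTimeoutVulnerable(code, delay) {
    const src = String(code);
    this.document.timers.push({ src, delay, owner: this.document });
  }

  // Fixed shape, following the patch summary: the timer belongs to the
  // document that was current on entry, so a navigation that happens during
  // argument conversion leaves it attached to a document that is no longer
  // loaded, and it never fires in the target site.
  setTimeoutFixed(code, delay) {
    const doc = this.document;
    const src = String(code);
    doc.timers.push({ src, delay, owner: doc });
  }

  // Deliver timers for the currently loaded document only.
  fireTimers() {
    const fired = [];
    for (const t of this.document.timers) {
      if (t.owner === this.document) {
        fired.push({ src: t.src, origin: this.document.origin });
      }
    }
    return fired;
  }
}

// Attacker-controlled argument whose string conversion navigates the window
// to the target site, i.e. the "conversions of arguments" step in the report.
function hostileArg(win, targetOrigin) {
  return {
    toString() {
      win.navigateSync(targetOrigin);
      return "attackerCode()";
    },
  };
}

// Run one scenario and report which timers fire and in whose origin.
function runScenario(variant, hostile) {
  const w = new Window("http://attacker.example");
  const arg = hostile ? hostileArg(w, "http://target.example") : "benignCode()";
  if (variant === "vulnerable") w.setTimeoutVulnerable(arg, 0);
  else w.setTimeoutFixed(arg, 0);
  return w.fireTimers();
}

console.log(runScenario("vulnerable", true)); // the timer runs in the target's origin
console.log(runScenario("fixed", true));      // nothing fires
console.log(runScenario("fixed", false));     // ordinary timeouts still work
```

The model keeps the argument conversion exactly where the report puts it, between the entry of setTimeout() and the moment the timer is bound to a document, which is the window a re-entrant toString() gets to change the world in; the hardened variant simply decides which document owns the timer before any attacker-visible code can run.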
Comment 1 moz_bug_r_a4 2007-05-11 22:21:15 PDT
Created attachment 264574 [details]
testcase 1

This works on fx2.0.0.x and fx1.5.0.x.
Comment 2 moz_bug_r_a4 2007-05-11 22:22:15 PDT
Created attachment 264575 [details]
testcase 2

This works on trunk, fx2.0.0.x and fx1.5.0.x.
Comment 3 Mike Connor [:mconnor] 2007-06-28 07:46:21 PDT
punting remaining a6 bugs to b1, all of these shipped in a5, so we're at least no worse off by doing so.
Comment 4 Johnny Stenback (:jst, jst@mozilla.com) 2007-07-05 15:54:07 PDT
Created attachment 271138 [details] [diff] [review]
Don't fire timeouts in windows that are no longer loaded.
Comment 5 Johnny Stenback (:jst, jst@mozilla.com) 2007-07-05 16:19:34 PDT
Fix checked in.
Comment 6 Daniel Veditz [:dveditz] 2007-07-09 16:09:54 PDT
Comment on attachment 271138 [details] [diff] [review]
Don't fire timeouts in windows that are no longer loaded.

Does this patch work for 1.8?
Comment 7 Johnny Stenback (:jst, jst@mozilla.com) 2007-07-09 16:40:24 PDT
It *should* work, but I haven't ported the patch (assuming that's even needed). Let me know if you want this and I'll test it out etc.
Comment 8 Daniel Veditz [:dveditz] 2007-07-10 15:08:39 PDT
Comment on attachment 271138 [details] [diff] [review]
Don't fire timeouts in windows that are no longer loaded.

approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Comment 9 Johnny Stenback (:jst, jst@mozilla.com) 2007-07-10 17:15:49 PDT
Fix landed on branches.
Comment 10 juan becerra [:juanb] 2007-08-20 15:51:07 PDT
Verified fixed on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/2007071317 Firefox/2.0.0.5

Was unable to reproduce the problem on Tbird 15012 or 15013, during Tbird 15013 verifications.
