Bug 383424 - Arbitrary code execution using an event handler attached to an element that is not in a document
Status: RESOLVED FIXED
Whiteboard: [sg:critical]
Keywords: verified1.8.0.13, verified1.8.1.5
Product: Core
Classification: Components
Component: DOM
Version: 1.8 Branch
Platform: x86 Windows XP
Importance: -- normal
Target Milestone: ---
Assigned To: Johnny Stenback (:jst, jst@mozilla.com)
QA Contact: (none)
Triage Owner: Andrew Overholt [:overholt]
Reported: 2007-06-05 22:49 PDT by moz_bug_r_a4
Modified: 2007-09-29 17:49 PDT
Tracking flags:
dveditz: blocking1.9?
dveditz: blocking1.8.1.5+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.13+
dveditz: wanted1.8.0.x+
jwalden+bmo: in-testsuite?


Attachments
testcase 1 - autoscroll (859 bytes, text/html); 2007-06-05 22:50 PDT, moz_bug_r_a4; no flags
testcase 2 - textZoom (1.12 KB, text/html); 2007-06-05 22:52 PDT, moz_bug_r_a4; no flags
Possible fix. (431 bytes, patch); 2007-06-08 00:15 PDT, Johnny Stenback (:jst, jst@mozilla.com); mrbkap: review+, bzbarsky: superreview+, dveditz: approval1.8.1.5+, dveditz: approval1.8.0.13+

Description moz_bug_r_a4 2007-06-05 22:49:02 PDT
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/events/src/nsEventListenerManager.cpp&rev=1.275&mark=1086-1088#1086
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/base/src/nsContentUtils.cpp&rev=1.218&mark=2403,2406-2408#2393

If aCurrentTarget is an element that is not in a document, nsCxPusher does not
push a JS context.  Because of this, when a content-registered event handler is
called, the subject principal can be the system principal, which can happen
when chrome modifies content DOM (e.g. appendChild(), setAttribute(), style.foo
= bar).  This allows content to run arbitrary code with chrome privileges. 
Also, the subject principal can be the safe context's principal (i.e. the
hidden window's principal).  In this case, since the hidden window's url is
resource://gre/res/hiddenWindow.html, and resource: is allowed to load chrome:
urls, if there is an XSS bug then content can run arbitrary code with chrome
privileges.
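The mechanism in the description, as an added model that is not Gecko's code: Gecko derives the subject principal from a stack of JS contexts, and the context pusher is expected to push a context for the event target's document before a content-registered handler runs. The model below compares the pre-fix rule (push only when the target is currently in a document) with the rule discussed in comments 4 and 5 (use the target's owner document), for the two situations the description lists: chrome script on the stack, and no script on the stack at all, where the fallback is the safe context. All names (Principal, Element, ContextStack, pushForTarget, runContentHandler) are this model's own; the choice to refuse to run a handler when the owner document is gone (the case raised in comment 5) is an assumption for illustration, not what the attached patch does.

```cpp
// Added model of the nsCxPusher issue in bug 383424; not Gecko code.
#include <iostream>
#include <vector>

enum class Principal { None, System, SafeContext, Content };

struct Document { Principal principal; };

struct Element {
    const Document* ownerDoc;   // GetOwnerDoc(): document that created it; null if it is gone
    bool inDocument;            // true only while the element is in a document's tree
    bool hasContentHandler;     // content script registered an event listener on it
};

struct ContextStack {
    std::vector<Principal> contexts;
    // What a security check sees as the subject principal. With nothing pushed,
    // the description says the fallback is the safe context (hidden window).
    Principal subject() const {
        return contexts.empty() ? Principal::SafeContext : contexts.back();
    }
};

enum class Pusher { BeforeFix, AfterFix };

// Model of the pusher; returns true if a context was pushed for the target.
bool pushForTarget(ContextStack& cs, const Element& target, Pusher version) {
    const Document* doc = nullptr;
    if (version == Pusher::BeforeFix) {
        // Pre-fix: a document is only found for an element that is in one,
        // so a detached element pushes nothing.
        if (target.inDocument) doc = target.ownerDoc;
    } else {
        // Post-fix: use the owner document whether or not the element is attached.
        doc = target.ownerDoc;
    }
    if (doc == nullptr) return false;
    cs.contexts.push_back(doc->principal);
    return true;
}

// Dispatch to target and report the principal its content handler ran with.
// Principal::None means the handler did not run.
Principal runContentHandler(ContextStack& cs, const Element& target, Pusher version) {
    if (!target.hasContentHandler) return Principal::None;
    const bool pushed = pushForTarget(cs, target, version);
    if (!pushed && version == Pusher::AfterFix) {
        // Comment 5's caveat: the owner document can be null if the element
        // outlived it. Modelling assumption: refuse to run rather than inherit
        // whatever the caller left on the stack.
        return Principal::None;
    }
    const Principal ran = cs.subject();
    if (pushed) cs.contexts.pop_back();
    return ran;
}

// Scenario 1 from the description: chrome (system principal) modifies a content
// element that is not in any document, and that fires content's handler.
Principal chromeTouchesDetachedElement(Pusher version) {
    Document contentDoc{Principal::Content};
    Element detached{&contentDoc, /*inDocument=*/false, /*hasContentHandler=*/true};
    ContextStack cs;
    cs.contexts.push_back(Principal::System);   // chrome JS is on the stack
    return runContentHandler(cs, detached, version);
}

// Scenario 2: no JS caller at all, so an unpushed handler sees the safe context.
Principal noCallerTouchesDetachedElement(Pusher version) {
    Document contentDoc{Principal::Content};
    Element detached{&contentDoc, false, true};
    ContextStack cs;                              // empty stack
    return runContentHandler(cs, detached, version);
}

// Control: an element that is in its document was handled correctly before the fix.
Principal chromeTouchesAttachedElement(Pusher version) {
    Document contentDoc{Principal::Content};
    Element attached{&contentDoc, true, true};
    ContextStack cs;
    cs.contexts.push_back(Principal::System);
    return runContentHandler(cs, attached, version);
}

// Edge case from comment 5: the element's owner document is gone.
Principal orphanedElementAfterFix() {
    Element orphan{nullptr, false, true};
    ContextStack cs;
    cs.contexts.push_back(Principal::System);
    return runContentHandler(cs, orphan, Pusher::AfterFix);
}

static const char* name(Principal p) {
    switch (p) {
        case Principal::System:      return "system";
        case Principal::SafeContext: return "safe context (hidden window)";
        case Principal::Content:     return "content";
        default:                     return "handler not run";
    }
}

int main() {
    std::cout << "detached, chrome caller, before fix: " << name(chromeTouchesDetachedElement(Pusher::BeforeFix)) << "\n";
    std::cout << "detached, chrome caller, after fix:  " << name(chromeTouchesDetachedElement(Pusher::AfterFix)) << "\n";
    std::cout << "detached, no caller, before fix:     " << name(noCallerTouchesDetachedElement(Pusher::BeforeFix)) << "\n";
    std::cout << "orphaned element, after fix:         " << name(orphanedElementAfterFix()) << "\n";
    return 0;
}
```

The point the model makes is the one in comment 5: as long as privilege is looked up from a context stack, anything that fails to push for the target inherits whatever the caller happened to leave there, so the safe rule is to derive the pushed context from the target's origin (its owner document) rather than from its current attachment state.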
Comment 1 moz_bug_r_a4 2007-06-05 22:50:46 PDT
Created attachment 267384
testcase 1 - autoscroll

This works on trunk, fx2.0.0.x and fx1.5.0.x.
Comment 2 moz_bug_r_a4 2007-06-05 22:52:04 PDT
Created attachment 267385
testcase 2 - textZoom

This works on fx2.0.0.x, fx1.5.0.x, sm1.1.x and sm1.0.x.
Comment 4 Johnny Stenback (:jst, jst@mozilla.com) 2007-06-08 00:15:04 PDT
Created attachment 267685
Possible fix.

This is tested and fixes the problem, but it's a two minute fix that didn't get much thought as to what side effects this might have. I'll want to think about this some more, but it seems like the right thing to do. Thoughts?
Comment 5 Boris Zbarsky [:bz] (still a bit busy) 2007-06-08 08:21:43 PDT
Comment on attachment 267685
Possible fix.

This is the right thing to do in general, I think, but we still have the problem that an element can outlive its owner document, in which case GetOwnerDoc() will return null.... I guess that can't happen if the element is being referenced from JS, though.

I really wish we had a principal stack, not a JSContext stack.  :(
Comment 6 Johnny Stenback (:jst, jst@mozilla.com) 2007-06-12 14:17:18 PDT
Fix checked in on the trunk.
Comment 7 Daniel Veditz [:dveditz] 2007-06-15 11:06:21 PDT
Comment on attachment 267685
Possible fix.

approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Comment 8 juan becerra [:juanb] 2007-08-20 17:31:36 PDT
Verified on Thunderbird version 1.5.0.13 (20070809) using testcases in comments 1, 2, 3

Also verified fixed on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/2007071317 Firefox/2.0.0.5

Tbird 15012 and Fx2004 showed problem (dialogs came up), but Tbird 15013 and Fx2005 worked fine (no dialogs).
