Closed Bug 384870 Opened 12 years ago Closed 12 years ago

Raw nsIContent* used in nsXBLAttributeEntry

Categories

(Core :: XBL, defect)

x86
All
defect
Not set

Tracking

()

RESOLVED INVALID

People

(Reporter: smaug, Assigned: sicking)

Details

(Whiteboard: [sg:investigate] no known vuln but asking for trouble)

nsXBLAttributeEntry has a raw pointer to nsIContent. That might cause
crashes if nsIContent gets deleted.
I don't have a testcase yet.
Assignee: nobody → jonas
Whiteboard: [sg:investigate] no known vuln but asking for trouble
Martijn made some testcases to try to crash and because there weren't any 
crashes, I looked at the code and realized that nsXBLAttributeEntry has pointers
only to the xbl document's nsIContent objects, and that document is loaded
as data and not accessible from the main (bound element's ownerDoc) document, so 
scripts can't modify it. (This applies also to inline xbl.) So as far as I see, this bug is invalid.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Or wontfix. whatever :)
Group: security
You need to log in before you can comment on or make changes to this bug.