user assisted js execution in editor

RESOLVED INCOMPLETE

Status

Product: Thunderbird
Component: General
Opened: 11 years ago
Updated: 3 years ago

People

(Reporter: georgi - hopefully not receiving bugspam, Unassigned)

Tracking

Keywords: qawanted, sec-low
Hardware: x86
OS: Linux

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: 1.8 branch [sg:low?])

Attachments

(1 attachment)

Created attachment 270001
local folder 'jsuserhelp' - instructions inside

If a user double-clicks on an image with a JS URI in the editor, JS is executed:

Error: uncaught exception: Permission denied to get property UnnamedClass.classes
Source File: chrome://editor/content/EdImageOverlay.js
Line: 381

JavaScript is executed in the sandbox.

Trunk doesn't execute JS and gives the error "can't find principal".

Updated

10 years ago
Whiteboard: 1.8 branch
Trunk seems safe; JS is executed in 2.0.
Probably [sg:low?]
Whiteboard: 1.8 branch → 1.8 branch [sg:low?]
Ludovic: I can't reproduce this in 11.0b4. Can you try it on 2.0, 3.1.x and something recent and see if you can confirm as well?
Keywords: qawanted
Attachment #270001 - Attachment mime type: application/octet-stream → message/rfc822
I've just tried 2.0.0.24 and couldn't even click on the test case.
Keywords: sec-low
Resolving as incomplete, as we never found the reproduction point for this, and from comment 1, it looks like it may have only ever affected the 2.0 branch anyway.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → INCOMPLETE
Group: core-security