Bug 390983 (CVE-2007-5335)

addMicrosummaryGenerator sidebar method can install from file URIs in content



12 years ago
3 years ago


(Reporter: rflint, Assigned: rflint)



Bug Flags:
wanted1.8.1.x +

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [sg:low], [need testcase], )


(1 attachment, 1 obsolete attachment)

Posted patch 1.8 patch (obsolete) — Splinter Review
From what I can tell, this only opens up another way to get at bug 267645 (making the XHR throw an OOM from loading large files), which can be done through easier paths than this. Filing in sg just because it's late and I may have missed something other than that - if not we should at least close this up to maintain consistency with content policies/other sidebar methods.

I'll fix this on trunk as part of bug 370242.
Attachment #275304 - Flags: review?(myk)
Comment on attachment 275304 [details] [diff] [review]
1.8 patch

>+    if (!/^https?:\/\//i.test(generatorURL))
>+      return;

Good catch!  The only issue here is that addPanel and addSearchEngine both allow FTP and don't check for the double slash after the colon, i.e.:

    if (!/^(https?:|ftp:)/i.test(url)) {

Seems like we should do the same here.
Attachment #275304 - Flags: review?(myk) → review-
Comment on attachment 275304 [details] [diff] [review]
1.8 patch

Hrm, ryan points out that the microsummary service doesn't support FTP yet, so this is actually good as is. r=myk
Attachment #275304 - Flags: review- → review+
Posted patch 1.8 patch v2Splinter Review
Pulls out the double slash to match up with the majority of similar checks in the file.
Attachment #275304 - Attachment is obsolete: true
Attachment #275715 - Flags: approval1.8.1.7?
Comment on attachment 275715 [details] [diff] [review]
1.8 patch v2

Looks good, r=myk
Attachment #275715 - Flags: review+
Severity: trivial → minor
Flags: wanted1.8.1.x+
Whiteboard: [sg:low]
Comment on attachment 275715 [details] [diff] [review]
1.8 patch v2

approved for, a=dveditz for release-drivers
Attachment #275715 - Flags: approval1.8.1.7? → approval1.8.1.7+
Last Resolved: 12 years ago
Keywords: fixed1.8.1.7
Resolution: --- → FIXED
Ryan, can you help us verify this fix in FF 2008rc2? 
Whiteboard: [sg:low] → [sg:low], [need testcase]
(In reply to comment #7)
> Ryan, can you help us verify this fix in FF 2008rc2? 

Testcase is in the URL field - builds < on windows should open up a dialog to add a microsummary generator and builds should do nothing. I can verify that that is indeed the case in the latest nightly.


12 years ago
Alias: CVE-2007-5335
verified in

Group: security
Product: Firefox → Firefox Graveyard
You need to log in before you can comment on or make changes to this bug.