Bug 390983 (CVE-2007-5335)

addMicrosummaryGenerator sidebar method can install from file URIs in content

RESOLVED FIXED

Status

Firefox Graveyard
Microsummaries
--
minor
RESOLVED FIXED
11 years ago
2 years ago

People

(Reporter: rflint, Assigned: rflint)

Tracking

({verified1.8.1.8})

2.0 Branch
verified1.8.1.8
Bug Flags:
wanted1.8.1.x +

Details

(Whiteboard: [sg:low], [need testcase], URL)

Attachments

(1 attachment, 1 obsolete attachment)

Created attachment 275304
1.8 patch

From what I can tell, this only opens up another way to get at bug 267645 (making the XHR throw an OOM from loading large files), which can be done through easier paths than this. Filing in sg just because it's late and I may have missed something other than that - if not we should at least close this up to maintain consistency with content policies/other sidebar methods.

I'll fix this on trunk as part of bug 370242.
Attachment #275304 - Flags: review?(myk)
Comment on attachment 275304
1.8 patch

>+    if (!/^https?:\/\//i.test(generatorURL))
>+      return;
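
Review bot: the bare "return;" after the new scheme test drops a rejected generatorURL silently, so a caller that passes anything other than http:// or https:// gets no indication why nothing was installed. Consider reporting the rejection (for example to the error console) before returning, and add a one-line comment above the test stating which schemes are allowed and why.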

Good catch!  The only issue here is that addPanel and addSearchEngine both allow FTP and don't check for the double slash after the colon, i.e.:

    if (!/^(https?:|ftp:)/i.test(url)) {

Seems like we should do the same here.
Attachment #275304 - Flags: review?(myk) → review-
Comment on attachment 275304
1.8 patch

Hrm, ryan points out that the microsummary service doesn't support FTP yet, so this is actually good as is. r=myk
Attachment #275304 - Flags: review- → review+
Created attachment 275715
1.8 patch v2

Pulls out the double slash to match up with the majority of similar checks in the file.
Attachment #275304 - Attachment is obsolete: true
Attachment #275715 - Flags: approval1.8.1.7?
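
The scheme checks discussed in the review comments above, compared side by side on constructed URLs. This is an added example, not code from the bug or from nsSidebar.js; the v2 regex is an assumption (that attachment's contents are not shown here), and the names CHECKS, SAMPLES, accepted, disagreements and rejectedByAll are hypothetical.

```javascript
// Added example: compares the scheme checks discussed in this bug.
const CHECKS = {
  // First "1.8 patch", as quoted in the review comment.
  patchV1: (url) => /^https?:\/\//i.test(url),
  // Check the reviewer quotes from addPanel / addSearchEngine.
  sidebarStyle: (url) => /^(https?:|ftp:)/i.test(url),
  // ASSUMPTION: v2's regex is not shown on the page; this is v1 with the
  // double slash removed, per the attachment description.
  patchV2Assumed: (url) => /^https?:/i.test(url),
};

// Constructed sample inputs (not taken from the bug's testcase).
const SAMPLES = [
  "http://example.com/gen.xml",
  "HTTPS://example.com/gen.xml",   // scheme match is case-insensitive
  "ftp://example.com/gen.xml",
  "file:///C:/gen.xml",            // the class of URI this bug closes off
  "http:example.com/gen.xml",      // no double slash after the colon
  "data:text/xml,%3Cx/%3E",
  " http://example.com/gen.xml",   // leading space defeats the ^ anchor
  "httpx://example.com/gen.xml",   // must not match as a prefix of "http"
];

// URLs from SAMPLES that a named check lets through.
function accepted(name) {
  return SAMPLES.filter((url) => CHECKS[name](url));
}

// URLs on which two named checks disagree.
function disagreements(a, b) {
  return SAMPLES.filter((url) => CHECKS[a](url) !== CHECKS[b](url));
}

// True only if no check in CHECKS accepts the URL.
function rejectedByAll(url) {
  return Object.values(CHECKS).every((check) => !check(url));
}

for (const name of Object.keys(CHECKS)) {
  console.log(name, "accepts", accepted(name));
}
console.log("v1 vs sidebar:", disagreements("patchV1", "sidebarStyle"));
console.log("v1 vs v2 (assumed):", disagreements("patchV1", "patchV2Assumed"));
console.log("file: rejected by all:", rejectedByAll("file:///C:/gen.xml"));
```

All three variants are allowlists, so the file: URI is rejected by each; they differ only on FTP and on URLs without the double slash.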
Comment on attachment 275715
1.8 patch v2

Looks good, r=myk
Attachment #275715 - Flags: review+
Severity: trivial → minor
Flags: wanted1.8.1.x+
Whiteboard: [sg:low]
Comment on attachment 275715
1.8 patch v2

approved for 1.8.1.7, a=dveditz for release-drivers
Attachment #275715 - Flags: approval1.8.1.7? → approval1.8.1.7+
mozilla/browser/components/sidebar/src/nsSidebar.js 1.10.8.13
Status: ASSIGNED → RESOLVED
Last Resolved: 11 years ago
Keywords: fixed1.8.1.7
Resolution: --- → FIXED

Comment 7

11 years ago
Ryan, can you help us verify this fix in FF 2008rc2? 
Whiteboard: [sg:low] → [sg:low], [need testcase]
(In reply to comment #7)
> Ryan, can you help us verify this fix in FF 2008rc2? 
> 

Testcase is in the URL field - builds < 2.0.0.8 on windows should open up a dialog to add a microsummary generator and 2.0.0.8 builds should do nothing. I can verify that that is indeed the case in the latest 2.0.0.8 nightly.

Updated

11 years ago
Alias: CVE-2007-5335
verified in 2.0.0.8rc2

Group: security
Keywords: fixed1.8.1.8 → verified1.8.1.8
Product: Firefox → Firefox Graveyard