XSS: XOW function wrappers can be created with wrong parent

Status: RESOLVED FIXED
Product: Core
Component: Security
Reported: 10 years ago
Modified: 2 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Tracking

Version: Trunk
Platform: x86 Windows XP
Points:
---
Bug Flags:
wanted1.8.1.x +
blocking1.8.0.14 -
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:high] requires XOW on 1.8 branch)

Attachments

(3 attachments)

Description (Reporter, 10 years ago)
<iframe src="target site"/>
w = frames[0];

The proto of w.focus comes from the caller's global object. But the proto of
w.window.focus, w.document.open and w.location.replace comes from the target
site's global object. Thus, bug 369334 is still available.
Comment 1 (Reporter, 10 years ago)
Created attachment 275942 [details]
testcase 1 - window.focus and eval

This tries to get cookies for www.apple.com.
Comment 2 (Reporter, 10 years ago)
Created attachment 275943 [details]
testcase 2 - document.open and location setter

This tries to get cookies for www.apple.com.
Comment 3 (Reporter, 10 years ago)
Since bug 369334 is fixed only on trunk by XOW, the testcases work on 1.8/1.8.0
branches as well.
Flags: blocking1.9?
Flags: blocking1.8.1.7?
Flags: blocking1.8.0.14?
Whiteboard: [sg:high]
Assignee: dveditz → mrbkap
Comment 4 (Assignee, 10 years ago)
Created attachment 276172 [details] [diff] [review]
Proposed fix

The problem here is the early binding of 'window' that we do: in particular, looking up window on another origin's window (or frame element) will return an XOW. But the XOW is from the wrong scope, leading to this bug. This patch makes us check that the parent of any XOW that's being returned is the right parent.
Attachment #276172 - Flags: superreview?(jst)
Attachment #276172 - Flags: review?(jst)
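An added illustration, not Mozilla's code and not the patch in attachment 276172: a toy JavaScript model of the parent check that comment 4 describes. The globals, the wrapper objects and the `lookupWindow` function are all constructed here; real XOWs are engine-level objects. The model keeps only the property that matters for this bug: a wrapper handed to a caller must have the caller's global as its parent, so that its prototype chain (and therefore anything reached through it) belongs to the caller's origin rather than to the target's. `checkParent = false` models the pre-fix behaviour, where the early-bound wrapper is returned as-is; `checkParent = true` models the fix, where a wrapper with the wrong parent is rebuilt in the caller's scope.

```javascript
// Toy model (constructed for illustration, not Mozilla code) of the
// "wrapper created with wrong parent" defect and its fix.

// One global per origin. Each global owns its own Function.prototype,
// as real script engines do; a function's proto identifies which
// global it was created in.
function makeGlobal(origin) {
  return { origin, functionProto: Object.create(null), windowWrapper: null };
}

// Create a cross-origin wrapper for `target` whose parent is `scope`:
// its [[Prototype]] is taken from the scope's Function.prototype.
function createWrapper(target, scope) {
  const w = Object.create(scope.functionProto);
  w.target = target;
  w.scope = scope;
  return w;
}

// "Early binding" of 'window': the target global builds a wrapper for its
// own window object up front, with itself as the parent scope.
function earlyBindWindow(targetGlobal) {
  targetGlobal.windowWrapper = createWrapper(targetGlobal, targetGlobal);
  return targetGlobal;
}

// A caller in `callerScope` looks up `window` on a cross-origin frame.
// Pre-fix (checkParent = false): the early-bound wrapper is returned even
// though its parent is the target's global.
// Fixed (checkParent = true): a wrapper whose parent is not the caller's
// scope is not reused; a fresh one is created in the caller's scope.
function lookupWindow(targetGlobal, callerScope, checkParent) {
  let w = targetGlobal.windowWrapper;
  if (checkParent && w.scope !== callerScope) {
    w = createWrapper(targetGlobal, callerScope); // rebuild with the right parent
  }
  return w;
}

// Report which global's Function.prototype the returned wrapper inherits from.
function protoOwner(wrapper, globals) {
  const proto = Object.getPrototypeOf(wrapper);
  const owner = globals.find(g => g.functionProto === proto);
  return owner ? owner.origin : null;
}

// Scenario from the report: a frame of another origin has early-bound its
// window; a script in the caller's origin then reads frames[0].window.
function crossOriginLookupOwner(checkParent) {
  const target = earlyBindWindow(makeGlobal("target"));
  const caller = makeGlobal("caller");
  const w = lookupWindow(target, caller, checkParent);
  return protoOwner(w, [target, caller]);
}

// Same-origin lookups should keep reusing the early-bound wrapper under the fix.
function sameOriginReusesWrapper() {
  const target = earlyBindWindow(makeGlobal("target"));
  return lookupWindow(target, target, true) === target.windowWrapper;
}

console.log("pre-fix, cross-origin proto owner:", crossOriginLookupOwner(false));
console.log("fixed,   cross-origin proto owner:", crossOriginLookupOwner(true));
```

The check is deliberately on the wrapper's parent rather than on the wrapped object: the wrapped window is the same in both cases, and the defect is only visible by asking which global the wrapper itself belongs to.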

Updated (10 years ago)
Attachment #276172 - Flags: superreview?(jst)
Attachment #276172 - Flags: superreview+
Attachment #276172 - Flags: review?(jst)
Attachment #276172 - Flags: review+

Updated (10 years ago)
Attachment #276172 - Flags: approval1.9+
Comment 5 (Assignee, 10 years ago)
Fix checked into trunk.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Depends on: 367911
Whiteboard: [sg:high] → [sg:high] requires XOW on 1.8 branch
No longer depends on: 367911
Depends on: 367911
Flags: blocking1.8.1.7? → blocking1.8.1.7+
Flags: blocking1.8.1.8+ → blocking1.8.1.9?
Flags: blocking1.8.0.14? → blocking1.8.0.14-
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.13?
Flags: blocking1.8.1.12?
Flags: blocking1.8.1.13?
Flags: in-testsuite?
Flags: blocking1.9?

Updated (2 years ago)
Group: core-security → core-security-release
Group: core-security-release