Closed
Bug 408639
Opened 17 years ago
Closed 17 years ago
XPCCrossOriginWrapper calls untrusted functions during construction
Categories
(Core :: XPConnect, defect, P2)
Tracking
RESOLVED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
Details
(Whiteboard: [patch])
Attachments
(1 file, 1 obsolete file)
1.04 KB, patch
XPCCrossOriginWrapper has the same problem as XPCNativeWrapper (bug 407289).
An attacker can perform an XSS attack against a web page that accesses
top.location, etc.
Also, an attacker can run arbitrary code with chrome privileges, since even
when chrome accesses content via XPCNativeWrapper, XPCCrossOriginWrapper can be
created internally.
Reporter
Comment 1•17 years ago
This tries to get cookies for www.google.com.
This uses bug 344495's trick.
This works on trunk.
Reporter
Comment 2•17 years ago
This uses bug 344495's trick.
This works on trunk.
Updated•17 years ago
Flags: blocking1.9?
Updated•17 years ago
Assignee: nobody → mrbkap
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Assignee
Comment 3•17 years ago
This is the easiest way to fix the bug: always just use the currently running script as a scope to figure out what prototype to use (note: it doesn't matter, we null out the prototype later anyway). The actual problem is that we are trying to stash the document's wrapper on the window at an inopportune time. Fixing that is "hard," however, so I went with this.
Attachment #294515 - Flags: superreview?(brendan)
Attachment #294515 - Flags: review?(jst)
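The hazard named in the bug title and the shape of the fix in comment 3 can be modelled in plain JavaScript. This is an added illustration, not XPConnect code: a toy wrapper is built once by resolving its prototype through the wrapped object's own (content-controlled) scope, which lets content code run while the wrapper is still half-built, and once by resolving it through the caller's scope and then severing the prototype link, as the checked-in patch does. The scope objects, the `Object` getter and the `leak` method are constructed for the example.

```javascript
// Added illustration (not Mozilla's code): a toy security wrapper built two
// ways. The hazard modelled is the one the bug describes: while the wrapper
// is still being constructed, the code that resolves its prototype runs in
// the scope of the untrusted object, so content-defined code (here, a
// getter) executes before the wrapper is safe to use.

// Constructed sample: an untrusted, content-controlled scope. The getter on
// `Object` stands in for any content code that runs when wrapper machinery
// resolves a prototype through the wrong scope.
function makeUntrustedScope(log) {
  const scope = {};
  Object.defineProperty(scope, "Object", {
    get() {
      log.push("untrusted code ran during wrapper construction");
      return { prototype: { leak: () => "content-controlled prototype" } };
    },
  });
  return scope;
}

// Constructed sample: the trusted scope of the currently running script.
function makeTrustedScope() {
  return { Object: { prototype: Object.prototype } };
}

// Vulnerable construction: resolve the nominal prototype through the
// target's own scope while the wrapper is half-built.
function wrapVulnerable(target, targetScope) {
  const proto = targetScope.Object.prototype; // triggers the untrusted getter
  const wrapper = Object.create(proto);
  wrapper.target = target;
  return wrapper;
}

// Fixed construction, modelled on comment 3: take the nominal prototype from
// the caller's scope (never touching the target's scope), then sever the
// prototype link so the choice of prototype no longer matters.
function wrapFixed(target, callerScope) {
  const proto = callerScope.Object.prototype;
  const wrapper = Object.create(proto);
  wrapper.target = target;
  Object.setPrototypeOf(wrapper, null);
  return wrapper;
}

// Build both wrappers and report what untrusted code was able to observe.
function demo() {
  const log = [];
  const untrusted = makeUntrustedScope(log);
  const trusted = makeTrustedScope();
  const target = { secret: "constructed sample value" };

  const bad = wrapVulnerable(target, untrusted);
  const untrustedCallsDuringVulnerable = log.length;
  const badHasContentProto = typeof bad.leak === "function";

  log.length = 0;
  const good = wrapFixed(target, trusted);
  return {
    untrustedCallsDuringVulnerable,                        // 1
    badHasContentProto,                                    // true
    untrustedCallsDuringFixed: log.length,                 // 0
    goodProtoSevered: Object.getPrototypeOf(good) === null // true
  };
}

console.log(demo());
```

The detection signal a reviewer looks for in this class of bug is the first counter: any non-zero number of content-controlled calls made before the wrapper is fully initialised. Severing the prototype afterwards is what makes the prototype choice irrelevant, which is why comment 3 notes that it "doesn't matter" which scope supplies it.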
Comment 4•17 years ago
Comment on attachment 294515 [details] [diff] [review]
Simple fix
A note in a comment here would be good (i.e. update the comment talking about severing the prototype link etc). r=jst
Attachment #294515 - Flags: review?(jst) → review+
Assignee
Comment 5•17 years ago
I added a comment above the JS_NewObject call that says:
// Note that we create outerObj with a null parent here. We set it
// later so that we find our nominal prototype in the same scope as
// the one that is calling us.
Assignee
Updated•17 years ago
Whiteboard: [patch]
Comment 6•17 years ago
Comment on attachment 294515 [details] [diff] [review]
Simple fix
How about adding a "FIXME: bug 408871" comment and sr=me?
/be
Attachment #294515 - Flags: superreview?(brendan) → superreview+
Assignee
Comment 7•17 years ago
Attachment #294515 - Attachment is obsolete: true
Assignee
Comment 8•17 years ago
Fix checked in.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
Flags: in-testsuite?
Updated•12 years ago
Group: core-security