People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
Tracking
({testcase, verified1.8.1.13})
Firefox Tracking Flags
(Not tracked)
Details
(Whiteboard: [sg:critical] fixes 414749 also)
Attachments
(3 attachments, 1 obsolete attachment)
5.71 KB, patch (jst: review+; jst: superreview+)
5.92 KB, patch (jst: review+; jst: superreview+; dveditz: approval1.8.1.13+; Alexander Sack: approval1.8.0.next?)
5.73 KB, patch
A script that setTimeout(code) creates inherits its scripted caller's script filename. Thus, it's possible to use setTimeout() in the same way as bug 369211 and bug 387881 to modify XPCNativeWrappers.
(Reporter)
Comment 1•10 years ago
Created attachment 295738
testcase - Arbitrary code execution
Updated•10 years ago
Assignee: dveditz → nobody
Component: Security → XPConnect
Flags: blocking1.9?
Flags: blocking1.8.1.12?
QA Contact: toolkit → xpconnect
Whiteboard: [sg:critical]
Updated•10 years ago
Keywords: testcase
OS: Windows XP → All
Hardware: PC → All
Comment 2•10 years ago
Blake, any hope to get a fix for this one similar to the other wrapper pollution ones you're fixing?
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.12?
Flags: blocking1.8.1.12+
Updated•10 years ago
Assignee: nobody → mrbkap
Priority: -- → P1
Updated•10 years ago
Flags: blocking1.9? → blocking1.9+
Comment 3•10 years ago
No tested trunk fix, not going to make 1.8.1.12 either
Flags: blocking1.8.1.12+ → blocking1.8.1.13+
(Assignee)
Comment 4•10 years ago
Created attachment 299453
patch v1
This patch feels a little fragile to me, but it works.
Attachment #299453 -
Flags: superreview?(jst)
Attachment #299453 -
Flags: review?(jst)
Comment 5•10 years ago
Comment on attachment 299453
patch v1
Looks right to me. r+sr=jst
Attachment #299453 -
Flags: superreview?(jst)
Attachment #299453 -
Flags: superreview+
Attachment #299453 -
Flags: review?(jst)
Attachment #299453 -
Flags: review+
(Reporter)
Comment 6•10 years ago
Created attachment 299940
testcase 2 - Arbitrary code execution
This works on current trunk. (testcase 1 no longer works on trunk due to the fix for bug 397791.)
(Assignee)
Comment 7•10 years ago
Created attachment 300182
patch v2
After some thought, I realized what was bugging me was a missing 'subsumes' check. Now this code works both ways.
Attachment #299453 -
Attachment is obsolete: true
Attachment #300182 -
Flags: superreview?(jst)
Attachment #300182 -
Flags: review?(jst)
(Assignee)
Updated•10 years ago
Attachment #299453 -
Flags: superreview+
Attachment #299453 -
Flags: review+
Updated•10 years ago
Attachment #300182 -
Flags: superreview?(jst)
Attachment #300182 -
Flags: superreview+
Attachment #300182 -
Flags: review?(jst)
Attachment #300182 -
Flags: review+
(Assignee)
Comment 8•10 years ago
Fix checked into trunk.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Updated•10 years ago
Flags: in-testsuite?
(Assignee)
Comment 9•10 years ago
Note bug 414749 as a followup.
(Assignee)
Comment 10•10 years ago
Created attachment 307125
Branch patch
This rolls in the patch for bug 414749 as well. It's so much easier without the DOM agnostic stuff!
Attachment #307125 -
Flags: superreview?(jst)
Attachment #307125 -
Flags: review?(jst)
Attachment #307125 -
Flags: approval1.8.1.13?
Updated•10 years ago
Attachment #307125 -
Flags: superreview?(jst)
Attachment #307125 -
Flags: superreview+
Attachment #307125 -
Flags: review?(jst)
Attachment #307125 -
Flags: review+
Comment 11•10 years ago
Comment on attachment 307125
Branch patch
approved for 1.8.1.13, a=dveditz for release-drivers
Attachment #307125 -
Flags: approval1.8.1.13? → approval1.8.1.13+
Comment 12•10 years ago
When this is checked into the branch please mark bug 414749 with "fixed1.8.1.13" as well
Whiteboard: [sg:critical] → [sg:critical] fixes 414749 also
Comment 14•10 years ago
Verified in 1.8 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/2008031114 Firefox/2.0.0.13 and bug verified with 2.0.0.12.
Keywords: fixed1.8.1.13 → verified1.8.1.13
Comment 15•10 years ago
Comment on attachment 307125
Branch patch
applies to 1.8.0 with slight adjustments (will attach a helper attachment with the distro patch). caillon, please sign off
Attachment #307125 -
Flags: approval1.8.0.15?
Comment 16•10 years ago
Created attachment 311594
1.8.0 clean
Updated•10 years ago
Flags: blocking1.8.0.15+
Updated•10 years ago
Group: security