Bug 411092 - XPCNativeWrapper pollution using setTimeout()
[sg:critical] fixes 414749 also
Keywords: testcase, verified1.8.1.13
Product: Core
Classification: Components
Component: XPConnect
Version: unspecified
Platform: All All
Priority/Severity: P1 normal
Target Milestone: ---
Assigned To: Blake Kaplan (:mrbkap)
QA Contact: Andrew Overholt [:overholt]
Depends on:
Reported: 2008-01-06 23:51 PST by moz_bug_r_a4
Modified: 2008-03-25 23:54 PDT
Flags:
mtschrep: blocking1.9+
dveditz: blocking1.8.1.13+
dveditz: wanted1.8.1.x+
jwalden+bmo: in-testsuite?

Attachments:
patch v1 (5.70 KB, patch) - 2008-01-26 12:55 PST, Blake Kaplan (:mrbkap) - no flags
patch v2 (5.71 KB, patch) - 2008-01-29 16:35 PST, Blake Kaplan (:mrbkap) - jst: review+, jst: superreview+
Branch patch (5.92 KB, patch) - 2008-03-03 16:00 PST, Blake Kaplan (:mrbkap) - jst: review+, jst: superreview+, dveditz: approval1.8.1.13+
1.8.0 clean (5.73 KB, patch) - 2008-03-25 09:26 PDT, Alexander Sack - no flags

Description - moz_bug_r_a4 2008-01-06 23:51:02 PST
A script that setTimeout(code) creates inherits its scripted caller's script
filename.  Thus, it's possible to use setTimeout() in the same way as bug
369211 and bug 387881 to modify XPCNativeWrappers.
Comment 1 - moz_bug_r_a4 2008-01-06 23:52:26 PST
Created attachment 295738 [details]
testcase - Arbitrary code execution
Comment 2 - Daniel Veditz [:dveditz] 2008-01-09 11:15:38 PST
Blake, any hope to get a fix for this one similar to the other wrapper pollution ones you're fixing?
Comment 3 - Daniel Veditz [:dveditz] 2008-01-24 13:56:36 PST
No tested trunk fix, not going to make either
Comment 4 - Blake Kaplan (:mrbkap) 2008-01-26 12:55:52 PST
Created attachment 299453 [details] [diff] [review]
patch v1

This patch feels a little fragile to me, but it works.
Comment 5 - Johnny Stenback (:jst) 2008-01-27 19:15:53 PST
Comment on attachment 299453 [details] [diff] [review]
patch v1

Looks right to me. r+sr=jst
Comment 6 - moz_bug_r_a4 2008-01-28 21:52:21 PST
Created attachment 299940 [details]
testcase 2 - Arbitrary code execution

This works on current trunk.  (testcase 1 no longer works on trunk due to the
fix for bug 397791.)
Comment 7 - Blake Kaplan (:mrbkap) 2008-01-29 16:35:19 PST
Created attachment 300182 [details] [diff] [review]
patch v2

After some thought, I realized what was bugging me was a missing 'subsumes' check. Now this code works both ways.
Comment 8 - Blake Kaplan (:mrbkap) 2008-01-29 18:12:00 PST
Fix checked into trunk.
Comment 9 - Blake Kaplan (:mrbkap) 2008-01-29 21:50:20 PST
Note bug 414749 as a followup.
Comment 10 - Blake Kaplan (:mrbkap) 2008-03-03 16:00:10 PST
Created attachment 307125 [details] [diff] [review]
Branch patch

This rolls in the patch for bug 414749 as well. It's so much easier without the DOM agnostic stuff!
Comment 11 - Daniel Veditz [:dveditz] 2008-03-04 10:27:57 PST
Comment on attachment 307125 [details] [diff] [review]
Branch patch

approved for, a=dveditz for release-drivers
Comment 12 - Daniel Veditz [:dveditz] 2008-03-04 10:29:07 PST
When this is checked into the branch please mark bug 414749 with "fixed1.8.1.13" as well
Comment 13 - Blake Kaplan (:mrbkap) 2008-03-06 18:01:23 PST
Fixed on the 1.8 branch.
Comment 14 - Al Billings [:abillings] 2008-03-14 15:51:42 PDT
Verified in 1.8 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2008031114 Firefox/ and bug verified with
Comment 15 - Alexander Sack 2008-03-25 09:25:32 PDT
Comment on attachment 307125 [details] [diff] [review]
Branch patch

applies to 1.8.0 with slight adjustments (will attach a helper attachment with the distro patch). caillon, please sign off
Comment 16 - Alexander Sack 2008-03-25 09:26:01 PDT
Created attachment 311594 [details] [diff] [review]
1.8.0 clean