
XPCNativeWrapper pollution using setTimeout()

RESOLVED FIXED

Status

Product: Core
Component: XPConnect
Priority: P1
Severity: normal
Status: RESOLVED FIXED
Reported: 9 years ago
Modified: 9 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Tracking

Version: unspecified
Keywords: testcase, verified1.8.1.13
Points:
---
Bug Flags:
blocking1.9 +
blocking1.8.1.13 +
wanted1.8.1.x +
blocking1.8.0.next +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] fixes 414749 also)

Attachments

(3 attachments, 1 obsolete attachment)

(Reporter)

Description

9 years ago
A script that setTimeout(code) creates inherits its scripted caller's script
filename.  Thus, it's possible to use setTimeout() in the same way as bug
369211 and bug 387881 to modify XPCNativeWrappers.
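The description above says the script compiled from the string passed to setTimeout(code) inherits its scripted caller's script filename, and the fix (comment 7) adds a missing 'subsumes' check. The following is an added illustration of that principle, not Gecko code and not the attached testcase: a toy model in which principals are looked up by script filename, a flawed attribution rule inherits the innermost caller's filename, and a corrected rule only inherits it when the principal that owns the string subsumes the caller. All names (Principal, Frame, attributeByCallerFilename, attributeWithSubsumesCheck, canModifyXPCNativeWrapper, runScenario) and the stack in runScenario() are invented for the example; the attack shape (a privileged helper frame being the innermost caller when content-supplied code is compiled) is an assumption about how such pollution bugs look, not a claim about this bug's testcase.

```javascript
// Added illustration, not Gecko code: a toy model of how a script compiled from
// the string passed to setTimeout(code) gets its principal. The class and
// function names (Principal, Frame, attributeByCallerFilename,
// attributeWithSubsumesCheck, canModifyXPCNativeWrapper, runScenario) are
// invented for this example, as is the call stack built in runScenario().

class Principal {
  constructor(origin, system = false) {
    this.origin = origin;  // e.g. "http://content.example" or "chrome://browser"
    this.system = system;  // true for the all-powerful system (chrome) principal
  }
  // "a subsumes b" means a may do everything b may do. The system principal
  // subsumes everything; a content principal subsumes only its own origin.
  subsumes(other) {
    return this.system || this.origin === other.origin;
  }
}

// A scripted caller: the filename its script was compiled from and the principal
// that filename maps to (the model assumes principals are looked up by filename).
class Frame {
  constructor(filename, principal) {
    this.filename = filename;
    this.principal = principal;
  }
}

// Flawed attribution: the compiled string inherits the innermost scripted
// caller's filename, and therefore that caller's principal, regardless of who
// supplied the string.
function attributeByCallerFilename(stack, code) {
  const caller = stack[stack.length - 1];
  return { code, filename: caller.filename, principal: caller.principal };
}

// Attribution with a subsumes check: the caller's principal is inherited only
// when the principal that owns the string (whoever supplied it) subsumes it;
// otherwise the string runs as its owner. The result is always a principal the
// owner subsumes, so the compiled string can never gain privilege.
function attributeWithSubsumesCheck(stack, owner, code) {
  const caller = stack[stack.length - 1];
  if (owner.subsumes(caller.principal)) {
    return { code, filename: caller.filename, principal: caller.principal };
  }
  return { code, filename: "(owner's own script)", principal: owner };
}

// In the model only system-principal code may touch XPCNativeWrapper prototypes.
function canModifyXPCNativeWrapper(principal) {
  return principal.system;
}

// Constructed scenario: content supplies a string to setTimeout, but a
// privileged helper frame is the innermost scripted caller when the string is
// compiled (an assumed attack shape, not the attached testcase).
function runScenario() {
  const content = new Principal("http://content.example");
  const chrome = new Principal("chrome://browser", true);
  const stack = [
    new Frame("http://content.example/page.html", content),
    new Frame("chrome://browser/content/helper.js", chrome),
  ];
  const code = "XPCNativeWrapper.prototype.polluted = true;";
  const flawed = attributeByCallerFilename(stack, code);
  const fixed = attributeWithSubsumesCheck(stack, content, code);
  // The corrected rule still lets same-origin and chrome-only schedules through.
  const sameOrigin = attributeWithSubsumesCheck([stack[0]], content, code);
  const chromeOnly = attributeWithSubsumesCheck([stack[1]], chrome, code);
  return {
    flawedPrincipal: flawed.principal.origin,
    flawedCanPollute: canModifyXPCNativeWrapper(flawed.principal),
    fixedPrincipal: fixed.principal.origin,
    fixedCanPollute: canModifyXPCNativeWrapper(fixed.principal),
    sameOriginPrincipal: sameOrigin.principal.origin,
    chromeOnlyPrincipal: chromeOnly.principal.origin,
  };
}

console.log(runScenario());
```

Under the flawed rule the content-supplied string is attributed to the chrome helper's filename and may modify XPCNativeWrapper; under the subsumes rule it runs as content and cannot, while same-origin and chrome-only schedules are unaffected, which is the "works both ways" property comment 7 refers to.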
(Reporter)

Comment 1

9 years ago
Created attachment 295738 [details]
testcase - Arbitrary code execution
Assignee: dveditz → nobody
Component: Security → XPConnect
Flags: blocking1.9?
Flags: blocking1.8.1.12?
QA Contact: toolkit → xpconnect
Whiteboard: [sg:critical]
Keywords: testcase
OS: Windows XP → All
Hardware: PC → All
Blake, any hope to get a fix for this one similar to the other wrapper pollution ones you're fixing?
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.12?
Flags: blocking1.8.1.12+
Assignee: nobody → mrbkap
Priority: -- → P1

Updated

9 years ago
Flags: blocking1.9? → blocking1.9+
No tested trunk fix, not going to make 1.8.1.12 either
Flags: blocking1.8.1.12+ → blocking1.8.1.13+
(Assignee)

Comment 4

9 years ago
Created attachment 299453 [details] [diff] [review]
patch v1

This patch feels a little fragile to me, but it works.
Attachment #299453 - Flags: superreview?(jst)
Attachment #299453 - Flags: review?(jst)
Comment on attachment 299453 [details] [diff] [review]
patch v1

Looks right to me. r+sr=jst
Attachment #299453 - Flags: superreview?(jst)
Attachment #299453 - Flags: superreview+
Attachment #299453 - Flags: review?(jst)
Attachment #299453 - Flags: review+
(Reporter)

Comment 6

9 years ago
Created attachment 299940 [details]
testcase 2 - Arbitrary code execution

This works on current trunk.  (testcase 1 no longer works on trunk due to the
fix for bug 397791.)
(Assignee)

Comment 7

9 years ago
Created attachment 300182 [details] [diff] [review]
patch v2

After some thought, I realized what was bugging me was a missing 'subsumes' check. Now this code works both ways.
Attachment #299453 - Attachment is obsolete: true
Attachment #300182 - Flags: superreview?(jst)
Attachment #300182 - Flags: review?(jst)
(Assignee)

Updated

9 years ago
Attachment #299453 - Flags: superreview+
Attachment #299453 - Flags: review+

Updated

9 years ago
Attachment #300182 - Flags: superreview?(jst)
Attachment #300182 - Flags: superreview+
Attachment #300182 - Flags: review?(jst)
Attachment #300182 - Flags: review+
(Assignee)

Comment 8

9 years ago
Fix checked into trunk.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
(Assignee)

Comment 9

9 years ago
Note bug 414749 as a followup.
(Assignee)

Comment 10

9 years ago
Created attachment 307125 [details] [diff] [review]
Branch patch

This rolls in the patch for bug 414749 as well. It's so much easier without the DOM agnostic stuff!
Attachment #307125 - Flags: superreview?(jst)
Attachment #307125 - Flags: review?(jst)
Attachment #307125 - Flags: approval1.8.1.13?

Updated

9 years ago
Attachment #307125 - Flags: superreview?(jst)
Attachment #307125 - Flags: superreview+
Attachment #307125 - Flags: review?(jst)
Attachment #307125 - Flags: review+
Comment on attachment 307125 [details] [diff] [review]
Branch patch

approved for 1.8.1.13, a=dveditz for release-drivers
Attachment #307125 - Flags: approval1.8.1.13? → approval1.8.1.13+
When this is checked into the branch please mark bug 414749 with "fixed1.8.1.13" as well
Whiteboard: [sg:critical] → [sg:critical] fixes 414749 also
(Assignee)

Comment 13

9 years ago
Fixed on the 1.8 branch.
Keywords: fixed1.8.1.13
Verified in 1.8 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/2008031114 Firefox/2.0.0.13 and bug verified with 2.0.0.12.
Keywords: fixed1.8.1.13 → verified1.8.1.13

Comment 15

9 years ago
Comment on attachment 307125 [details] [diff] [review]
Branch patch

applies to 1.8.0 with slight adjustments (will attach a helper attachment with the distro patch). caillon, please sign off
Attachment #307125 - Flags: approval1.8.0.15?

Comment 16

9 years ago
Created attachment 311594 [details] [diff] [review]
1.8.0 clean

Updated

9 years ago
Flags: blocking1.8.0.15+
Group: security