Bug 412462: Cross origin wrapper's convert hook allows for XSS
Status: Closed (RESOLVED FIXED)
Opened 17 years ago, closed 17 years ago
Categories: Core :: XPConnect, defect, P1
Tracking: mozilla1.9beta3
People: Reporter: mrbkap, Assigned: mrbkap
Keywords: regression, testcase
Attachments (2 files):
- 882 bytes, text/html
- 1.31 KB, patch (jst: review+, brendan: superreview+)
Description
There's a comment:
// TODO wrap return value?
but we don't do that, so you can get your hands on a plain outer window object and navigate that window to another origin and access properties. Currently, you cannot access "native" properties thanks to the security check in XPCWrappedNative::CallMethod, but jst (and I) want to do away with that. Fix coming up.
Flags: blocking1.9?
Comment 1 (Assignee) • 17 years ago
Note that at the bottom of the function, rv is the result of IsWrapperSameOrigin.
Brendan, any other convert gotchas you can think of?
Attachment #297196 - Flags: superreview?(brendan)
Attachment #297196 - Flags: review?(jst)
Updated (Assignee) • 17 years ago
Priority: -- → P1
Updated • 17 years ago
Flags: blocking1.9? → blocking1.9+
Updated • 17 years ago
Attachment #297196 - Flags: review?(jst) → review+
Comment 2 • 17 years ago
Comment on attachment 297196: Fix
Could JSTYPE_FUNCTION be passed in as type? See jsinterp.c and jsfun.c, grepping for 'convert.*JSTYPE_FUN'.
/be
Attachment #297196 - Flags: superreview?(brendan) → superreview+
Comment 3 • 17 years ago
Fix checked in per discussion with mrbkap. Blake, please reopen or file a new bug if you change your mind about the need to deal with comment 2. Marking FIXED.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated • 17 years ago
Flags: in-testsuite?
Updated • 12 years ago
Group: core-security