Bug 415191 - Check in rdf/chrome version of bug 413250
Status: VERIFIED FIXED (verified1.8.1.12, verified1.8.1.13)
Product: Core
Classification: Components
Component: General
Assigned To: Daniel Veditz [:dveditz]
Depends on: 413250
Reported: 2008-01-31 17:53 PST by Daniel Veditz [:dveditz]
Modified: 2008-03-25 09:04 PDT
dveditz: wanted1.8.1.x+

Description Daniel Veditz [:dveditz] 2008-01-31 17:53:53 PST
Don't want to hold up FF3b3 respin waiting for seamonkey reviews on the mozilla/rdf/chrome version of bug 413250. This bug is to track checking in that one.
Comment 1 Daniel Veditz [:dveditz] 2008-02-01 19:58:04 PST
fixed (patch in 413250)
Comment 2 Daniel Veditz [:dveditz] 2008-02-01 19:59:12 PST
oops, this is for the trunk landing. Not done yet.
Comment 3 Al Billings [:abillings] 2008-02-05 13:50:26 PST
I'm not sure what to do with this, Dan. :-)
Comment 4 Daniel Veditz [:dveditz] 2008-02-05 17:57:59 PST
You could ask the SeaMonkey 1.1.8 folks to verify this one.
Comment 5 Daniel Veditz [:dveditz] 2008-02-06 11:33:42 PST
Any SeaMonkey-compatible flat extension will do. Greasemonkey ought to work.

You can't use quite the exploit in bug 413250 because rdf/chrome actually caught %2e%2e just fine (see bug 413250 comment 17). But a variation like

chrome://greasemonkey/content/.%2e/%2e./

shouldn't show you part of your profile directory.
Comment 6 Andrew Schultz 2008-02-06 16:15:31 PST
As far as I can tell, old versions of SeaMonkey were not vulnerable to the Firefox exploits. SeaMonkey chrome URI handling used the rule of "if you try to go above [extension]/, just stay at [extension]/"

So
chrome://stylish/content/../content/common.js redirects to chrome://stylish/content/common.js

and
chrome://stylish/content/../../../content/common.js also redirects to chrome://stylish/content/common.js

In SM 1.1.7, loading chrome://stylish/content/%252e./ says "The file /content/%2e./ cannot be found."
In SM 1.1.8, trying to load that does nothing.

Beyond that, I don't see any difference between 1.1.7 and 1.1.8.

...so I think everything is fixed on the seamonkey side.
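An added example, not code from this bug or from Mozilla's source, implementing the clamping rule Andrew describes above in Python: the path is fully percent-decoded before ".." is resolved (so .%2e, %2e. and the double-encoded %252e all count as dot-dot), and a ".." that would climb above chrome://<package>/ is clamped there and reported, which is the event a defender would want to log. The function names normalize_chrome_uri and fully_decode are mine; the inputs are the URIs quoted in the comments.

```python
from typing import List, Tuple
from urllib.parse import unquote, urlsplit


def fully_decode(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so that %252e -> %2e -> '.' is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def normalize_chrome_uri(uri: str) -> Tuple[str, bool]:
    """Resolve a chrome:// URI path, clamping '..' at the package root.

    Returns (normalized_uri, climbed_above_root). A '..' that would leave
    chrome://<package>/ stays at chrome://<package>/, mirroring the SeaMonkey
    rule quoted in comment 6. Decoding the whole path first also turns an
    encoded '/' into a separator, which is the conservative choice here.
    """
    parts = urlsplit(uri)
    if parts.scheme != "chrome" or not parts.netloc:
        raise ValueError("expected chrome://<package>/...")
    raw_segments = fully_decode(parts.path).split("/")
    resolved: List[str] = []
    climbed_above_root = False
    for seg in raw_segments:
        if seg in ("", "."):
            continue                       # empty or current-dir segment
        if seg == "..":
            if resolved:
                resolved.pop()             # still inside the package: fine
            else:
                climbed_above_root = True  # would escape chrome://<package>/
            continue
        resolved.append(seg)
    path = "/" + "/".join(resolved)
    if resolved and raw_segments[-1] in ("", ".", ".."):
        path += "/"                        # keep a directory-style trailing slash
    return f"chrome://{parts.netloc}{path}", climbed_above_root


if __name__ == "__main__":
    # constructed inputs: the URIs quoted in comments 5 and 6 of this bug
    for uri in ("chrome://stylish/content/../content/common.js",
                "chrome://stylish/content/../../../content/common.js",
                "chrome://greasemonkey/content/.%2e/%2e./",
                "chrome://stylish/content/%252e./"):
        print(uri, "->", normalize_chrome_uri(uri))
```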
Comment 7 Al Billings [:abillings] 2008-02-06 16:17:25 PST
Fixed or masked?
Comment 8 Daniel Veditz [:dveditz] 2008-02-07 18:27:30 PST
fixed -- the exploit case in 1.1.8 "does nothing". The 1.1.7 behavior of trying to load the file "/content/%2e./" is wrong, though maybe it means the bug was constrained enough in SeaMonkey to not be exploitable. Maybe it was, but in any case the patch stops it.
Comment 9 Daniel Veditz [:dveditz] 2008-03-06 17:21:21 PST
fixed on trunk
Comment 10 Al Billings [:abillings] 2008-03-17 17:44:41 PDT
Do we need to do anything special to verify that this also landed on branch for 1.8.1.13 and not just the 1.8.1.12 relbranch?
Comment 11 Robert Kaiser 2008-03-22 05:42:01 PDT
I'd guess looking at bonsai should be enough to verify it actually landed. For verifying it actually works, I'd use branch SeaMonkey nightlies.
Comment 12 Al Billings [:abillings] 2008-03-24 17:31:54 PDT
I looked at this with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.14pre) Gecko/20080324 SeaMonkey/1.1.10pre, just to see if I could repro the fix. When I try to install the SeaMonkey Greasemonkey extension, I receive an error code of -214 with a note that the installation cannot write to Profile/chrome. I don't know if this is expected or not, but the extension, or a similar one, is necessary to test the fix.

Can someone in the SeaMonkey community verify this fix for 1.8.1.13? I'm admitting failure here.
Comment 13 Philip Chee 2008-03-25 08:33:55 PDT
You must have read/write access to the SeaMonkey application directory. Because the SeaMonkey GM mod was packed on a Windows machine, the attributes of the installed files are wrong. You'll need to recursively chmod the installed files.
Comment 14 Andrew Schultz 2008-03-25 09:04:38 PDT
marking as VERIFIED