Last Comment Bug 415191 - Check in rdf/chrome version of bug 413250
: Check in rdf/chrome version of bug 413250
Status: VERIFIED FIXED
: verified1.8.1.12, verified1.8.1.13
Product: Core
Classification: Components
Component: General (show other bugs)
: unspecified
: All All
: -- normal (vote)
: ---
Assigned To: Daniel Veditz [:dveditz]
:
Mentors:
Depends on: 413250
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-31 17:53 PST by Daniel Veditz [:dveditz]
Modified: 2008-03-25 09:04 PDT (History)
9 users (show)
dveditz: wanted1.8.1.x+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description Daniel Veditz [:dveditz] 2008-01-31 17:53:53 PST
Don't want to hold up FF3b3 respin waiting for seamonkey reviews on the mozilla/rdf/chrome version of bug 413250. This bug is to track checking in that one
Comment 1 Daniel Veditz [:dveditz] 2008-02-01 19:58:04 PST
fixed (patch in 413250)
Comment 2 Daniel Veditz [:dveditz] 2008-02-01 19:59:12 PST
oops, this is for the trunk landing. Not done yet.
Comment 3 Al Billings [:abillings] 2008-02-05 13:50:26 PST
I'm not sure what to do with this, Dan. :-)
Comment 4 Daniel Veditz [:dveditz] 2008-02-05 17:57:59 PST
You could ask the SeaMonkey 1.1.8 folks to verify this one.
Comment 5 Daniel Veditz [:dveditz] 2008-02-06 11:33:42 PST
Any seamonkey-compatible flat extension will do. Greasemonkey ought to work.

You can't use quite the exploit in bug 413250 because rdf/chrome actually caught %2e%2e just fine (see bug 413250 comment 17). But a variation like

chrome://greasemonkey/content/.%2e/%2e./

shouldn't show you part of your profile directory.
Comment 6 Andrew Schultz 2008-02-06 16:15:31 PST
As far as I can tell, old versions of seamonkey were not vulnerable to the firefox exploits.  Seamonkey chrome URI handling used the rule of "if you try to go above [extension]/, just stay at [extension]/"

So
chrome://stylish/content/../content/common.js redirects to chrome://stylish/content/common.js

and
chrome://stylish/content/../../../content/common.js also redirects to chrome://stylish/content/common.js

In SM 1.1.7, loading chrome://stylish/content/%252e./ says "The file /content/%2e./ cannot be found."
In SM 1.1.8, trying to load that does nothing.

Beyond that, I don't see any difference between 1.1.7 and 1.1.8

...so I think everything is fixed on the seamonkey side.
Comment 7 Al Billings [:abillings] 2008-02-06 16:17:25 PST
Fixed or masked?
Comment 8 Daniel Veditz [:dveditz] 2008-02-07 18:27:30 PST
fixed -- the exploit case in 1.1.8 "does nothing". The 1.1.7 behavior of trying to load the file "/content/%2e./" is wrong, though maybe means the bug was constrained enough in SeaMonkey to not be exploitable. Maybe it was, but in any case the patch stops it.
Comment 9 Daniel Veditz [:dveditz] 2008-03-06 17:21:21 PST
fixed on trunk
Comment 10 Al Billings [:abillings] 2008-03-17 17:44:41 PDT
Do we need to do anything special to verify that this also landed on branch for 1.8.1.13 and not just the 1.8.1.12 relbranch?
Comment 11 Robert Kaiser (not working on stability any more) 2008-03-22 05:42:01 PDT
I'd guess looking at bonsai should be enough to verify it actually landed. For verifying it actually works, I'd use branch SeaMonkey nightlies.
Comment 12 Al Billings [:abillings] 2008-03-24 17:31:54 PDT
I looked at this with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.14pre) Gecko/20080324 SeaMonkey/1.1.10pre, just to see if I could repro the fix. When I try to install the Seamonkey greasemonkey extension, I receive an error code of -214 with a note that the installation cannot write to Profile/chrome. I don't know if this is expected or not but the extension, or a similar one, is necessary to test the fix.

Can someone in the Seamonkey community verify this fix for 1.8.1.13? I'm admitting failure here.
Comment 13 Philip Chee 2008-03-25 08:33:55 PDT
You must have read/write access to the SeaMonkey application directory. Because the SeaMonkey GM mod was packed on a windows machine the attributes of the installed files are wrong. You'll need to recursively chmod the installed files.
Comment 14 Andrew Schultz 2008-03-25 09:04:38 PDT
marking as VERIFIED

Note You need to log in before you can comment on or make changes to this bug.