Closed Bug 423375 Opened 16 years ago Closed 16 years ago

Content script can load restricted URIs

Categories

(Core :: Security, defect, P1)

x86
Windows XP
defect

Tracking

VERIFIED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: timeless)

Attachments

(1 file)

Content script can load restricted URIs (chrome:, resource:, etc.).  Is this a
regression from bug 246699?

regression range:
http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2008-03-11+09&maxdate=2008-03-12+05
Attached file testcase 1
Is this a blocker, Dan? This looks bad.
Flags: blocking1.8.1.13?
I've verified that this is trunk only and doesn't repro in branch. (It's good to be sure...)
Flags: blocking1.8.1.13?
Assignee: dveditz → timeless
Flags: blocking1.9?
Priority: -- → P1
Should we back out the patch for bug 246699?
Yes, please back that patch out immediately.  I don't have a tree right now, but if nobody else gets it before I get to the office I'll do it.
Flags: blocking1.9? → blocking1.9+
(In reply to comment #6)
> Yes, please back that patch out immediately.

done
Please make sure to get those testcases into our automated tests so that no one can ever break this again!

I would suggest removing the security flag, since this is now fixed and was never a problem on branches.
Flags: in-testsuite?
Just for the record, testcase 2 should be marked as private (it reveals bug
422025's XSS trick).
(In reply to comment #7)
> (In reply to comment #6)
> > Yes, please back that patch out immediately.
> 
> done
So this is now fixed, right?

Yep, and I'm adding the first test case as a mochitest after lunch, to precede any other attempts to touch that code.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Verified fixed using the testcases and Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9pre) Gecko/2008042705 Minefield/3.0pre ID:2008042705

When I also use the 2nd testcase I get "Error: Access to 'chrome://browser/content/browser.xul' from script denied
Source File: https://bugzilla.mozilla.org/attachment.cgi?id=309874
Line: 20" in the Error Console, and I think this is also expected.

-> Verified fixed
Status: RESOLVED → VERIFIED
Group: core-security