Bug 423541 - (CVE-2008-2805) Arbitrary file upload via originalTarget and DOM Range

Status: VERIFIED FIXED
Whiteboard: [sg:high]
Keywords: testcase, verified1.8.1.15
Product: Core
Classification: Components
Component: DOM: Core & HTML
Version: 1.8 Branch
Hardware/OS: All / All
Importance: P2 major
Assigned To: Olli Pettay [:smaug]
Reported: 2008-03-17 16:24 PDT by Samuel Sidler (old account; do not CC)
Modified: 2009-01-05 11:53 PST (History)
jonas: blocking1.9-
dveditz: blocking1.8.1.15+
asac: blocking1.8.0.next+
jwalden+bmo: in-testsuite?

Attachments
possible patch (4.54 KB, patch)
2008-05-05 03:08 PDT, Olli Pettay [:smaug]
jst: review+
jonas: superreview+
dveditz: approval1.8.1.15+
asac: approval1.8.0.next+

Description Samuel Sidler (old account; do not CC) 2008-03-17 16:24:44 PDT
Created attachment 310115 [details]
Testcase

As reported to security@ by Opera:

While investigating potential file upload issues, one of our security
researchers came across another vulnerability in Firefox.  This is
unrelated to the issues that we have previously reported to you.
Attached.  Exploiting the issue only requires one click (anywhere in the
page), and one keypress (a-z, 0-9...any typed character works, although
ctrl/shift/backspace/etc don't work).


Filing in DOM:HTML since that's where bug 413135 was filed.
Comment 1 Olli Pettay [:smaug] 2008-03-18 03:15:15 PDT
Jst, could we add a check to nsDOMClassInfo: if cx doesn't have the system principal
and .originalTarget is in native anonymous content, then return .target as
.originalTarget.
Comment 2 Johnny Stenback (:jst, jst@mozilla.com) 2008-03-18 16:40:14 PDT
Could we not do that in the originalTarget getter implementation instead? 
Comment 3 Olli Pettay [:smaug] 2008-03-18 16:47:27 PDT
But some native code which runs when there is a content cx on the stack may need
the right originalTarget.
Comment 4 Johnny Stenback (:jst, jst@mozilla.com) 2008-03-18 16:49:17 PDT
Then such code should push null on the JS context stack while calling code that depends on the context stack.
Comment 5 Damon Sicore (:damons) 2008-03-21 14:07:41 PDT
Can we get a security rating on this? 
Comment 6 Jonas Sicking (:sicking) 2008-03-25 11:36:45 PDT
Does this really work on trunk? Getting references to the internal objects really shouldn't be able to get you anywhere on trunk.
Comment 7 Olli Pettay [:smaug] 2008-03-25 13:02:11 PDT
I can't reproduce this on trunk, but can on 1.8.
Samuel, you added the blocking1.9? Can you reproduce this on trunk?
Comment 8 Jonas Sicking (:sicking) 2008-03-25 15:33:46 PDT
Based on previous comment removing blocking.

*Definitely* renominate if this can be reproduced on trunk though!
Comment 9 Samuel Sidler (old account; do not CC) 2008-03-26 15:53:04 PDT
(In reply to comment #7)
> Samuel, you added the blocking1.9? Can you reproduce this on trunk?

Apologies. That was a kneejerk reaction. I can't reproduce on trunk.
Comment 10 Samuel Sidler (old account; do not CC) 2008-04-28 11:31:57 PDT
-> Olli since he fixed bug 413135.
Comment 11 Olli Pettay [:smaug] 2008-05-05 03:08:45 PDT
Created attachment 319352 [details] [diff] [review]
possible patch

I'll still do some testing, but I think this might be good enough.
Comment 12 Olli Pettay [:smaug] 2008-05-05 03:21:52 PDT
Comment on attachment 319352 [details] [diff] [review]
possible patch

I can't think of any easier way to fix this. event.originalTarget isn't the only way to get access to native anon content.

I know it sucks to put nsContentUtils::IsCallerTrustedForCapability("UniversalFileRead") to nsRange, but are there any other options?
Comment 13 Johnny Stenback (:jst, jst@mozilla.com) 2008-05-05 16:23:01 PDT
Comment on attachment 319352 [details] [diff] [review]
possible patch

Seems reasonable for branch to me.
Comment 14 Olli Pettay [:smaug] 2008-05-28 14:58:57 PDT
Jonas, could you perhaps sr this?
Comment 15 Daniel Veditz [:dveditz] 2008-05-30 11:24:14 PDT
Comment on attachment 319352 [details] [diff] [review]
possible patch

Approved for 1.8.1.15, a=dveditz for release-drivers
Comment 16 Al Billings [:abillings] 2008-06-10 12:54:44 PDT
Verified for 1.8.1.15 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15pre) Gecko/2008061004 BonEcho/2.0.0.15pre.
Comment 17 Alexander Sack 2009-01-05 11:52:18 PST
Comment on attachment 319352 [details] [diff] [review]
possible patch

a=asac for 1.8.0