Bug 424188 - [FIX]Possible to exploit relative xul:script URIs in signed jars
Status: RESOLVED FIXED
Whiteboard: [sg:high][fixed on branch by 424426]
Keywords: fixed1.8.1.15
Product: Core
Classification: Components
Component: DOM
Version: Trunk
Platform: All All
Importance: -- normal
Target Milestone: ---
Assigned To: Boris Zbarsky [:bz]
QA Contact:
Mentors:
URL: http://crypto.stanford.edu/~collinj/r...
Duplicates: 424190
Depends on: 424488
Blocks:

Reported: 2008-03-20 12:38 PDT by Boris Zbarsky [:bz]
Modified: 2008-07-02 15:57 PDT
CC: 9 users
Flags:
dveditz: blocking1.8.1.15+
dveditz: wanted1.8.1.x+
bzbarsky: in-testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Fix (10.03 KB, patch)
2008-03-20 14:45 PDT, Boris Zbarsky [:bz]
jonas: review+
jonas: superreview+
dsicore: approval1.9b5+
dsicore: approval1.9+

Description Boris Zbarsky [:bz] 2008-03-20 12:38:15 PDT
See bug 418996 comment 1 and bug 418996 comment 21.
Comment 1 Boris Zbarsky [:bz] 2008-03-20 12:43:17 PDT
The problem is presumably that XUL doesn't use the scriptloader for <xul:script> and hence doesn't do the downgrading that the scriptloader does?
Comment 2 Collin Jackson 2008-03-20 12:52:58 PDT
*** Bug 424190 has been marked as a duplicate of this bug. ***
Comment 3 Boris Zbarsky [:bz] 2008-03-20 14:45:59 PDT
Created attachment 310841 [details] [diff] [review]
Fix
Comment 4 Jonas Sicking (:sicking) No longer reading bugmail consistently 2008-03-20 15:51:38 PDT
Comment on attachment 310841 [details] [diff] [review]
Fix

Looks good
Comment 5 Boris Zbarsky [:bz] 2008-03-20 16:08:42 PDT
Comment on attachment 310841 [details] [diff] [review]
Fix

Extend to XUL the protection HTML already had.  Only affects non-chrome XUL served inside a signed jar.  Such XUL can no longer keep its signed status if it includes unsigned scripts.

Might be worth beta exposure.
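The rule described in comment 1 and comment 5, as an added Python model that is not Gecko's code: a document loaded from a signed jar keeps its signed status only while every script it includes resolves into that same jar, and the first script from anywhere else downgrades it. The jar: URI handling, the `example.test` host and the function names are illustrative assumptions.

```python
"""Model of the signed-jar script downgrade rule (illustration, not Gecko's code)."""
import posixpath
from urllib.parse import urljoin, urlsplit


def split_jar_uri(uri):
    """Split 'jar:<outer>!/<inner>' into (outer, '/inner'); None for non-jar URIs."""
    if not uri.startswith("jar:"):
        return None
    outer, sep, inner = uri[4:].partition("!/")
    return (outer, "/" + inner) if sep else None


def resolve_script_uri(doc_uri, src):
    """Resolve a <script src>: inside a jar, a relative reference resolves against
    the inner path and cannot leave the archive; anything with a scheme is absolute."""
    if urlsplit(src).scheme:                 # https:, jar:, ... => already absolute
        return src
    parts = split_jar_uri(doc_uri)
    if parts is None:
        return urljoin(doc_uri, src)         # ordinary http(s) document
    outer, inner = parts
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(inner), src))
    return f"jar:{outer}!/{resolved.lstrip('/')}"


def same_signed_jar(doc_uri, script_uri):
    """True only when document and script come from the same outer jar."""
    doc, scr = split_jar_uri(doc_uri), split_jar_uri(script_uri)
    return doc is not None and scr is not None and doc[0] == scr[0]


def effective_principal(doc_uri, jar_signed, script_srcs):
    """'signed' or 'unsigned' after processing the document's scripts: the document
    is signed only if its jar verified, and the first out-of-jar script downgrades it."""
    if not jar_signed or split_jar_uri(doc_uri) is None:
        return "unsigned"
    for src in script_srcs:
        if not same_signed_jar(doc_uri, resolve_script_uri(doc_uri, src)):
            return "unsigned"
    return "signed"


# Constructed sample: a XUL document inside a signed jar whose signature verified.
DOC = "jar:https://example.test/app.jar!/content/main.xul"

if __name__ == "__main__":
    print(effective_principal(DOC, True, ["util.js", "../lib/helper.js"]))         # signed
    print(effective_principal(DOC, True, ["util.js", "https://example.test/x.js"]))  # unsigned
```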
Comment 6 Damon Sicore (:damons) 2008-03-20 16:16:06 PDT
Can we get a test for this?
Comment 7 Boris Zbarsky [:bz] 2008-03-20 16:33:57 PDT
I'm not going to have time to write one in time for beta...  We need some tests for bug 418996 too, and to test this we need to either copy the server-side stuff Collin set up or (better) come up with some custom signed jars that mochitests can use...
Comment 8 Damon Sicore (:damons) 2008-03-20 16:44:26 PDT
Comment on attachment 310841 [details] [diff] [review]
Fix

Can I get a promise that we'll get a test case for this and bug 418996?  :)

a1.9+ & a1.9beta5+=damons
Comment 9 Boris Zbarsky [:bz] 2008-03-20 16:57:01 PDT
> Can I get a promise that we'll get a test case for this and bug 418996?  :)

Absolutely.  It's on my short-list of bugs to write tests for as soon as I have the time.  I'm just not sure that will be before 1.9 ship...

If someone picks this up in the meantime, great.  If not, once I finish this whole dissertation thing, I'll just do it.
Comment 10 Boris Zbarsky [:bz] 2008-03-21 21:34:04 PDT
Filed bug 424488 on having a decent way to test this in a good controlled manner.
Comment 11 Boris Zbarsky [:bz] 2008-03-21 22:05:24 PDT
Checked in.  Marking fixed in the sense that XUL and HTML now behave the same, though Collin found bug 424426, which affects both for now.
Comment 12 Johnny Stenback (:jst, jst@mozilla.com) 2008-06-04 16:48:50 PDT
The branch patch in bug 424426 fixes this bug.
Comment 13 Johnny Stenback (:jst, jst@mozilla.com) 2008-06-05 17:17:57 PDT
Fixed on the branch by the fix for bug 424426.
Comment 14 Al Billings [:abillings] 2008-06-10 17:36:34 PDT
(In reply to comment #0)
> See bug 418996 comment 1 and bug 418996 comment 21.
> 

I tested the fix with the linked test case in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15pre) Gecko/2008061005 BonEcho/2.0.0.15pre and the case doesn't repro like it does for 2.0.0.14. Is there additional testing that we should do to verify this?
