[FIX]Possible to exploit relative xul:script URIs in signed jars

RESOLVED FIXED

Status

Core
DOM
RESOLVED FIXED
9 years ago
9 years ago

People

(Reporter: bz, Assigned: bz)

Tracking

({fixed1.8.1.15})

Trunk
fixed1.8.1.15
Points:
---
Bug Flags:
blocking1.8.1.15 +
wanted1.8.1.x +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:high][fixed on branch by 424426], URL)

Attachments

(1 attachment)

See bug 418996 comment 1 and bug 418996 comment 21.
The problem is presumably that XUL doesn't use the scriptloader for <xul:script> and hence doesn't do the downgrading that the scriptloader does?

Updated

9 years ago
Duplicate of this bug: 424190
Created attachment 310841 [details] [diff] [review]
Fix
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #310841 - Flags: superreview?(jonas)
Attachment #310841 - Flags: review?(jonas)
Flags: in-testsuite?
Summary: Possible to exploit relative script URIs in signed jars → [FIX]Possible to exploit relative script URIs in signed jars
Comment on attachment 310841 [details] [diff] [review]
Fix

Looks good
Attachment #310841 - Flags: superreview?(jonas)
Attachment #310841 - Flags: superreview+
Attachment #310841 - Flags: review?(jonas)
Attachment #310841 - Flags: review+
Comment on attachment 310841 [details] [diff] [review]
Fix

Extend to XUL the protection HTML already had.  Only affects non-chrome XUL served inside a signed jar.  Such XUL can no longer keep its signed status if it includes unsigned scripts.

Might be worth beta exposure.
Attachment #310841 - Flags: approval1.9b5?
Attachment #310841 - Flags: approval1.9?
Can we get a test for this?
I'm not going to have time to write one in time for beta...  We need some tests for bug 418996 too, and to test this we need to either copy the server-side stuff Collin set up or (better) come up with some custom signed jars that mochitests can use...
Comment on attachment 310841 [details] [diff] [review]
Fix

Can I get a promise that we'll get a test case for this and bug 418996?  :)

a1.9+ & a1.9beta5+=damons
Attachment #310841 - Flags: approval1.9b5?
Attachment #310841 - Flags: approval1.9b5+
Attachment #310841 - Flags: approval1.9?
Attachment #310841 - Flags: approval1.9+
> Can I get a promise that we'll get a test case for this and bug 418996?  :)

Absolutely.  It's on my short-list of bugs to write tests for as soon as I have the time.  I'm just not sure that will be before 1.9 ship...

If someone picks this up in the meantime, great.  If not, once I finish this whole dissertation thing, I'll just do it.
Filed bug 424488 on having a decent way to test this in a good controlled manner.
Depends on: 424488
Checked in.  Marking fixed in the sense that XUL and HTML now behave the same, though Collin found bug 424426, which affects both for now.
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Summary: [FIX]Possible to exploit relative script URIs in signed jars → [FIX]Possible to exploit relative xul:script URIs in signed jars
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.14?
Whiteboard: [sg:high]
Flags: blocking1.8.1.15? → blocking1.8.1.15+
Whiteboard: [sg:high] → [sg:high][needs branch patch - eta July?]
The branch patch in bug 424426 fixes this bug.
Whiteboard: [sg:high][needs branch patch - eta July?] → [sg:high][fixed on branch by 424426]
Fixed on the branch by the fix for bug 424426.
Keywords: fixed1.8.1.15
(In reply to comment #0)
> See bug 418996 comment 1 and bug 418996 comment 21.
> 

I tested the fix with the linked test case in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15pre) Gecko/2008061005 BonEcho/2.0.0.15pre and the case doesn't repro like it does for 2.0.0.14. Is there additional testing that we should do to verify this?

Updated

9 years ago
OS: Linux → All
Hardware: PC → All
Group: security