Bug 44013 (Closed): BUG: spoofing bookmarks using location.__defineGetter__
Opened 25 years ago
Closed 25 years ago
Categories: Core :: Security, defect, P3
Status: VERIFIED FIXED
People: Reporter: security-bugs, Assigned: rogerl
Keywords: js1.5
Attachments (1 file): patch, 1.78 KB
It is possible to mislead the user into believing he is bookmarking a web page,
while the location may be arbitrary, including chrome: and file: URLs.
This is dangerous because it allows opening local HTML files and chrome:
URLs.
JS in chrome seems to trust JS values from the BOM too much, but they may be
redefined using __defineGetter__.
The code is:
-------------------------
Bookmark this page, then choose the bookmark
<SCRIPT>
location.__defineGetter__("href", function() { return "chrome://navigator/content"; });
</SCRIPT>
-------------------------
Comment 1 (Reporter) • 25 years ago
__defineGetter__ (and probably also __proto__ and other __ functions) need
security checks to keep them from being used cross-site. ->Brendan.
Assignee: mstoltz → brendan
Summary: BUG: spoofing bookmarks using location.__defineGetter__ → BUG: spoofing bookmarks using location.__defineGetter__
Comment 2 • 25 years ago
Roger, can you take this one -- it's easy and it falls in code you originated
(obj_defineGetter and obj_defineSetter simply need to check
    /*
     * Getters and setters are just like watchpoints from an access
     * control point of view.
     */
    if (!OBJ_CHECK_ACCESS(cx, obj, id, JSACC_WATCH, &rval, &attrs))
        return JS_FALSE;
with dummy jsval rval; uintN attrs, just before the return OBJ_DEFINE_PROPERTY
call at the bottom).
I'm marking nsbeta2 to avoid a security firedrill.
/be
Assignee: brendan → rogerl
Keywords: nsbeta2
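The spoof from the description and the access check Comment 2 asks for, modelled in Node.js as an added example (not code from this bug or from SpiderMonkey). Principals are plain string labels and the "owner may redefine accessors on its own objects" policy is an assumed simplification of the browser's real access control, chosen only to show where the check sits.

```javascript
// Added example, not code from the bug or from SpiderMonkey: a Node.js model of
// the spoof and of the access check Comment 2 describes. Principals are plain
// string labels (assumed simplification of SpiderMonkey's principal objects).

const SYSTEM = "system";                       // chrome / privileged code
const CONTENT = "http://example.test";         // an untrusted web page (constructed)

// Model of the host object `location`, owned by the privileged side.
function makeLocation(href) {
  const loc = { _href: href, _owner: SYSTEM };
  Object.defineProperty(loc, "href", {
    get() { return this._href; }, configurable: true,
  });
  return loc;
}

// Before the fix: __defineGetter__ installs the accessor with no check at all.
function defineGetterUnchecked(_caller, obj, id, getter) {
  Object.defineProperty(obj, id, { get: getter, configurable: true });
  return true;
}

// After the fix: mirror OBJ_CHECK_ACCESS(cx, obj, id, JSACC_WATCH, ...) by
// consulting an access-control hook before the accessor may be installed.
// The policy here (only the owner may redefine accessors on its own objects)
// is an assumption made for this model, not the browser's actual policy.
function checkAccess(caller, obj) {
  return caller === SYSTEM || caller === obj._owner;
}
function defineGetterChecked(caller, obj, id, getter) {
  if (!checkAccess(caller, obj)) return false;   // JS_FALSE: definition refused
  Object.defineProperty(obj, id, { get: getter, configurable: true });
  return true;
}

// The chrome "Bookmark this page" code: trusts whatever location.href reports.
function bookmarkTarget(loc) { return loc.href; }

// The content script from the report, run through a given definer.
function spoof(defineGetter) {
  const loc = makeLocation("http://example.test/page");
  const installed = defineGetter(CONTENT, loc, "href",
    function () { return "chrome://navigator/content"; });
  return { installed, bookmarked: bookmarkTarget(loc) };
}

// Unchecked: the bookmark silently points at a chrome: URL. Checked: it does not.
function spoofBeforeFix() { return spoof(defineGetterUnchecked); }
function spoofAfterFix() { return spoof(defineGetterChecked); }
```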
Comment 3 (Assignee) • 25 years ago
Comment 4 • 25 years ago
Looks good, thanks. Nits: fval,tval is a bit crowded in the declaration -- how
about a space after the comma? And junk is the traditional name (it's not a
well known tradition ;-) for unused jsval args passed by reference. r=brendan.
/be
Comment 5 (Assignee) • 25 years ago
Fix checked in.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Comment 8 (Reporter) • 24 years ago
Opening fixed security bugs to the public.
Group: netscapeconfidential?