Bug 440308 (Closed)
Opened 17 years ago, Closed 17 years ago
XSS by using XMLHttpRequest and onreadystatechange handler
Categories: Core :: Security, defect
Status: VERIFIED FIXED
People: Reporter: moz_bug_r_a4, Assigned: smaug
Keywords: testcase, verified1.8.1.15, verified1.8.1.16; Whiteboard: [sg:high]
Attachments (1 file): patch, 1.04 KB; jst: review+, jst: superreview+, dveditz: approval1.8.1.15+
Please see bug 403168.
This is fx2-only. On fx2, nsXMLHttpRequest::ChangeState() does not call CheckInnerWindowCorrectness(), thus it's possible to perform an XSS attack by using an onreadystatechange handler.
(On trunk, nsXMLHttpRequest::ChangeState() calls NotifyEventListeners(), which calls CheckInnerWindowCorrectness().)
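As an added illustration (not the reporter's testcase and not Gecko code), a toy C++ model of the guard the branch patch introduces: the request remembers the inner window that created it and only fires onreadystatechange while that inner window is still the one the outer window currently shows. OuterWindow, InnerWindow, CallbackOrigin and the origin strings are hypothetical stand-ins.

```cpp
// Added illustration, not Gecko code: a toy model of the inner-window check
// that the branch patch puts in front of the onreadystatechange dispatch.
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins for Gecko's outer/inner window split: the outer
// window persists across navigations, each document gets its own inner window.
struct InnerWindow { std::string origin; };

struct OuterWindow {
    std::shared_ptr<InnerWindow> current;   // inner window of the document shown now
    void Navigate(const std::string& origin) {
        current = std::make_shared<InnerWindow>(InnerWindow{origin});
    }
};

struct XMLHttpRequest {
    OuterWindow* outer;
    std::shared_ptr<InnerWindow> owner;     // inner window that created the request
    std::vector<std::string>* fired;        // records the origin in which the handler ran
    bool guarded;                           // true: behave like the patched ChangeState()

    // Counterpart of CheckInnerWindowCorrectness(): script may only be called
    // back if the creating inner window is still the one the outer window shows.
    bool CheckInnerWindowCorrectness() const { return owner == outer->current; }

    // Counterpart of ChangeState(): fire onreadystatechange. Unguarded, the
    // handler runs in whatever document now occupies the outer window.
    bool ChangeState() {
        if (guarded && !CheckInnerWindowCorrectness()) return false;
        fired->push_back(outer->current->origin);
        return true;
    }
};

// Creates the request in https://a.example, optionally navigates the window to
// https://b.example before the response arrives, then fires the state change.
// Returns the origin the handler ran in, or "" when the guard suppressed it.
std::string CallbackOrigin(bool guarded, bool navigateFirst) {
    OuterWindow win;
    win.Navigate("https://a.example");
    std::vector<std::string> fired;
    XMLHttpRequest xhr{&win, win.current, &fired, guarded};
    if (navigateFirst) win.Navigate("https://b.example");
    xhr.ChangeState();
    return fired.empty() ? "" : fired.back();
}
```

Without the guard the late callback reaches the document that replaced the creating one; with it, the stale request stays silent while an un-navigated window still gets its callback.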
Updated•17 years ago
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.16+
Whiteboard: [sg:high]
Updated•17 years ago
Assignee: nobody → Olli.Pettay
Comment 2 (Assignee)•17 years ago
Attachment #325759 - Flags: superreview?(jst), review?(jst)
Comment 3•17 years ago
Comment on attachment 325759 (proposed patch):
- onReadyStateChangeListener) {
+ onReadyStateChangeListener &&
+ NS_SUCCEEDED(CheckInnerWindowCorrectness())) {
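Review bot: the new guard covers only the onReadyStateChangeListener branch shown here; the bug description says trunk performs CheckInnerWindowCorrectness() inside NotifyEventListeners(), i.e. for every listener ChangeState() notifies, so confirm that no other listener dispatch on the branch's ChangeState() path is left without the same check. A failed check now silently skips the handler instead of reporting anything, which is the right outcome for a stale inner window but deserves a one-line comment at the condition so the silent drop is not mistaken for a bug later.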
Looks good. This'll be the fourth caller of CheckInnerWindowCorrectness(), and it's inline. Probably worth un-inlining it now while you're here.
Attachment #325759 - Flags: superreview?(jst) → superreview+, review?(jst) → review+
Comment 4 (Assignee)•17 years ago
Well, is it really worth it for the branch?
Comment 5 (Assignee)•17 years ago
Comment on attachment 325759 (proposed patch):
I'm not sure if this should go in to .15 or .16, but .15 is the only one I can ask approval for.
Attachment #325759 - Flags: approval1.8.1.15?
Updated•17 years ago
Flags: blocking1.8.1.15+
Comment 6•17 years ago
Comment on attachment 325759 (proposed patch):
Approved for 1.8.1.15 and 1.8.1.16, a=dveditz for release-drivers
Please land on both branches (MOZILLA_1_8_BRANCH for 1.8.1.16 and GECKO181_20080612_RELBRANCH for 1.8.1.15) and give the bug both fixed1.8.1.15 and fixed1.8.1.16 keywords
Attachment #325759 - Flags: approval1.8.1.16+, approval1.8.1.15? → approval1.8.1.15+
Comment 7•17 years ago
Fix checked into both 1.8 branch and _relbranch
Keywords: fixed1.8.1.15, fixed1.8.1.16
Comment 8•17 years ago
Resolving this bug as FIXED since it's branch-only.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 9•17 years ago
Verified this with the new 2.0.0.15 build (Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15) Gecko/2008062305 Firefox/2.0.0.15) and reproduced the bug on the same machine with shipped 2.0.0.14.
Keywords: fixed1.8.1.15 → verified1.8.1.15
Updated•17 years ago
Status: RESOLVED → VERIFIED
Updated•17 years ago
Keywords: fixed1.8.1.17 → fixed1.8.1.16
Updated•17 years ago
Group: security
Comment 10•17 years ago
Verified this with 2.0.0.16 Firefox as well (Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.16) Gecko/2008070205 Firefox/2.0.0.16).
Keywords: fixed1.8.1.16 → verified1.8.1.16
Updated•17 years ago
Flags: blocking1.8.0.15+
Updated•17 years ago
Flags: blocking1.8.1.17+ → blocking1.8.1.16+
Comment 11•17 years ago
Comment on attachment 325759 (proposed patch):
This patch had approval for 1.8.1.16, but apparently the flags got moved out. Clearing that flag to clear the queries.
Attachment #325759 - Flags: approval1.8.1.17+