Closed
Bug 444073
Opened 17 years ago
Closed 17 years ago
Script evaluated by Components.utils.evalInSandbox() can pollute implicit XPCNativeWrapper
Categories
(Core :: XPConnect, defect, P1)
VERIFIED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
Details
(Keywords: fixed1.9.1, verified1.8.1.17, verified1.9.0.2, Whiteboard: [sg:moderate][fixed by 441087] potentially critical for extensions/userscripts that use this)
Attachments
(1 file: 371 bytes, text/plain)
This is basically the same bug as bug 441087.
When a script is evaluated by Components.utils.evalInSandbox(), the script
inherits the caller's filename. Thus, the script can access and modify
implicit XPCNativeWrappers.
In bug 441087's case, |event| is an implicit XPCNativeWrapper, and eval'ed
script cannot access properties of the implicit XPCNativeWrapper due to the fix
for bug 419848.
Note: Greasemonkey user scripts need to access web pages via (explicit)
XPCNativeWrapper. Otherwise scripts in web pages can abuse GM_* API functions.
Reporter
Comment 1•17 years ago
Steps to reproduce:
1. Install Greasemonkey and this user script.
2. Load an html page.
3. Right click on the document.
An alert will appear.
Updated•17 years ago
Component: Security → XPConnect
Flags: blocking1.9.0.2?
Flags: blocking1.8.1.17?
QA Contact: toolkit → xpconnect
Comment 2•17 years ago
Er, woops, didn't mean to request blocking.
Flags: blocking1.9.0.2?
Flags: blocking1.8.1.17?
Updated•17 years ago
Flags: wanted1.8.1.x+
Flags: blocking1.9.1?
Flags: blocking1.9.0.2?
Flags: blocking1.8.1.17?
Whiteboard: [sg:moderate] potentially critical for extensions/userscripts that use this
Updated•17 years ago
Assignee: nobody → mrbkap
Flags: blocking1.8.1.17? → blocking1.8.1.17+
Comment 3•17 years ago
If it blocks 1.8.1.17, it should block 1.9.0.2. Blake, how's a patch looking for tomorrow? ...
Flags: blocking1.9.0.2? → blocking1.9.0.2+
Updated•17 years ago
Whiteboard: [sg:moderate] potentially critical for extensions/userscripts that use this → [sg:moderate][needs patches] potentially critical for extensions/userscripts that use this
Assignee
Comment 4•17 years ago
This was fixed on the trunk and branches by bug 441087.
Status: NEW → RESOLVED
Closed: 17 years ago
Keywords: fixed1.8.1.17, fixed1.9.0.2
Resolution: --- → FIXED
Reporter
Comment 5•17 years ago
This bug is not fixed on fx-2.0.0.17pre-2008-08-26-03. See also bug 441087
comment #29.
Updated•17 years ago
Keywords: fixed1.8.1.17
Updated•17 years ago
Whiteboard: [sg:moderate][needs patches] potentially critical for extensions/userscripts that use this → [sg:moderate][fixed by 441087] potentially critical for extensions/userscripts that use this
Comment 7•17 years ago
Verified this as fixed in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17 and that the bug repros in 2.0.0.16.
Keywords: fixed1.8.1.17 → verified1.8.1.17
Comment 8•17 years ago
I've verified this for 1.9.0.2 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.2) Gecko/2008090212 Firefox/3.0.2.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.0.2 → verified1.9.0.2
Updated•17 years ago
Group: core-security
Updated•17 years ago
Flags: blocking1.8.0.next+
Updated•16 years ago