XPCNativeWrapper pollution using chrome XBL

VERIFIED FIXED

Status

Core
XPConnect
P1
normal
VERIFIED FIXED
10 years ago
10 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Tracking

({verified1.8.1.17, verified1.9.0.2, verified1.9.1})

unspecified
x86
Windows XP
verified1.8.1.17, verified1.9.0.2, verified1.9.1
Points:
---
Bug Flags:
blocking1.9.1 +
blocking1.9.0.2 +
blocking1.8.1.17 +
wanted1.8.1.x +
blocking1.8.0.next +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] fixed by 441087)

(Reporter)

Description

10 years ago
It's possible to modify an implicit XPCNativeWrapper within a chrome XBL method
without using eval-like methods or __defineGetter__.  (See also the second
paragraph of bug 387390 comment #21.)
Component: Security → XPConnect
QA Contact: toolkit → xpconnect
Assignee: nobody → mrbkap
Flags: wanted1.8.1.x+
Flags: blocking1.9.1?
Flags: blocking1.9.0.2?
Flags: blocking1.8.1.17+
Whiteboard: [sg:critical]
Flags: blocking1.9.0.2? → blocking1.9.0.2+
(Assignee)

Comment 2

10 years ago
The patch in bug 441087 fixes this.
Whiteboard: [sg:critical] → [sg:critical] fixed by 441087

Fixed by bug 441087.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Keywords: fixed1.9.0.2
Resolution: --- → FIXED
(Assignee)

Comment 4

10 years ago
Marking fixed to follow bug 441087.
Keywords: fixed1.8.1.17
(Reporter)

Comment 5

10 years ago
This bug is not fixed on fx-2.0.0.17pre-2008-08-26-03.  See also bug 441087
comment #29.
Keywords: fixed1.8.1.17

Fix for 441087 was checked in.
Keywords: fixed1.8.1.17

With the testcase in comment 0, I can very easily reproduce in 2.0.0.16 (Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16), but not in 2.0.0.17 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17).

Verified FIXED; replacing fixed1.8.1.17 with verified1.8.1.17.

Meant to type "comment 1," sigh...
Keywords: fixed1.8.1.17 → verified1.8.1.17

Comment 9

10 years ago
Verified for 1.9.0.2 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.2) Gecko/2008090212 Firefox/3.0.2.
Keywords: fixed1.9.0.2 → verified1.9.0.2
Group: core-security

Updated

10 years ago
Flags: blocking1.8.0.next+

Updated

10 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Keywords: fixed1.9.1
Priority: -- → P1

Comment 10

10 years ago
Verified fix on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090205 Shiretoko/3.1b3pre Ubiquity/0.1.5
and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090205 Minefield/3.2a1pre
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1