Closed Bug 444077 Opened 12 years ago Closed 12 years ago

XPCNativeWrapper pollution using chrome JS

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Details

(Keywords: fixed1.9.1, verified1.8.1.17, verified1.9.0.2, Whiteboard: [sg:critical] fixed by 441087)

moz_bug_r_a4

Reporter

Description

•

12 years ago

It's possible to modify an implicit XPCNativeWrapper within a function loaded
from chrome: url without using eval-like methods nor __defineGetter__.  (See
also the second paragraph of bug 387390 comment #21.)

:Gavin Sharp [email: gavin@gavinsharp.com]

Updated

•

12 years ago

Component: Security → XPConnect

QA Contact: toolkit → xpconnect

Daniel Veditz [:dveditz]

Comment 2

•

12 years ago

Blake: welcome back! ;-)

Assignee: nobody → mrbkap

Flags: wanted1.8.1.x+

Flags: blocking1.9.1?

Flags: blocking1.9.0.2?

Flags: blocking1.8.1.17+

Whiteboard: [sg:critical]

Samuel Sidler (old account; do not CC)

Updated

•

12 years ago

Flags: blocking1.9.0.2? → blocking1.9.0.2+

Blake Kaplan (:mrbkap) (inactive, use needinfo)

Assignee

Comment 3

•

12 years ago

The patch in bug 441087 fixes this.

Daniel Veditz [:dveditz]

Updated

•

12 years ago

Whiteboard: [sg:critical] → [sg:critical] fixed by 441087

Samuel Sidler (old account; do not CC)

Comment 4

•

12 years ago

Fixed by bug 441087.

Status: NEW → RESOLVED

Closed: 12 years ago

Keywords: fixed1.9.0.2

Resolution: --- → FIXED

Blake Kaplan (:mrbkap) (inactive, use needinfo)

Assignee

Comment 5

•

12 years ago

Marking fixed to follow bug 441087.

Keywords: fixed1.8.1.17

moz_bug_r_a4

Reporter

Comment 6

•

12 years ago

This bug is not fixed on fx-2.0.0.17pre-2008-08-26-03.  See also bug 441087
comment #29.

:Gavin Sharp [email: gavin@gavinsharp.com]

Updated

•

12 years ago

Keywords: fixed1.8.1.17

Samuel Sidler (old account; do not CC)

Comment 7

•

12 years ago

Fix for 441087 was checked in.

Keywords: fixed1.8.1.17

Stephen Donner [:stephend] Not actively reading bugmail

Comment 8

•

12 years ago

I can reproduce at will using the testcase in comment 1 using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16, but not using 2.0.0.17 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17).

Verified FIXED; replacing fixed1.8.1.17 with verified1.8.1.17.

Keywords: fixed1.8.1.17 → verified1.8.1.17

Al Billings [:abillings - ex-MoCo]

Comment 9

•

12 years ago

Verified for 1.9.0.2 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.2) Gecko/2008090212 Firefox/3.0.2.

Keywords: fixed1.9.0.2 → verified1.9.0.2

Daniel Veditz [:dveditz]

Updated

•

12 years ago

Group: core-security

Alexander Sack

Updated

•

12 years ago

Flags: blocking1.8.0.next+

Benjamin Smedberg

Comment 10

•

12 years ago

Landed before branching

Flags: blocking1.9.1? → blocking1.9.1+

Keywords: fixed1.9.1

You need to log in before you can comment on or make changes to this bug.

Bugzilla

XPCNativeWrapper pollution using chrome JS

Categories

(Core :: XPConnect, defect)

Tracking

()

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

References

Details

(Keywords: fixed1.9.1, verified1.8.1.17, verified1.9.0.2, Whiteboard: [sg:critical] fixed by 441087)

Crash Data

Security

(public)

User Story

Description

Updated

Comment 2

Updated

Comment 3

Updated

Comment 4

Comment 5

Comment 6

Updated

Comment 7

Comment 8

Comment 9

Updated

Updated

Comment 10