Please see bug 444077 and bug 441087. When a top-level statement is executed, fp->callee is null. Thus, it's possible to circumvent the fix in bug 441087.
Reproducible: Always
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Hardware: PC → All
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
Not going to block 1.9.1 on this after all, but Blake, please do investigate!
Flags: blocking1.9.1+ → blocking1.9.1-
Created attachment 344195: Proposed fix. I'm a little sad that nsScriptSecurityManager is peeking into xpcconvert here, but avoiding it is more work than it's worth. The core of the fix is the else branch just before the call to GetNewOrUsed, where we pluck the script principal out if we didn't get a function object callee.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical] → [sg:critical] needs branch patch
Since we're apparently opposed to taking bug 459906 on the 1.8 branch, there is no reason that this bug should block 220.127.116.11. I'll write up the backport patch for this bug soon, though, so it's sure to make the 18.104.22.168 and 22.214.171.124 releases.
Yeah, we talked and took bug 459906 instead of this one for this release. This bug blocks 126.96.36.199/188.8.131.52 however (so don't stop working on it!).
Comment on attachment 344195 (Proposed fix): This applies as-is to the 1.9 branch.
Attachment #344195 - Flags: approval184.108.40.206?
Comment on attachment 344195 (Proposed fix): Approved for 220.127.116.11, a=dveditz for release-drivers. We need a separate 1.8.1.x patch, right?
Attachment #344195 - Flags: approval18.104.22.168? → approval22.214.171.124+
Whiteboard: [sg:critical] needs branch patch → [sg:critical][needs 1.8 patch]
Created attachment 348685: Patch for the 1.8 branch. This fix is different from the one checked in on trunk. In particular, on the branch, it is much more expensive to get one's hands on an nsIScriptSecurityManager, so it makes sense to do a little bit more work in XPCNativeWrapper since it has a script security manager already. I was trying to avoid this on trunk, since IMO this signature is ugly and harder to use.
Comment on attachment 348685 (Patch for the 1.8 branch): Oops, this is a patch for the 1.8 branch.
Attachment #348685 - Attachment description: Patch for the 1.9 branch → Patch for the 1.8 branch
Fixed on the 1.9 branch.
Whiteboard: [sg:critical][needs 1.8 patch] → [sg:critical]
Comment on attachment 348685 (Patch for the 1.8 branch): Approved for 126.96.36.199, a=dveditz for release-drivers.
Attachment #348685 - Flags: approval188.8.131.52? → approval184.108.40.206+
Fixed on the 1.8 branch.
Verified for 220.127.116.11 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168pre) Gecko/2008112503 BonEcho/22.214.171.124pre. Verified for 126.96.36.199 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52pre) Gecko/2008112505 GranParadiso/3.0.5pre.
Status: RESOLVED → VERIFIED
Keywords: fixed184.108.40.206, fixed220.127.116.11 → verified18.104.22.168, verified22.214.171.124
I think there is a problem with this patch. I'm not sure if this has any security implication, though. If you load either of the attached testcases in the 3.0.5 beta, then double-click in the page, when you bring up the context menu (right-click) it has been corrupted, containing only: Copy, Select All, This Frame >, and Selection Source. There are other odd things going on as well; for example, if you try to highlight some text on the page, you just end up trying to drag and drop the iframe.
Comment on attachment 348685 (Patch for the 1.8 branch): a=asac for 1.8.0
Attachment #348685 - Flags: approval1.8.0.next+