Closed Bug 456271 Opened 16 years ago Closed 16 years ago

Make it impossible to create script-exposed documents without script handling objects

Categories

(Core :: DOM: Core & HTML, defect, P1)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.2a1

People

(Reporter: bzbarsky, Assigned: smaug)

References

(Depends on 2 open bugs)

Details

(Keywords: verified1.9.1, Whiteboard: [sg:moderate][needs 1.9.0 fix, fix for regression 460460])

Attachments

(3 files)

something like this
1.10 KB, patch
Details | Diff | Splinter Review
or maybe this
2.57 KB, patch
bzbarsky
: review+
bzbarsky
: superreview+
Details | Diff | Splinter Review
+"one of these is true"
2.59 KB, patch
Details | Diff | Splinter Review 
Right now, any document without a script handling object that is exposed to content script is a security bug.  At the same time, it's trivial to create such documents: by default documents have no script handling object.  Not only that, but even chokepoint methods like nsContentUtils::CreateDocument happily allow creation of documents with no script handling object.

We presumably need that for all the proper functioning of XHR from C++, so how about making sure that:

1)  An nsINode whose GetOwnerDoc() has no script handling object cannot be
    JS-wrapped.
2)  Adopting or importing a node from a document with a script handling object
    into one without fails.

That should at least make sure we don't accidentally expose such documents to script (something that at least one set of patches in progress was pretty close to doing, since none of this stuff is documented anywhere).  Of course ideally this script handling object bogosity will go away...  smaug says there might be a bug on that.
Flags: blocking1.9.1?
I haven't really verified this works, because I don't know how a script could
get access to problematic documents.
So I need to write a C++ test case for this and return
a document without script handling object to JS.

Especially I'm not familiar with quickstubs, so if that changes something here, 
a hint how to fix that would be useful.
quickstubs don't affect PreCreate so far, so we're good there.

You could verify this works by disabling the setting of the script handling object in XHR and checking that you can no longer get the responseXML from the XHR object.   Not sure we can write a test for this in general easily.

Still need to fix the import/adopt thing, btw.
Only adopt, since that is the only case where event listeners are moved to a
new document.
Or, hmm, right. Clone/import may cause something bad too, because of
onfoo attributes.
Attached patch or maybe thisSplinter Review 
I tested this by making .createDocument to create non-scriptable-documents.
Content couldn't access those but chrome could.
Also the following works in chrome
Components.classes["@mozilla.org/xml/xml-document;1"].createInstance(Components.interfaces.nsIDOMDocument); and this is why we still need to allow trusted scripts to access those documents, I think.
Not perfect solution, but should prevent possible security problems where
content's event listeners run with chrome privileges.
Group: core-security
I guess import is not a problem because you won't be able to JS-wrap the new node.  So you're right, just have to deal with adopt.

I'm not sure about allowing chrome to access these documents: they could leak into content.

The fact that documents are creatable with a classid is more or less an accident; it creates bogus documents, and we want to remove it one of these days when we get around to it.  I see no reason to make sure it works from chrome script.
(In reply to comment #6)
> I'm not sure about allowing chrome to access these documents: they could leak
> into content.
But would they use the same wrappers then?
Sure, if the chrome passes its wrapper to the content code.
But wouldn't that case bring other security problems anyway, I mean even with
documents which have script handling object. Wrappers' scope is set in
PreCreate.
And if chrome gives a document with a chrome script handling object to content
and content can somehow modify it, event listeners will run with chrome privileges.
Yeah, it probably would.  I guess I just don't see a usecase in special-casing chrome here, and would rather not add the extra code.
I don't want to break any extensions, which may use .createInstance.
We've said loud and clear that those shouldn't be used.  In fact, I'd support removing them entirely for 1.9.1.  If extensions are using them, they need to stop anyway.
(In reply to comment #12)
> We've said loud and clear that those shouldn't be used.
We have? Where?

I'd like to get the fix to 1.9.0 too, so would be great to get the same
patch first to 1.9.1 to get some baking time.
Attachment #339696 - Flags: superreview?(bzbarsky)
Attachment #339696 - Flags: review?(bzbarsky)
> We have? Where?

Any time someone brought it up in the newsgroups, for one thing...

I can see the 1.9.0 argument.  Let's do this your way for now, then, and file a followup to remove the code before we get too far into the 1.9.1 betas, maybe?
Comment on attachment 339696 [details] [diff] [review]
or maybe this

>+  // If we have a document, make sure

 ... one of these is true

r+sr=bzbarsky with that.
Attachment #339696 - Flags: superreview?(bzbarsky)
Attachment #339696 - Flags: superreview+
Attachment #339696 - Flags: review?(bzbarsky)
Attachment #339696 - Flags: review+
Assignee: nobody → Olli.Pettay
Depends on: 459673
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Depends on: 460460
Depends on: 461772
Depends on: 465767
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/36efcc70a426
Flags: blocking1.9.1? → blocking1.9.1+
Keywords: fixed1.9.1
Priority: -- → P1
smaug(In reply to comment #13)
> I'd like to get the fix to 1.9.0 too, so would be great to get the same
> patch first to 1.9.1 to get some baking time.

Seems well-baked, how much of this and which regression fixes (bug 465767?) do we want on the 1.9.0 branch? Were there any extensions affected?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.8?
Unless we know specific documents we're exposing unsafely this is more of a preventive action than a "critical" security bug, but seems an easy mistake to make so guessing at "moderate" severity.
Whiteboard: [sg:moderate]
Flags: blocking1.9.0.8? → blocking1.9.0.8+
Verified based on checkins. Landed on trunk as http://hg.mozilla.org/mozilla-central/rev/36efcc70a426

Can we have a test here?
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
Keywords: fixed1.9.1verified1.9.1
OS: Mac OS X → All
Hardware: x86 → All
Target Milestone: --- → mozilla1.9.2a1
Since the regression situation is unclear and there hasn't been any response I'm guessing this isn't making the 1.9.0.8 code-freeze :-(
Flags: blocking1.9.0.8+ → blocking1.9.0.9?
Given the still-open dependencies/regressions we'll wait on this for the 1.9.0 branch
Flags: blocking1.9.0.10?
QA Contact: content
Component: Content → DOM
QA Contact: content → general
Flags: blocking1.9.0.13?
Is regression bug 460460 going to get fixed? Or is that now the intended behavior and addon authors will simply have to deal with it?
Whiteboard: [sg:moderate] → [sg:moderate][needs answer to comment 23 from Olli]
Bug 460460 is going to get fixed eventually, I hope. But I'm not yet sure how.
Hopefully http://mxr-test.konigsberg.mozilla.org/bonsai/cvsblame.cgi?file=js/src/xpconnect/src/xpccallcontext.cpp&xrev=913aaa2f38d3&mark=95-102#93 gets changed or security checks changed so that they don't rely on the JSContext.
Flags: blocking1.9.0.14?
Whiteboard: [sg:moderate][needs answer to comment 23 from Olli] → [sg:moderate][needs 1.9.0 fix, fix for regression 460460]
Group: core-security
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: