Closed Bug 45877 Opened 25 years ago Closed 25 years ago

Signed script dialog corrupts prefs file.

Categories

(Core :: Security, defect, P3)

x86
Windows NT
defect

VERIFIED FIXED

People

(Reporter: jat, Assigned: jat)

Details

(Whiteboard: [nsbeta3+])

Attachments

(2 files)

BuildID: 2000071708

When a script runs, a dialog appears asking the user to accept or decline the signed script. A box asks if the user wants to remember the decision. By selecting "remember", the browser writes information about the signed script and its capability to the user's pref.js file. The capability is inordinately long and contains newlines and quotes. When the browser is started with these changes, it is unable to read the preferences file.

Reproducible: Always

Steps to Reproduce:
1. Sign attached script and html file
2. Run html file in mozilla (make sure "Remember this selection" is checked).
3. Quit mozilla
4. Restart mozilla

Actual Results: Unable to access any preferences. Reverts to default prefs, so unable to check mail, bookmarks, etc. without manually changing the pref.js file.

Expected Results: Should run with user's preferences.
Attached file html file for script
Confirmed exploit.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
This is an exploit which I think will probably be taken advantage of. The fix is simple. jataylor believes the bug is caused by an excessively long privilege name, not by any odd characters in the name, so simply checking for a maximum length on these names will solve the problem. Nominating nsbeta3.
Keywords: correctness, nsbeta3
Target Milestone: --- → M19
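The thread leaves open whether the corruption comes from the capability's length or from the newlines and quotes it contains. The following is an added example, not Mozilla code, that shows both failure modes against a prefs.js-style file and a writer that guards against each: it caps the stored name at an assumed MAX_PRIV_NAME_LEN (the bug does not state the real limit) and escapes the value as a JS string literal before serialising. The pref name and the oversized capability value are constructed for the demonstration.

```javascript
// Added example; not Mozilla's preferences code.
// prefs.js stores one entry per line in the form:
//   user_pref("some.pref.name", "value");
// A value written without escaping can terminate the literal early and
// break the whole file, which is what the bug report describes.

const MAX_PRIV_NAME_LEN = 256; // assumed cap; the real safe length is not given in the bug

// Naive writer: interpolates name and value verbatim (the buggy behaviour).
function naivePrefLine(name, value) {
  return `user_pref("${name}", "${value}");`;
}

// Escape backslashes, double quotes and line breaks so the value survives
// inside a double-quoted JS string literal.
function escapeJsString(s) {
  return s
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r");
}

function unescapeJsString(s) {
  const map = { n: "\n", r: "\r" };
  return s.replace(/\\(.)/g, (_, c) => (c in map ? map[c] : c));
}

// Hardened writer: reject over-long values and escape before serialising.
function safePrefLine(name, value) {
  if (value.length > MAX_PRIV_NAME_LEN) {
    throw new RangeError(`capability value exceeds ${MAX_PRIV_NAME_LEN} characters`);
  }
  return `user_pref("${escapeJsString(name)}", "${escapeJsString(value)}");`;
}

// Strict reader for the user_pref("k", "v"); form, one entry per line.
// Returns null as soon as any line fails to parse, mirroring a browser that
// cannot load a corrupted prefs file and falls back to defaults.
function parsePrefsFile(text) {
  const entry = /^user_pref\("((?:[^"\\]|\\.)*)",\s*"((?:[^"\\]|\\.)*)"\);$/;
  const prefs = {};
  for (const line of text.split("\n")) {
    if (line.trim() === "") continue;
    const m = entry.exec(line);
    if (!m) return null;
    prefs[unescapeJsString(m[1])] = unescapeJsString(m[2]);
  }
  return prefs;
}

// Constructed sample: a capability string carrying a newline and quotes.
const PREF_NAME = "capability.principal.codebase.p0.granted"; // constructed name
const HOSTILE_VALUE = 'UniversalBrowserRead\nUniversalFileRead "extra"';

// Returns { naive, safe } so a caller can compare both outcomes.
function demo() {
  const naiveFile = naivePrefLine(PREF_NAME, HOSTILE_VALUE) + "\n";
  const safeFile = safePrefLine(PREF_NAME, HOSTILE_VALUE) + "\n";
  return { naive: parsePrefsFile(naiveFile), safe: parsePrefsFile(safeFile) };
}

const result = demo();
console.log("naive write parses:", result.naive !== null); // false: file is corrupt
console.log("safe write round-trips:", result.safe[PREF_NAME] === HOSTILE_VALUE); // true
```

The reader deliberately rejects the whole file on the first bad line rather than skipping it, which is the conservative choice when the file is a trust store: a half-parsed preferences file could silently drop a "deny" entry.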
[nsbeta3+]. Clearly we must figure out what the maximum safe length for a privilege is and stick within that. Beyond that (as a more ambitious fix, probably FUTURE) it might be worth looking at whether the preferences service should be made more robust so it's less easily hosed.
Whiteboard: [nsbeta3+]
->jtaylor. John, I think it would be best to solve this at the root of the problem, which may be in prefs or possibly the JS engine. I'll work with you on this.
Assignee: mstoltz → jtaylor
Status: ASSIGNED → NEW
Status: NEW → ASSIGNED
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
verified
Status: RESOLVED → VERIFIED
Opening fixed security bugs to the public.
Group: netscapeconfidential?