Closed Bug 460001 Opened 16 years ago Closed 16 years ago

XSS by using two event listeners

Categories

(Core :: Security, defect, P1)

x86
Windows XP
defect

Tracking
VERIFIED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: smaug)

References

Details

(Keywords: regression, verified1.9.1, Whiteboard: [sg:high] 1.9.1-branch only)

Attachments

(3 files)

This is a trunk-only regression from bug 458202.

If there are two event listeners, and the first listener loads a new document,
the second listener can be called on the new document.
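The following is an added illustration of the bug class described in the comment above, not code from this bug's attachments or from Gecko. It is a toy model: a "window" that holds a current document, listeners registered against it, and two dispatchers. In the vulnerable dispatcher, listener 1 navigates the window to another origin and listener 2 is then run against the newly loaded document, reading its cookie. The hardened dispatcher remembers which document the event was dispatched against and stops once the window's document has changed. Origins, cookie values and the listener bodies are constructed for the example.

```javascript
// Constructed model of "two event listeners, the first loads a new
// document, the second runs on it". This is NOT Gecko's event code;
// it only mirrors the invariant the bug violated.

class Doc {
  constructor(origin, cookie) {
    this.origin = origin;   // hypothetical origin string
    this.cookie = cookie;   // hypothetical cookie value
  }
}

class Win {
  constructor(doc) {
    this.document = doc;
    this.listeners = [];
  }
  addEventListener(fn) { this.listeners.push(fn); }
  // Simulates loading a new top-level document into this window.
  load(doc) { this.document = doc; }
}

// Vulnerable: every listener snapshotted at dispatch time is invoked,
// even if an earlier listener has navigated the window elsewhere.
function dispatchVulnerable(win) {
  const fns = win.listeners.slice();
  const leaked = [];
  for (const fn of fns) {
    const r = fn(win);
    if (r !== undefined) leaked.push(r);
  }
  return leaked;
}

// Hardened: remember the document the event was dispatched against and
// refuse to run further listeners once the window's document changed.
function dispatchHardened(win) {
  const target = win.document;
  const fns = win.listeners.slice();
  const leaked = [];
  for (const fn of fns) {
    if (win.document !== target) break; // document swapped under us
    const r = fn(win);
    if (r !== undefined) leaked.push(r);
  }
  return leaked;
}

// Runs the scenario from the bug report under the given dispatcher and
// returns whatever the attacker-controlled listener managed to read.
function scenario(dispatch) {
  const attacker = new Doc('http://attacker.example', 'a=1');        // constructed
  const victim = new Doc('http://www.mozilla.com', 'session=SECRET');  // constructed
  const win = new Win(attacker);
  // Listener 1: navigates the window to the victim origin.
  win.addEventListener(w => { w.load(victim); });
  // Listener 2: attacker-supplied; reads whatever document is current.
  win.addEventListener(w => w.document.origin + ' ' + w.document.cookie);
  return dispatch(win);
}
```

With the vulnerable dispatcher, scenario(dispatchVulnerable) returns the victim document's origin and cookie; with the hardened one, scenario(dispatchHardened) returns an empty list because the second listener never runs after the navigation. The check on the target document is the toy stand-in for what the backed-out change in the attached patch restores; the real fix lives in Gecko's event dispatch, not in this model.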
This tries to get cookies for www.mozilla.com.
This works on trunk.
This tries to get cookies for www.mozilla.com.
This works on trunk.
bah.
Assignee: nobody → Olli.Pettay
What can I say - my mistake!
Attachment #343204 - Flags: superreview?(jonas)
Attachment #343204 - Flags: review?(jonas)
Flags: blocking1.9.1?
Whiteboard: [sg:high]
Comment on attachment 343204 [details] [diff] [review]
backout the problematic part of bug 458202

It'd be good to get tests on this.
Attachment #343204 - Flags: superreview?(jonas)
Attachment #343204 - Flags: superreview+
Attachment #343204 - Flags: review?(jonas)
Attachment #343204 - Flags: review+
(In reply to comment #5)
> (From update of attachment 343204 [details] [diff] [review])
> It'd be good to get tests on this.
Sure, after ff3.0.4 and ff3.1b2.
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Blocks: 458202
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Keywords: regression
Whiteboard: [sg:high] → [sg:high] 1.9.1-branch only
Group: core-security
http://hg.mozilla.org/mozilla-central/rev/4ebb5707950e was prior to branching.

Smaug, it would be very helpful if you listed changeset IDs or links when marking bugs FIXED.
Flags: blocking1.9.1? → blocking1.9.1+
Keywords: fixed1.9.1
Priority: -- → P1
From a visual point of view, what is the expected result of running these test cases?
The expected result is no XSS alerts.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090526
Shiretoko/3.5pre -> XSS alerts do not appear.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b2pre) Gecko/20081018
Minefield/3.1b2pre -> XSS alerts appear.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090527 Shiretoko/3.5pre

Verified that no XSS alerts appear.
Status: RESOLVED → VERIFIED
Flags: in-testsuite? → in-testsuite-