The fix in bug 451680 does not fix <field>.
This tries to get cookies for www.mozilla.com. This works on trunk, fx3.0.x and fx2.0.0.x.
*sigh*. We probably need to block on this because it affects Firefox 2 and this is our last release there... Blake? :)
Assignee: nobody → mrbkap
Whiteboard: [sg:high] → [sg:high][needs branch patches]
This uses the node principal of the bound content's owner document. I *think* that's the right principal to use here.
Whiteboard: [sg:high][needs branch patches] → [sg:high][needs r/sr sicking]
Comment on attachment 348911 [details] [diff] [review] Proposed fix Using content->NodePrincipal() would be slightly safer I think. Should amount to exactly the same thing.
Whiteboard: [sg:high][needs r/sr sicking] → [sg:high][needs branch patches? or just approval?]
This applies to trunk and the 1.9 branch. I'm looking into backporting it to the 1.8 branch.
...except that the 1.8 branch isn't vulnerable to this exploit because on the branch, field installation is eager and called from nsXBLProtoImpl::InstallImplementation, which, thanks to the backport in bug 451680, now bails out in this case.
Comment on attachment 349022 [details] [diff] [review] Updated to comments After talking to beltzner, we'll wait to check this in after beta2.
Attachment #349022 - Flags: approval1.9.1b2? → approval1.9.1?
Component: Security → XBL
OS: Windows XP → All
QA Contact: toolkit → xbl
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1
Version: unspecified → Trunk
Hey, want to remove that XXX comment about a better principal since you have one now? ;)
Er, yeah. I've done that locally.
Comment on attachment 349022 [details] [diff] [review] Updated to comments Approved for 220.127.116.11, a=dveditz for release-drivers
Attachment #349022 - Flags: approval18.104.22.168? → approval22.214.171.124+
Fixed on the 1.9 branch.
Status: NEW → ASSIGNED
We took this for 1.9.0, so we can't ship 1.9.1 w/o this. Blocker.
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
Verified for 126.96.36.199 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52pre) Gecko/2008112503 BonEcho/184.108.40.206pre. Verified for 220.127.116.11 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168pre) Gecko/2008112505 GranParadiso/3.0.5pre. I'm surprised that we haven't fixed this in Trunk yet though.
Attachment #349022 - Flags: approval1.9.1? → approval1.9.1+
Note to whoever checks this in -- please use the patch that was actually checked into the 1.9 branch or address comment 8 manually. Checkin message: Bug 464174 - Pass a principal in when compiling fields. r+sr=sicking a=beltzner
Missed comment 15 before I pushed, so commit message just has bug number and reviewers: http://hg.mozilla.org/mozilla-central/rev/4cfa752afa85 And addressing comment 8... http://hg.mozilla.org/mozilla-central/rev/60ba92ead6d3
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: mozilla1.9.1 → mozilla1.9.1b3
Whiteboard: [sg:high][needs approval] fixed in 1.8.1.x by bug 451680 → [sg:high] fixed in 1.8.1.x by bug 451680
You need to log in before you can comment on or make changes to this bug.