Bug 466937 (CVE-2009-0355): File stealing with SessionStore
Closed (opened 16 years ago, closed 16 years ago)
Categories: Firefox :: Session Restore, defect
Tracking: RESOLVED FIXED, Firefox 3.6a1
People: Reporter: moz_bug_r_a4, Assigned: zeniko
Details: 4 keywords, Whiteboard: [sg:high]
Attachments (3 files, 1 obsolete file):
2.14 KB, patch | dietrich: review+, dveditz: approval1.9.0.6+
2.23 KB, patch | dveditz: approval1.8.1.next+
8.19 KB, patch | dietrich: review+, beltzner: approval1.9.1+
It's possible to change the type of an input control during restoration.
Comment 2 (Assignee) • 16 years ago
In order to keep sessionstore.js small and to remain compatible with Betas 1 and 2, this patch special-cases <input type="file">. AFAICT this is the only privacy sensitive of our input elements (please correct me now, if I'm wrong!). On a side-note: The same vulnerability works the other way round, as well: If the user selects a file, it'd be possible to get the full file path instead of just the filename. Both patch and test take care of both ways.
Comment 3 (Assignee) • 16 years ago
Comment 4 (Assignee) • 16 years ago
Comment 5 (Assignee) • 16 years ago
(In reply to comment #2)
> AFAICT this is the only privacy sensitive of our input elements
... besides <input type="password"> which we single out already.
Comment 6 (Assignee) • 16 years ago
Do we still need 1.8.1 patches, anyway?
Flags: blocking1.9.0.6?
Flags: blocking1.8.1.next?
Flags: blocking-firefox3.1?
Comment 7 (Assignee) • 16 years ago
Minor update to the test: Let's also make sure that <input type="file"> restoration wasn't broken in the same circumstances.
Attachment #350380 - Attachment is obsolete: true
Attachment #350477 - Flags: review?(dietrich)
Attachment #350380 - Flags: review?(dietrich)
Updated • 16 years ago
Flags: blocking-firefox3.1? → blocking-firefox3.1+
Updated • 16 years ago
Whiteboard: [sg:high] → [sg:high][has patch][needs review dietrich]
Comment 8 • 16 years ago
This has been placed on our "Top Security Bugs" list. Please treat as a top priority.
Updated (Assignee) • 16 years ago
Attachment #350477 - Flags: review?(gavin.sharp)
Updated (Assignee) • 16 years ago
Whiteboard: [sg:high][has patch][needs review dietrich] → [sg:high][has patch][needs review dietrich or gavin]
Comment 9 • 16 years ago
Comment on attachment 350477: patch and test
looks fine, r=me
Attachment #350477 - Flags: review?(dietrich) → review+
Updated (Assignee) • 16 years ago
OS: Windows XP → All
Hardware: PC → All
Whiteboard: [sg:high][has patch][needs review dietrich or gavin] → [sg:high][has patch][needs approval]
Updated (Assignee) • 16 years ago
Attachment #350477 - Flags: review?(gavin.sharp) → approval1.9.1?
Updated (Assignee) • 16 years ago
Attachment #350382 - Flags: approval1.9.0.6?
Updated (Assignee) • 16 years ago
Attachment #350382 - Flags: approval1.9.0.6? → approval1.8.1.next?
Updated (Assignee) • 16 years ago
Attachment #350381 - Flags: approval1.9.0.6?
Comment 10 • 16 years ago
(In reply to comment #6)
> Do we still need 1.8.1 patches, anyway?
Several vendors will continue to support Firefox 2 longer than MoCo, so yeah, it's extremely helpful.
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.6?
Flags: blocking1.9.0.6+
Comment 11 • 16 years ago
We're going to wait for 1.9.1 approval and landing before approving for the older branches, but why is 1.9.1 so different from 1.9.0 here? That would seem to call for a separate review.
Comment 12 (Assignee) • 16 years ago
Comment on attachment 350381: 1.9 branch patch
(In reply to comment #11)
> why is 1.9.1 so different from 1.9.0 here?
Because with all the improvements on 1.9.1 we can actually distinguish type="file" from type="text" and restore both whereas on older branches we can't and thus just have to ignore type="file" during both saving and restoring.
Dietrich: The second bit has been included in the 1.9.1 patch and the first bit is equal to the type="password" one. Please nod if I haven't missed anything.
Attachment #350381 - Flags: review?(dietrich)
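
The restore-time type check described in comments 2 and 12, as an added example that is not the patch attached to this bug and not Mozilla code. It assumes a simplified model in which form fields are plain objects; saveFields, restoreFields, the legacy option and the sample paths are all constructed for illustration.

```javascript
// Added illustration, not Mozilla's patch. Fields are plain objects standing in
// for <input> elements; every name and sample value here is constructed.
const NEVER_SAVED = new Set(["password"]); // singled out already (comment 5)

// Save: file inputs get their own bucket, so the type seen at save time travels
// with the value. legacy=true models the older branches, which cannot tell the
// types apart later and therefore drop type="file" altogether.
function saveFields(fields, { legacy = false } = {}) {
  const saved = { text: new Map(), file: new Map() };
  for (const f of fields) {
    if (NEVER_SAVED.has(f.type)) continue;
    if (f.type !== "file") saved.text.set(f.id, f.value);
    else if (!legacy) saved.file.set(f.id, f.value);
  }
  return saved;
}

// Restore: the page decides each field's type at restore time, so check it
// again. A value is written back only into a field of the type it came from.
function restoreFields(saved, fields, { legacy = false } = {}) {
  const restored = [];
  for (const f of fields) {
    if (NEVER_SAVED.has(f.type)) continue;
    if (f.type === "file" && legacy) continue;
    const bucket = f.type === "file" ? saved.file : saved.text;
    if (!bucket.has(f.id)) continue;
    f.value = bucket.get(f.id);
    restored.push(f.id);
  }
  return restored;
}

// Constructed session: same field ids, but the types differ between the page
// at save time and the page at restore time.
const atSave = [
  { id: "note", type: "text", value: "/home/user/notes.txt" },
  { id: "upload", type: "file", value: "/home/user/report.pdf" },
];
const swapped = () => [
  { id: "note", type: "file", value: "" },   // was text
  { id: "upload", type: "text", value: "" }, // was file
];
const unchanged = () => atSave.map((f) => ({ ...f, value: "" }));

console.log(restoreFields(saveFields(atSave), swapped()));   // []
console.log(restoreFields(saveFields(atSave), unchanged())); // [ 'note', 'upload' ]
```

With the types swapped in either direction nothing is written back, while an unchanged page still gets both values restored.
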
Updated • 16 years ago
Attachment #350381 - Flags: review?(dietrich) → review+
Comment 13 • 16 years ago
Comment on attachment 350477: patch and test
a191=beltzner
Attachment #350477 - Flags: approval1.9.1? → approval1.9.1+
Updated (Assignee) • 16 years ago
Keywords: checkin-needed
Whiteboard: [sg:high][has patch][needs approval] → [sg:high][has patch][needs branch approval]
Updated • 16 years ago
Whiteboard: [sg:high][has patch][needs branch approval] → [sg:high][has patch][needs trunk/1.9.1 landing]
Comment 14 • 16 years ago
http://hg.mozilla.org/mozilla-central/rev/8d0d5017c101
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [sg:high][has patch][needs trunk/1.9.1 landing] → [sg:high][has patch][needs 1.9.1 landing]
Target Milestone: --- → Firefox 3.2a1
Updated • 16 years ago
Whiteboard: [sg:high][has patch][needs 1.9.1 landing] → [sg:high][has patch]
Comment 15 • 16 years ago
Comment on attachment 350381: 1.9 branch patch
Approved for 1.9.0.6, a=dveditz for release-drivers.
Attachment #350381 - Flags: approval1.9.0.6? → approval1.9.0.6+
Comment 16 • 16 years ago
dveditz, please approve blocking1.8.1.next if you come to it.
Flags: wanted1.8.0.x-
Flags: blocking1.8.0.next-
Updated • 16 years ago
Flags: blocking1.8.1.next? → blocking1.8.1.next+
Comment 17 • 16 years ago
checked into 1.9.1: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/b9c4584c3fc2
Keywords: fixed1.9.1
Comment 18 • 16 years ago
checked into 1.9.0 branch:
Checking in browser/components/sessionstore/src/nsSessionStore.js;
/cvsroot/mozilla/browser/components/sessionstore/src/nsSessionStore.js,v <-- nsSessionStore.js
new revision: 1.108; previous revision: 1.107
done
Keywords: fixed1.9.0.6
Comment 19 • 16 years ago
Removing checkin-needed keyword, as I think this has been completely landed, but please correct me if I'm wrong.
Keywords: checkin-needed
Whiteboard: [sg:high][has patch] → [sg:high]
Comment 20 (Assignee) • 16 years ago
This hasn't landed on the 1.8.1 branch yet. Needs approval first, though.
Whiteboard: [sg:high] → [sg:high][approval needed for 1.8.1.next]
Comment 21 • 16 years ago
yep. we are waiting for approval1.8.1.next? from comment 16 ... drivers please support us!
Comment 22 • 16 years ago
Verified for 1.9.0.6 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6pre) Gecko/2009010606 GranParadiso/3.0.6pre.
Keywords: fixed1.9.0.6 → verified1.9.0.6
Comment 23 • 16 years ago
Comment on attachment 350382: 1.8.1 branch patch
Approved for 1.8 branch, a=dveditz
Attachment #350382 - Flags: approval1.8.1.next? → approval1.8.1.next+
Updated (Assignee) • 16 years ago
Keywords: checkin-needed
Whiteboard: [sg:high][approval needed for 1.8.1.next] → [sg:high][checkin needed: 1.8.1 branch]
Comment 24 • 16 years ago
MOZILLA_1_8_BRANCH:
Checking in browser/components/sessionstore/src/nsSessionStore.js;
/cvsroot/mozilla/browser/components/sessionstore/src/nsSessionStore.js,v <-- nsSessionStore.js
new revision: 1.5.2.55; previous revision: 1.5.2.54
done
Keywords: checkin-needed → fixed1.8.1.21
Whiteboard: [sg:high][checkin needed: 1.8.1 branch] → [sg:high]
Updated • 15 years ago
Group: core-security
Updated • 15 years ago
Alias: CVE-2009-0355