Closed
Bug 470720
Opened 16 years ago
Closed 16 years ago
XSS using XPCNativeWrapper and quick stubs
Categories
(Core :: Security, defect, P1)
RESOLVED
FIXED
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
References
Details
(Whiteboard: [sg:high])
Attachments
(3 files)
551 bytes, text/html
612 bytes, text/html
1.59 KB, patch (jst: review+, jst: superreview+)
This is trunk/1.9.1 only.
By using XPCNativeWrapper, it's possible to call quick stub
methods/getters/setters on cross-origin objects.
Bug 468552 partially fixes this bug.
Comment 1 • 16 years ago (Reporter)
This tries to get cookies for www.mozilla.com.
This works on 1.9.1.
On trunk, bug 468552 fixed this testcase.
Comment 2 • 16 years ago (Reporter)
This tries to get cookies for www.mozilla.com.
This works on trunk and 1.9.1.
Updated • 16 years ago
Whiteboard: [sg:high]
Updated • 16 years ago
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Updated • 16 years ago
Flags: blocking1.9.1?
Comment 3 • 16 years ago (Assignee)
I had confused SJOWs with native wrappers when I allowed native wrappers to unwrap XOWs. SJOWs have a CanAccess check above every call, native wrappers don't. In addition, native wrappers allow themselves to be unwrapped cross-origin, which is what hurts us here.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #354231 - Flags: superreview?(jst)
Attachment #354231 - Flags: review?(jst)
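The distinction comment 3 draws, as a toy model added here (not part of the bug and not Mozilla's code): every class and function name is a hypothetical stand-in for XOWs, SJOWs, native wrappers and quick stubs, and the origins and cookie value are constructed. The "after" case assumes the fix amounts to no longer unwrapping XOWs, as comment 4 states.

```javascript
// Toy model of the wrapper kinds in comment 3; every name is hypothetical.
class Doc {
  constructor(origin, cookie) { this.origin = origin; this.cookie = cookie; }
}
// Quick-stub stand-in: fast-path getter with no security check of its own.
const quickStubGetCookie = (doc) => doc.cookie;
const canAccess = (callerOrigin, doc) => callerOrigin === doc.origin;

// XOW-like: checks the caller's origin on every access to its target.
class CrossOriginWrapper {
  constructor(target) { this.target = target; }
  getCookie(callerOrigin) {
    if (!canAccess(callerOrigin, this.target)) throw new Error("denied");
    return quickStubGetCookie(this.target);
  }
}

// SJOW-like: unwraps the XOW but runs canAccess above every call.
class CheckedWrapper {
  constructor(xow) { this.obj = xow.target; }
  getCookie(callerOrigin) {
    if (!canAccess(callerOrigin, this.obj)) throw new Error("denied");
    return quickStubGetCookie(this.obj);
  }
}

// Native-wrapper-like: no per-call check, so what it agrees to unwrap at
// construction time is the only gate in front of the quick stub.
class NativeWrapperModel {
  constructor(wrapped, { unwrapXOW }) {
    const isXOW = wrapped instanceof CrossOriginWrapper;
    this.obj = isXOW && unwrapXOW ? wrapped.target : wrapped;
  }
  getCookie(callerOrigin) {
    return this.obj instanceof CrossOriginWrapper
      ? this.obj.getCookie(callerOrigin)   // XOW kept: its check still runs
      : quickStubGetCookie(this.obj);      // raw object: unchecked fast path
  }
}

function demo(callerOrigin) {
  const xow = new CrossOriginWrapper(new Doc("https://b.example", "sid=constructed"));
  const attempt = (fn) => { try { return fn(); } catch (e) { return e.message; } };
  return {
    checked: attempt(() => new CheckedWrapper(xow).getCookie(callerOrigin)),
    before: attempt(() => new NativeWrapperModel(xow, { unwrapXOW: true }).getCookie(callerOrigin)),
    after: attempt(() => new NativeWrapperModel(xow, { unwrapXOW: false }).getCookie(callerOrigin)),
  };
}
console.log(demo("https://a.example"));
```

In the model, a cross-origin caller is denied by the checked wrapper and by the non-unwrapping native wrapper, while the unwrapping variant returns the other origin's value because nothing between the unwrap and the fast-path getter re-checks the caller.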
Updated • 16 years ago
Attachment #354231 - Flags: superreview?(jst)
Attachment #354231 - Flags: superreview+
Attachment #354231 - Flags: review?(jst)
Attachment #354231 - Flags: review+
Comment 4 • 16 years ago
Comment on attachment 354231
Fix
// Unwrap a cross origin wrapper, since we're more restrictive than it is.
Since we're no longer unwrapping XOWs, update the comment.
r+sr=jst
Comment 5 • 16 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 6 • 16 years ago
Looks like this should be ready to get approval and to go to the branch, right?
Is there still time to make the beta? Does it need a beta cycle to catch problems?
Priority: -- → P1
Comment 7 • 16 years ago (Assignee)
Chris: this bug was subsumed by bug 472792. We shouldn't take it on the branch, but we should take my fix for that bug (which fixes this as well).
Updated • 16 years ago
Flags: blocking1.9.1?
Updated • 15 years ago
Group: core-security