The default bug view has changed. See this FAQ.

XPCNativeWrapper's toString's __proto__ comes from the wrong scope

VERIFIED FIXED in mozilla1.9.1

Status

()

Core
XPConnect
P2
normal
VERIFIED FIXED
8 years ago
7 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Tracking

({fixed1.9.1, verified1.8.1.22, verified1.9.0.9})

unspecified
mozilla1.9.1
x86
Windows XP
fixed1.9.1, verified1.8.1.22, verified1.9.0.9
Points:
---
Bug Flags:
blocking1.9.1 +
blocking1.9.0.9 +
wanted1.9.0.x +
blocking1.8.1.next +
wanted1.8.1.x +
blocking1.8.0.next ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:high])

Attachments

(3 attachments, 1 obsolete attachment)

(Reporter)

Description

8 years ago
This is a similar problem to bug 370127.  If chrome code calls
content.toString.call(), then content-defined functions can be called by chrome
code.  Also, it's possible to use this bug to bypass XOW and perform bug
369334's XSS attack.
Assignee: nobody → mrbkap
Flags: blocking1.9.1?
Flags: blocking1.9.0.8?
Flags: blocking1.8.1.next?
(Assignee)

Comment 3

8 years ago
Created attachment 362261 [details] [diff] [review]
Fix for this bug

This fixes this bug. I'm re-evaluating how these toString methods are implemented though.
Attachment #362261 - Flags: superreview?(jst)
Attachment #362261 - Flags: review?(jst)
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.8?
Flags: blocking1.9.0.8+
Whiteboard: [sg:high]
Flags: wanted1.8.1.x+

Updated

8 years ago
Flags: blocking1.9.1? → blocking1.9.1+

Updated

8 years ago
Attachment #362261 - Flags: superreview?(jst)
Attachment #362261 - Flags: superreview+
Attachment #362261 - Flags: review?(jst)
Attachment #362261 - Flags: review+
Flags: blocking1.8.1.next?

Updated

8 years ago
Whiteboard: [sg:high] → [sg:high] needs landing

Updated

8 years ago
Priority: -- → P2
Target Milestone: --- → mozilla1.9.1
(Assignee)

Comment 4

8 years ago
http://hg.mozilla.org/mozilla-central/rev/6b6128b32170
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Assignee)

Updated

8 years ago
Whiteboard: [sg:high] needs landing → [sg:high]
(Assignee)

Comment 5

8 years ago
Comment on attachment 362261 [details] [diff] [review]
Fix for this bug

This applies as-is to the 1.9.0 branch.
Attachment #362261 - Flags: approval1.9.0.8?
(Assignee)

Comment 6

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/636b381bd764
Keywords: fixed1.9.1
Comment on attachment 362261 [details] [diff] [review]
Fix for this bug

Approved for 1.9.0.8, a=dveditz for release-drivers
Attachment #362261 - Flags: approval1.9.0.8? → approval1.9.0.8+
(Assignee)

Comment 8

8 years ago
Fixed on the 1.9.0 branch.
Keywords: fixed1.9.0.8
Verified for 1.9.0.8 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.8pre) Gecko/2009031904 GranParadiso/3.0.8pre.

Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090319 Shiretoko/3.5b4pre.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.0.8 → verified1.9.0.8

Comment 10

8 years ago
Created attachment 371857 [details] [diff] [review]
1.8.0 backport

Comment 11

8 years ago
Comment on attachment 371857 [details] [diff] [review]
1.8.0 backport

Can you please confirm this one?
Attachment #371857 - Flags: review?(jst)

Updated

8 years ago
Attachment #371857 - Flags: review?(jst) → review+
Flags: blocking1.8.1.next?
Flags: blocking1.8.0.next?

Comment 12

8 years ago
Created attachment 374793 [details] [diff] [review]
for 1.8 branch

this patch fixes both testcases on 1.8; avoided not exported js_SetSlotThreadSafe by using (funobj)->slots[JSSLOT_PARENT] directly. Hope thats the right approach.
Attachment #374793 - Flags: review?(jst)
Whiteboard: [sg:high] → [sg:high] needs r=jst for 1.8.1 (answer "(funobj)->slots[JSSLOT_PARENT]" question)
(Assignee)

Comment 13

8 years ago
Comment on attachment 374793 [details] [diff] [review]
for 1.8 branch

>+    // avoid not exported js_SetSlotThreadSafe
>+    (funobj)->slots[JSSLOT_PARENT] = OBJECT_TO_JSVAL(obj);

I think you want JS_SetParent(cx, funobj, obj) here.
Attachment #374793 - Flags: review?(jst) → review-
Whiteboard: [sg:high] needs r=jst for 1.8.1 (answer "(funobj)->slots[JSSLOT_PARENT]" question) → [sg:high] needs new 1.8.1 patch

Comment 14

8 years ago
Created attachment 378031 [details] [diff] [review]
for 1.8 branch (attempt 2)

with ::JS_SetParent (see comment 13)
Attachment #374793 - Attachment is obsolete: true
Attachment #378031 - Flags: review?(mrbkap)
(Assignee)

Updated

8 years ago
Attachment #378031 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 15

8 years ago
Comment on attachment 378031 [details] [diff] [review]
for 1.8 branch (attempt 2)

>+    // avoid not exported js_SetSlotThreadSafe
>+    JS_SetParent (cx, funobj, obj);

I don't think the code comment is necessary, and get rid of the space before the paren (not that it matters, it's your branch!).
Flags: blocking1.8.1.next? → blocking1.8.1.next+
Whiteboard: [sg:high] needs new 1.8.1 patch → [sg:high]
Comment on attachment 378031 [details] [diff] [review]
for 1.8 branch (attempt 2)

Approved for 1.8.1.22, a=dveditz for release-drivers
Attachment #378031 - Flags: approval1.8.1.next+
(Assignee)

Comment 17

8 years ago
new revision: 1.31.2.25; previous revision: 1.31.2.24
Keywords: fixed1.8.1.22
Verified for 1.8.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.22pre) Gecko/20090602 SeaMonkey/1.1.17pre using testcases.
Keywords: fixed1.8.1.22 → verified1.8.1.22
Group: core-security
You need to log in before you can comment on or make changes to this bug.