Bug 478433 - XPCNativeWrapper's toString's __proto__ comes from the wrong scope
Status: VERIFIED FIXED
Whiteboard: [sg:high]
Keywords: fixed1.9.1, verified1.8.1.22, verified1.9.0.9
Product: Core
Classification: Components
Component: XPConnect
Version: unspecified
Platform: x86 Windows XP
Priority/Severity: P2 normal
Target Milestone: mozilla1.9.1
Assigned To: Blake Kaplan (:mrbkap)
Reported: 2009-02-13 09:40 PST by moz_bug_r_a4
Modified: 2010-02-13 12:45 PST
jst: blocking1.9.1+
dveditz: blocking1.9.0.9+
dveditz: wanted1.9.0.x+
dveditz: blocking1.8.1.next+
dveditz: wanted1.8.1.x+
dveditz: blocking1.8.0.next?

Attachments
Fix for this bug (1.41 KB, patch)
2009-02-13 10:43 PST, Blake Kaplan (:mrbkap)
jst: review+
jst: superreview+
dveditz: approval1.9.0.9+
1.8.0 backport (1.11 KB, patch)
2009-04-09 06:36 PDT, Martin Stránský
jst: review+
for 1.8 branch (1.37 KB, patch)
2009-04-27 11:59 PDT, Alexander Sack
mrbkap: review-
for 1.8 branch (attempt 2) (1.48 KB, patch)
2009-05-18 03:48 PDT, Alexander Sack
mrbkap: review+
dveditz: approval1.8.1.next+

Description moz_bug_r_a4 2009-02-13 09:40:10 PST
This is a similar problem to bug 370127.  If chrome code calls
content.toString.call(), then content-defined functions can be called by chrome
code.  Also, it's possible to use this bug to bypass XOW and perform bug
369334's XSS attack.
Comment 3 Blake Kaplan (:mrbkap) 2009-02-13 10:43:34 PST
Created attachment 362261 [details] [diff] [review]
Fix for this bug

This fixes this bug. I'm re-evaluating how these toString methods are implemented though.
Comment 4 Blake Kaplan (:mrbkap) 2009-02-25 17:48:23 PST
http://hg.mozilla.org/mozilla-central/rev/6b6128b32170
Comment 5 Blake Kaplan (:mrbkap) 2009-03-16 16:38:02 PDT
Comment on attachment 362261 [details] [diff] [review]
Fix for this bug

This applies as-is to the 1.9.0 branch.
Comment 6 Blake Kaplan (:mrbkap) 2009-03-16 18:03:44 PDT
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/636b381bd764
Comment 7 Daniel Veditz [:dveditz] 2009-03-17 13:21:50 PDT
Comment on attachment 362261 [details] [diff] [review]
Fix for this bug

Approved for 1.9.0.8, a=dveditz for release-drivers
Comment 8 Blake Kaplan (:mrbkap) 2009-03-17 14:41:37 PDT
Fixed on the 1.9.0 branch.
Comment 9 Al Billings [:abillings] 2009-03-19 16:46:59 PDT
Verified for 1.9.0.8 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.8pre) Gecko/2009031904 GranParadiso/3.0.8pre.

Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090319 Shiretoko/3.5b4pre.
Comment 10 Martin Stránský 2009-04-09 06:36:03 PDT
Created attachment 371857 [details] [diff] [review]
1.8.0 backport
Comment 11 Martin Stránský 2009-04-09 06:38:39 PDT
Comment on attachment 371857 [details] [diff] [review]
1.8.0 backport

Can you please confirm this one?
Comment 12 Alexander Sack 2009-04-27 11:59:50 PDT
Created attachment 374793 [details] [diff] [review]
for 1.8 branch

This patch fixes both testcases on 1.8; avoided the non-exported js_SetSlotThreadSafe by using (funobj)->slots[JSSLOT_PARENT] directly. Hope that's the right approach.
Comment 13 Blake Kaplan (:mrbkap) 2009-04-29 23:00:09 PDT
Comment on attachment 374793 [details] [diff] [review]
for 1.8 branch

>+    // avoid not exported js_SetSlotThreadSafe
>+    (funobj)->slots[JSSLOT_PARENT] = OBJECT_TO_JSVAL(obj);
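Review bot: the direct store into `(funobj)->slots[JSSLOT_PARENT]` reaches into the object's internal slot layout to get around the non-exported js_SetSlotThreadSafe, so it skips whatever that function does beyond a plain assignment (its name says it is the thread-safe slot setter). The public API for changing a function object's parent is JS_SetParent(cx, funobj, obj); calling it instead of poking the slot keeps the backport on supported API and also removes the redundant parentheses around funobj.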

I think you want JS_SetParent(cx, funobj, obj) here.
Comment 14 Alexander Sack 2009-05-18 03:48:29 PDT
Created attachment 378031 [details] [diff] [review]
for 1.8 branch (attempt 2)

with ::JS_SetParent (see comment 13)
Comment 15 Blake Kaplan (:mrbkap) 2009-05-18 11:02:56 PDT
Comment on attachment 378031 [details] [diff] [review]
for 1.8 branch (attempt 2)

>+    // avoid not exported js_SetSlotThreadSafe
>+    JS_SetParent (cx, funobj, obj);
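Review bot: the comment `// avoid not exported js_SetSlotThreadSafe` describes the previous revision's raw slot store, not this line, which now calls the exported JS_SetParent, so it should be deleted rather than left to mislead the next reader; also drop the space before the parenthesis in `JS_SetParent (cx, funobj, obj)`.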

I don't think the code comment is necessary, and get rid of the space before the paren (not that it matters, it's your branch!).
Comment 16 Daniel Veditz [:dveditz] 2009-05-31 22:07:28 PDT
Comment on attachment 378031 [details] [diff] [review]
for 1.8 branch (attempt 2)

Approved for 1.8.1.22, a=dveditz for release-drivers
Comment 17 Blake Kaplan (:mrbkap) 2009-06-01 18:12:35 PDT
new revision: 1.31.2.25; previous revision: 1.31.2.24
Comment 18 Al Billings [:abillings] 2009-06-02 14:57:45 PDT
Verified for 1.8.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.22pre) Gecko/20090602 SeaMonkey/1.1.17pre using testcases.