Bug 500513 - Stop allowing plugins to access XPCOM through NPN_GetValue()
Status: RESOLVED FIXED
Keywords: dev-doc-complete
Product: Core
Classification: Components
Component: Plug-ins
Version: Trunk
Platform: All All
Importance: -- normal
Target Milestone: ---
Assigned To: Josh Aas
: Benjamin Smedberg [:bsmedberg]
Duplicates: 435433 531356
Depends on: 503902 510963 531290 545224
Blocks: 435431
Reported: 2009-06-25 14:15 PDT by Chris Jones [:cjones] inactive; ni?/f?/r? if you need me
Modified: 2010-02-13 07:25 PST

Attachments
fix v1.0 (1.82 KB, patch)
2009-06-25 21:20 PDT, Josh Aas
jst: review+
jst: superreview+

Description Chris Jones [:cjones] inactive; ni?/f?/r? if you need me 2009-06-25 14:15:31 PDT
Plugins can call NPN_GetValue() with the values NPNVserviceManager, NPNVDOMElement, or NPNVDOMWindow and get pointers to XPCOM instances.  They should not be able to do this.

Among other reasons that this interface is troublesome is that it will be extremely painful to impossible for us to support when plugins run in separate processes.
Comment 1 Benjamin Smedberg [:bsmedberg] 2009-06-25 14:16:47 PDT
And it prevents us from making any breaking changes to XPCOM.
Comment 2 Josh Aas 2009-06-25 14:21:27 PDT
Do we have any known consumers besides maybe the old OJI-based Java plugin and maybe Real Player?
Comment 3 Josh Aas 2009-06-25 21:20:18 PDT
Created attachment 385314
fix v1.0
Comment 4 Josh Aas 2009-06-26 07:35:17 PDT
pushed to mozilla-central

http://hg.mozilla.org/mozilla-central/rev/7b55c4e84bcb
Comment 5 Benjamin Smedberg [:bsmedberg] 2009-06-26 07:58:42 PDT
*** Bug 435433 has been marked as a duplicate of this bug. ***
Comment 6 Benjamin Smedberg [:bsmedberg] 2009-11-28 16:53:59 PST
*** Bug 531356 has been marked as a duplicate of this bug. ***
Comment 8 Mats Palmgren (:mats) 2009-11-29 09:35:11 PST
Should we update https://developer.mozilla.org/en/NPN_GetValue
to mention that getting these values is deprecated in Firefox 3.6?
Comment 9 Eric Shepherd [:sheppy] 2009-11-30 07:22:22 PST
Documentation updated:

https://developer.mozilla.org/en/NPN_GetValue

Also mentioned on:

https://developer.mozilla.org/en/Firefox_3.6_for_developers#Miscellaneous
