Closed
Bug 503226
(CVE-2009-3375)
Opened 15 years ago
Closed 15 years ago
document.getSelection() can read cross-origin content selections
Categories
(Core :: DOM: Core & HTML, defect, P2)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta1-fixed |
blocking1.9.1 | --- | .4+ |
status1.9.1 | --- | .4-fixed |
People
(Reporter: gfleischer+bugzilla, Assigned: smaug)
Details
(Keywords: verified1.9.0.15, verified1.9.1, Whiteboard: [sg:moderate])
Attachments (2 files)
1.59 KB, text/html
1.23 KB, patch (jst: review+, sicking: review+, jst: superreview+, dveditz: approval1.9.1.4+, dveditz: approval1.9.0.15+)
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.0.11) Gecko/2009060214 Firefox/3.0.11
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.1pre) Gecko/20090708 Shiretoko/3.5.1pre
The document.getSelection() method can be used to read cross-origin content selections.
By storing a reference to the contentDocument of an iframe, any selections made within that iframe can be read regardless of origin.
This method appears to be deprecated.
Reproducible: Always
Comment 1 • 15 years ago (Reporter)
Select destination for iframe and select 'go'. Make a text selection and the content should be displayed in an alert box.
Comment 2 • 15 years ago
The test shows the reported behaviour. I suspect this should live in Content-land, particularly since jst wrote the deprecation message. :)
Status: UNCONFIRMED → NEW
Component: General → DOM: Core & HTML
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → general
Whiteboard: [sg:investigate]
Updated • 15 years ago (Assignee)
Assignee: nobody → Olli.Pettay
Flags: blocking1.9.2?
Updated • 15 years ago (Assignee)
Status: NEW → ASSIGNED
Comment 5 • 15 years ago
Marking this a blocker since this allows cross site data leakage.
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
Comment 6 • 15 years ago (Assignee)
Attachment #394093 -
Flags: review?(jst)
Updated • 15 years ago
Attachment #394093 -
Flags: superreview+
Attachment #394093 -
Flags: review?(jst)
Attachment #394093 -
Flags: review+
Updated • 15 years ago (Assignee)
Attachment #394093 -
Flags: review?(jonas)
Comment 7 • 15 years ago (Assignee)
Comment on attachment 394093
simple patch
AFAIK, security bugs need separate r and sr nowadays.
Attachment #394093 -
Flags: review?(jonas) → review+
Comment on attachment 394093
simple patch
mochitest?
Comment 9 • 15 years ago (Assignee)
Don't want to add such before this is fixed everywhere.
Comment 10 • 15 years ago (Assignee)
Status: ASSIGNED → RESOLVED
blocking1.9.1: --- → ?
Closed: 15 years ago
Flags: blocking1.9.0.15?
Resolution: --- → FIXED
Comment 11 • 15 years ago (Assignee)
Keywords: fixed1.9.2
Updated • 15 years ago
blocking1.9.1: ? → .4+
Flags: blocking1.9.0.15? → blocking1.9.0.15+
Updated • 15 years ago (Assignee)
Attachment #394093 -
Flags: approval1.9.1.4?
Updated • 15 years ago (Assignee)
Attachment #394093 -
Flags: approval1.9.0.15?
Updated • 15 years ago
status1.9.1: --- → wanted
Flags: wanted1.9.0.x+
Comment 12 • 15 years ago
Comment on attachment 394093
simple patch
Approved for 1.9.1.4 and 1.9.0.15, a=dveditz for release-drivers
Attachment #394093 -
Flags: approval1.9.1.4?
Attachment #394093 -
Flags: approval1.9.1.4+
Attachment #394093 -
Flags: approval1.9.0.15?
Attachment #394093 -
Flags: approval1.9.0.15+
Comment 13 • 15 years ago (Assignee)
Checking in content/html/document/src/nsHTMLDocument.cpp;
/cvsroot/mozilla/content/html/document/src/nsHTMLDocument.cpp,v <-- nsHTMLDocument.cpp
new revision: 3.792; previous revision: 3.791
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/bffd0a33d902
Keywords: fixed1.9.0.15
Updated • 15 years ago
status1.9.2: --- → beta1-fixed
Keywords: fixed1.9.2
Comment 14 • 15 years ago
Verified attached testcase reproduces bug in 1.9.1.3 and is fixed in the 1.9.1.4pre build (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.4pre) Gecko/20090914 Shiretoko/3.5.4pre).
Keywords: verified1.9.1
Comment 15 • 15 years ago
Verified for 1.9.0.15 as well with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.15pre) Gecko/2009091606 GranParadiso/3.0.15pre (.NET CLR 3.5.30729).
Keywords: fixed1.9.0.15 → verified1.9.0.15
Updated • 15 years ago
Whiteboard: [sg:investigate] → [sg:moderate]
Updated • 15 years ago
Alias: CVE-2009-3375
Comment 16 • 15 years ago
(In reply to comment #9)
> Don't want to add such before this is fixed everywhere.
I can has test plz?
Flags: in-testsuite?
Updated • 15 years ago
Group: core-security