Closed Bug 51442 Opened 25 years ago Closed 25 years ago

JS in mail/news running with system principal

Categories

(Core :: Security, defect, P1)

defect

Tracking


VERIFIED FIXED

People

(Reporter: security-bugs, Assigned: mscott)

Details

(Whiteboard: [nsbeta3+])

Attachments

(1 file)

This is really bad. Not only is the "Disable JS in mail/news" pref not working, scripts in mail are actually running with the all-powerful system principal. This needs to be fixed immediately.
Suggest nsbeta3+ as this is serious. I'll try to track it down, but I'll probably need help from mailnews.
Status: NEW → ASSIGNED
Keywords: nsbeta3
Target Milestone: --- → M18
I'm willing to help. How would JS get the system principal? Here's how we create that iframe in messenger.xul: <iframe id="messagepane" context="messagePaneContext" style="height: 0px" flex="1" name="messagepane" type="content-primary" src="about:blank"/> When JS runs inside this iframe, how does the security code figure out that this iframe should get the system principal? Why is it treated any different than any other ol' iframe?
Oh, I see the troublemaker... oh dear. In nsStreamConverter.cpp around line 596, libmime gets the system principal and assigns it as the owner on the channel we are using for displaying the message. Could this be how it's sneaking in? In any case, that snippet scares me a bit. cc'ing rhp, the author of that code.
Attached patch: proposed fix
Here's my proposed fix. nsStreamConverter was setting the system principal on the channel being used to load content into the message pane iframe. I just took this code out. Rich, do you know why we needed to do that? I'm not seeing any side effects by taking these lines out.
My gut feel is that this was a copy and paste issue. When I got the code to dork around with the channels, I might have copied this stuff as well. Just a thought, but the change looks good to me. r: rhp - rhp
per triage mtg. Just for PDT's sake, the consequences of this are that arbitrary JS in email messages has access to XP-Connect among other things and can do all sorts of nasty things.
Severity: normal → critical
Priority: P3 → P1
Whiteboard: [nsbeta3+]
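The mechanism described in the comments above (an explicit channel owner becomes the principal of whatever is loaded through that channel, so a message body gets the system principal) and a regression check for it, as an added self-contained model; this is illustration written for this page, not Mozilla code, and every type and function name in it is hypothetical.

```cpp
// Added illustration (not Mozilla code): a minimal model of document-principal
// derivation for a message-pane load, with a regression check for bug 51442.
// All names here are hypothetical stand-ins for the real nsIChannel/principal APIs.
#include <memory>
#include <string>

struct Principal {
    bool isSystem;        // the all-powerful system principal
    std::string origin;   // codebase origin (scheme) for ordinary principals
};

struct Channel {
    std::string uri;                   // e.g. "mailbox:///home/u/Inbox?number=3"
    std::shared_ptr<Principal> owner;  // analogue of the channel's owner; may be unset
};

// An explicit channel owner wins; otherwise a codebase principal is minted
// from the channel URI. This is the step that let mail scripts inherit system.
Principal principalForLoad(const Channel& ch) {
    if (ch.owner) return *ch.owner;
    auto colon = ch.uri.find(':');
    std::string scheme = colon == std::string::npos ? ch.uri : ch.uri.substr(0, colon);
    return Principal{false, scheme};
}

// Schemes whose payload is attacker-authored content (message bodies).
static bool isMessageScheme(const std::string& uri) {
    return uri.rfind("mailbox:", 0) == 0 || uri.rfind("imap:", 0) == 0 ||
           uri.rfind("news:", 0) == 0;
}

// Invariant: a channel that loads a message body must never resolve to the
// system principal, because scripts in the body would run with it.
bool channelOwnerIsSafe(const Channel& ch) {
    return !(isMessageScheme(ch.uri) && principalForLoad(ch).isSystem);
}

// The buggy behaviour (system principal set as owner) beside the fixed one
// (owner left unset so the load gets an ordinary codebase principal).
Channel buggyMessageChannel(const std::string& uri) {
    return Channel{uri, std::make_shared<Principal>(Principal{true, ""})};
}
Channel fixedMessageChannel(const std::string& uri) {
    return Channel{uri, nullptr};
}
```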
This fix works for me. Scott, can you get this checked in?
You bet. Thanks for the review Rich!
Assignee: mstoltz → mscott
Status: ASSIGNED → NEW
Fixed.
Status: NEW → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
John, could you verify this bug? Thanks. Changing QA contact to junruh@netscape.com
QA Contact: czhang → junruh
Verified on 9/6 Win95 and Linux.
Status: RESOLVED → VERIFIED
Opening fixed security bugs to the public.
Group: netscapeconfidential?