Closed
Bug 520522
Opened 15 years ago
Closed 14 years ago
Bypassing XOW by using XPCNativeWrapper.wrappedJSObject
Categories
(Core :: XPConnect, defect, P2)
Tracking
()
RESOLVED
FIXED
mozilla1.9.2
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
References
Details
(Whiteboard: [sg:high][3.6.x] critical with a privileged context to attack)
Attachments
(1 file)
|
645 bytes,
text/html
|
Details |
The fix for bug 514435 can be circumvented. By using XPCNativeWrapper, it's possible to get a SJOW whose unsafe object is not a XOW.
|
Reporter | |
Comment 1•15 years ago
|
||
This tries to get cookies for www.mozilla.com.
|
Assignee | |
Comment 2•15 years ago
|
||
I should have seen this coming :(.
|
||
Updated•15 years ago
|
Whiteboard: [sg:high] critical with a privileged context to attack
|
||
Updated•15 years ago
|
blocking1.9.1: --- → ?
blocking2.0: --- → ?
status1.9.1:
--- → ?
Flags: wanted1.9.0.x?
Flags: blocking1.9.2?
Flags: blocking1.9.0.16?
|
||
Updated•15 years ago
|
|
|
||
Updated•15 years ago
|
blocking1.9.1: ? → .5+
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.2?
Flags: blocking1.9.0.16?
Flags: blocking1.9.0.16+
|
|
||
Updated•15 years ago
|
Flags: blocking1.9.2?
|
||
Updated•15 years ago
|
Assignee: nobody → mrbkap
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
Target Milestone: --- → mozilla1.9.2
|
|
||
Comment 3•15 years ago
|
||
Blake, any progress on a patch for this yet?
|
||
Updated•15 years ago
|
Flags: blocking1.9.0.16+ → blocking1.9.0.17+
|
|
||
Updated•15 years ago
|
blocking1.9.1: .6+ → .7+
|
|
||
Comment 5•15 years ago
|
||
Unblocking on this per discussion with mrbkap and damons. Blake, keep this your top priority, and we'll consider a fix once it's ready, but we won't be holding the release for this.
Flags: blocking1.9.2+ → blocking1.9.2-
|
|
||
Comment 6•15 years ago
|
||
How is this one looking for 1.9.2.1/1.9.1.8/1.9.0.18 ? It's scary-close to the code-freeze for the latter two (and maybe 1.9.2.1) to be considering "Flatten out wrapper hierarchy" (prerequisite bug 524994).
Whiteboard: [sg:high] critical with a privileged context to attack → [sg:high][3.6.x] critical with a privileged context to attack
|
|
Assignee | |
Comment 7•15 years ago
|
||
I have a patch for this. It's unfortunately conglomerated with some stuff that we can't land on old branches, but I'll work on teasing apart the requisite parts soon.
|
|
||
Updated•14 years ago
|
blocking1.9.1: .8+ → .9+
blocking1.9.2: --- → ?
Flags: blocking1.9.0.18+ → blocking1.9.0.19+
|
||
Updated•14 years ago
|
blocking1.9.2: ? → needed
|
|
||
Comment 9•14 years ago
|
||
Blake: what news?
|
|
||
Comment 10•14 years ago
|
||
Should this continue to block 1.9.0.19/1.9.1.9 or can it wait until a future release? Getting close to code freeze deadline.
|
|
||
Comment 11•14 years ago
|
||
mrbkap: please see comment 9 and comment 10
|
|
||
Updated•14 years ago
|
|
|
Assignee | |
Comment 12•14 years ago
|
||
Fixed by bug 533600.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
||
Comment 13•14 years ago
|
||
mrbkap: then should bug 533600 be back-ported to the affected branches?
|
|
Assignee | |
Comment 14•14 years ago
|
||
Yes.
|
|
||
Comment 15•14 years ago
|
||
Are we ready to take the fix on the branches now?
|
||
Comment 16•14 years ago
|
||
Talked to Blake, he is worried about this being taken on the branch at this time and doesn't expect to make code-freeze. I have got assurances he will make a special point to get it into the next release, so I am moving the blocking flag forward (one last time).
|
|
||
Comment 17•14 years ago
|
||
(err, I will do so once the flag values are created)
|
|
||
Comment 18•14 years ago
|
||
sg:high -> punt to next version.
blocking1.9.1: .14+ → needed
blocking1.9.2: .11+ → needed
|
|
||
Comment 19•13 years ago
|
||
(In reply to comment #16) > I have got assurances he will make a special point to get it into > the next release, so I am moving the blocking flag forward Is now the time?
|
|
||
Comment 20•13 years ago
|
||
(In reply to comment #7) > I have a patch for this. It's unfortunately conglomerated with some stuff > that we can't land on old branches, but I'll work on teasing apart the > requisite parts soon. mrbkap: what ever happened to this patch?
|
|
Assignee | |
Comment 21•13 years ago
|
||
The fix for this bug got subsumed into compartments.
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•