It's possible to access a XOW come from the wrong scope by using a shallow XPCNativeWrapper

RESOLVED FIXED

Status

()

RESOLVED FIXED
9 years ago
3 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Tracking

unspecified
x86
Windows XP
Points:
---

Firefox Tracking Flags

(status1.9.2 wanted, status1.9.1 wanted)

Details

(Whiteboard: [sg:high][3.6.x])

Attachments

(2 attachments)

(Reporter)

Description

9 years ago
XPCNativeWrapper::RewrapIfDeepWrapper cares nothing for the return value when
obj is a shallow wrapper, thus a XOW come from the wrong scope is not re-wrapped.
(Reporter)

Comment 1

9 years ago
Created attachment 421404 [details]
testcase

This tries to get cookies for www.apple.com.

This works on trunk and 1.9.* (and 1.8 since bug 369334 is not fixed on 1.8).
Assignee: nobody → mrbkap
Whiteboard: [sg:high]
status1.9.1: --- → wanted
Whiteboard: [sg:high] → [sg:high][3.6.x]
Created attachment 421935 [details] [diff] [review]
Fix

This uses the patch in bug 533600. I'm probably going to end up rolling this patch into my other, larger patch, but this fixes this bug. I have found my new hammer: XPCWrappedNativeScope::GetWrapperFor.
Fixed by bug 533600.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
status1.9.2: --- → wanted

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.