flash.sampler.getLexicalScopes() and getSavedThis() expose Flash player internals that may be a security risk; for example, getLexicalScopes() returns an array that may include activation objects that are not exposed to the app in any other way. I'm not sure if getSavedThis() exposes anything dangerous, so it may not be strictly necessary to protect this function, but I would be inclined to protect it.

So, in the C++ code, SamplerScript::getLexicalScopes() and SamplerScript::getSavedThis() should both call trusted(), and should fail (return null or undefined) if trusted() returns false, just as most other functions in SamplerScript do:

For getLexicalScopes():

    AvmCore* core = self->core();
    Sampler *s = core->get_sampler();
    if (!s || !s->sampling() || s->sampleCount() == 0 || !trusted(self))
        return undefinedAtom;

For getSavedThis(), change "return undefinedAtom" to "return NULL".
> For getSavedThis(), change "return undefinedAtom" to "return NULL".

The patch doesn't do this and I think it would be wrong since the decl is to return Object and that means Atom in C++.
Sorry, I got it backwards in my comment -- what I meant was, getSavedThis() should return undefinedAtom if permission is denied, and getLexicalScopes() should return NULL if permission is denied.
Aren't these calls new to Argo? If so, we can land 'em directly. If not, we'll have to land this in tr-sec...
Yes, these calls are new to Argo.
Does this even need to be a security bug?
Created attachment 426706: Revised patch

Revised based on feedback from Tommy: The functions still succeed even if sampling is not currently taking place.
You're right Tommy, I don't think this needs to be a security bug, since it's only in TR and is new to Argo. Sorry about that. (I don't have permission to change it because I'm not in the right group)
Comment on attachment 426706: Revised patch

rubber stamp
Attachment #426706 - Flags: superreview?(edwsmith) → superreview+
Assignee: nobody → mmoreart
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → flash10.1
tamarin-redux: changeset: 3849:df1838d8ebf3 tamarin-redux-argo: 3721:df1838d8ebf3
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED