Closed Bug 546573 Opened 14 years ago Closed 14 years ago

It's possible to access an outer window's Function constructor (Universal XSS)

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- beta4+
blocking1.9.2 --- -
status1.9.2 --- wontfix
blocking1.9.1 --- -
status1.9.1 --- wontfix

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

References

Details

(Whiteboard: [sg:high][critsmash-high:patch] fixed-in-tracemonkey)

Attachments

(5 files, 2 obsolete files)

testcase
329 bytes, text/html
Details
testcase 2
310 bytes, text/html
Details
Fix
8.23 KB, patch
jst
: review+
enndeakin
: review+
Details | Diff | Splinter Review
Updated to tip, and with more test fixes (passes mochi-chrome)
9.57 KB, patch
Details | Diff | Splinter Review
Additional test fix.
511 bytes, patch
Details | Diff | Splinter Review 
When an outer window has no inner window yet, it's possible to access the outer
window's Function constructor, which can be used to perform an XSS attack.
Attached file testcase 
This tries to get cookies for www.mozilla.com.
Note to self: make sure 3rd-party cookies are not blocked when trying to reproduce this.
Assignee: nobody → mrbkap
blocking1.9.2: --- → ?
blocking2.0: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Flags: wanted1.9.0.x+
Keywords: regression, regressionwindow-wanted
Whiteboard: [sg:high]
Attached patch Proposed fix (obsolete) — Splinter Review 
I think this is all that's required to fix this bug. Basically, we need to make sure that by the time a window is exposed to script, it has an inner window. I *think* that this is all that's required to do that, but I'm not entirely sure.

This supports a previous argument that I've made that outer windows shouldn't be global objects at all (weird, huh?). At the very least it's extra confusing. At the most, it turns into stuff like this. (The fact that we have *two* Function constructors, one of which is never correct to use is something that we've had trouble with before.)
Attachment #427444 - Flags: superreview?(bzbarsky)
Attachment #427444 - Flags: review?(jst)
Attachment #427444 - Flags: superreview?(bzbarsky) → superreview+
Comment on attachment 427444 [details] [diff] [review]
Proposed fix

sr=bzbarsky
blocking2.0: ? → beta1
Attachment #427444 - Flags: review?(jst) → review+
Attached file testcase 2 
Does that patch fix this?
blocking1.9.2: ? → needed
Attachment #427444 - Attachment is obsolete: true
Attachment #427444 - Flags: superreview+
Attachment #427444 - Flags: review+
Attached patch Proposed fix v2 (obsolete) — Splinter Review 
This is the only way I could figure out to EnsureInnerWindow for script that doesn't run for all windows (since we very eagerly create JSObjects for outer windows).
Attachment #429648 - Flags: superreview?(bzbarsky)
Attachment #429648 - Flags: review?(jst)
Comment on attachment 429648 [details] [diff] [review]
Proposed fix v2

Ok, but maybe we should just eagerly create inner windows and be done with it?  Out of scope here, I know.
Attachment #429648 - Flags: superreview?(bzbarsky) → superreview+
Attachment #429648 - Flags: review?(jst) → review+
http://hg.mozilla.org/mozilla-central/rev/2cf18052b8ee
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Had to back this out... it broke focus mochitests.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attachment #429648 - Attachment is obsolete: true
A sample for my reference:

s: moz2-linux-slave2639502 ERROR TEST-UNEXPECTED-FAIL | /tests/content/html/content/test/test_bug430351.html | <iframe xmlns="http://www.w3.org/1999/xhtml"></iframe> in <div xmlns="http://www.w3.org/1999/xhtml" id="parent"><iframe></iframe></div> should not be focusable - Didn't expect [object HTMLIFrameElement], but got it.
39503 ERROR TEST-UNEXPECTED-FAIL | /tests/content/html/content/test/test_bug430351.html | <iframe xmlns="http://www.w3.org/1999/xhtml" tabindex="-1"></iframe> in <div xmlns="http://www.w3.org/1999/xhtml" id="parent"><iframe tabindex="-1"></iframe></div> should not be focusable - Didn't expect [object HTMLIFrameElement], but got it.
39504 ERROR TEST-UNEXPECTED-FAIL | /tests/content/html/content/test/test_bug430351.html | <iframe xmlns="http://www.w3.org/1999/xhtml" tabindex="0"></iframe> in <div xmlns="http://www.w3.org/1999/xhtml" id="parent"><iframe tabindex="0"></iframe></div> should not be focusable - Didn't expect [object HTMLIFrameElement], but got it.
Neil, the test that started failing seems to be bogus: as far as I can tell, the only reason that, before this patch, <iframe>s weren't focusable was that nobody bothered to force an inner window (e.g. by looking up a property on it). It seems, then, like the test that failed is bogus; but I'm not entirely sure... Do you have an opinion?
I bet bug 546648 is related here, same problem it seems like.
Attached patch FixSplinter Review 
This fixes the test too. Neil could you review the changes?
Attachment #444217 - Flags: review?(jst)
Attachment #444217 - Flags: review?(enndeakin)
Attachment #444217 - Flags: review?(jst) → review+
Attachment #444217 - Flags: review?(enndeakin) → review+
http://hg.mozilla.org/mozilla-central/rev/eef17c173aaa
Status: REOPENED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED
Backed out... more mochitest failures.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [sg:high] → [sg:high][critsmash-high:patch]
Blake, eta on this?  To be clear:  Not as important as the sg:crits.  Put this one last on your sg: to-be-fixed list.
blocking2.0: beta1+ → beta2+
Attachment #455041 - Attachment is obsolete: true
Attachment #455041 - Attachment is obsolete: false
We may not want the changes to docshell_helpers.js in that diff...
This fixes another test failure. With this fix I *think* we're down to one remaining consistent failure, and that looks like this in the logs:

TEST-UNEXPECTED-FAIL | chrome://mochikit/content/browser/browser/components/sessionstore/test/browser/browser_500328.js | Timed out
TEST-UNEXPECTED-FAIL | chrome://mochikit/content/browser/browser/components/sessionstore/test/browser/browser_500328.js | Found an unexpected tab at the end of test run: http://example.com/

But no indication about what actually fails there. I haven't had a chance to run that test locally yet...
blocking2.0: beta2+ → beta3+
Depends on: 580819
What's keeping this from landing? Does it affect branches as well? Marked a b3 blocker 10 days ago, no activity since.
This is not going to make it for beta3, moving to beta4.
blocking2.0: beta3+ → beta4+
http://hg.mozilla.org/tracemonkey/rev/6ea9b217883a

This is actually fixed twice over. I'm going to get rid of CheckWindow in a separate patch. I'll investigate a less threatening patch (one that doesn't break docshell tests) for branches.
Whiteboard: [sg:high][critsmash-high:patch] → [sg:high][critsmash-high:patch] fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/6ea9b217883a
Status: REOPENED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED
Time to work on a branch version of this one.
blocking1.9.1: --- → .13+
blocking1.9.2: needed → .10+
sg:high -> punt to next version.
blocking1.9.1: .14+ → needed
blocking1.9.2: .11+ → needed
It's the next version--mrbkap will you have time to backport this one now?
blocking1.9.1: needed → .15+
blocking1.9.2: needed → .12+
Depends on: 605127
blocking1.9.1: .16+ → .17+
blocking1.9.2: .13+ → .14+
Punting to the next branch version as it Blake didn't get to this.
blocking1.9.1: .17+ → .18+
blocking1.9.2: .14+ → .15+
This bug is getting very bruised from all the kicking
Deferring to a future point release as we have run out of time. If this absolutely needs to be fixed and can land today or tomorrow, please send a note to release-drivers@mozilla.org
blocking1.9.1: .19+ → .20+
blocking1.9.2: .17+ → .18+
Is it even possible to fix this bug on the old branch?
blocking1.9.1: .20+ → needed
blocking1.9.2: .18+ → .19+
blocking1.9.2: .20+ → needed
Summary: It's possible to access an outer window's Function constructor → It's possible to access an outer window's Function constructor (Universal XSS)
Blake says there's no way to fix this on the 1.9.2 branch
blocking1.9.1: needed → -
blocking1.9.2: needed → -
status1.9.1: wantedwontfix
status1.9.2: wantedwontfix
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: