Bug 560466 (Closed): Arbitrary code execution using userdata handlers
Opened 15 years ago; Closed 15 years ago
Categories: Core :: Security, defect
Status: RESOLVED FIXED
People: Reporter: moz_bug_r_a4; Assigned: smaug
Whiteboard: [sg:critical]
Attachments (2 files):
1.09 KB, text/html
1.08 KB, patch (peterv: review+; jst: superreview+)
Description
Since we call userdata handlers without dealing with JS context stuff, if chrome code manipulates a content node and a userdata handler is called, the userdata handler's scripted caller is the chrome code.
When viewPartialSourceForSelection() calls ancestorContainer.cloneNode(), content can run arbitrary code with chrome privileges.
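The following is an added toy model of the mechanism the description names; it is not Mozilla code, and the names ContextStack, call_handler_unfixed, call_handler_fixed and chrome_clones_content_node are constructed for illustration. It shows why a handler invoked without pushing its own context inherits the subject principal of its scripted caller (chrome), and how pushing the handler's own context before the call, the approach comment 4 takes for consistency with event listeners, changes the outcome of the security check.

```python
# Added toy model of the bug's mechanism; not Mozilla code. All class and
# function names here are constructed for illustration.

class Principal:
    """A security principal: an origin, plus whether it is the system (chrome) principal."""
    def __init__(self, origin, is_system=False):
        self.origin = origin
        self.is_system = is_system


SYSTEM = Principal("chrome://", is_system=True)    # chrome / system principal
CONTENT = Principal("http://content.example")      # constructed content origin


class ContextStack:
    """Models the JS context stack: the subject principal is whatever is on top."""
    def __init__(self):
        self._stack = []

    def push(self, principal):
        self._stack.append(principal)

    def pop(self):
        self._stack.pop()

    def subject_principal(self):
        return self._stack[-1]


def privileged_action(ctx):
    """A chrome-only operation guarded by a subject-principal check."""
    if not ctx.subject_principal().is_system:
        raise PermissionError("not system principal")
    return "privileged action ran as " + ctx.subject_principal().origin


def content_userdata_handler(ctx):
    """The handler content registered on a node; it attempts the privileged call."""
    try:
        return privileged_action(ctx)
    except PermissionError:
        return "denied"


def call_handler_unfixed(ctx, handler, handler_principal):
    """Before the patch: the handler is called without touching the context stack,
    so the check sees the principal of whoever called cloneNode()."""
    return handler(ctx)


def call_handler_fixed(ctx, handler, handler_principal):
    """The approach from comment 4: push the handler's own context first,
    as is already done for event listeners."""
    ctx.push(handler_principal)
    try:
        return handler(ctx)
    finally:
        ctx.pop()


def chrome_clones_content_node(call_handler):
    """Chrome code clones a content node; cloneNode() fires the userdata handler
    that content attached to that node. Returns what the handler achieved."""
    ctx = ContextStack()
    ctx.push(SYSTEM)            # chrome is the scripted caller
    try:
        return call_handler(ctx, content_userdata_handler, CONTENT)
    finally:
        ctx.pop()


if __name__ == "__main__":
    print("unfixed:", chrome_clones_content_node(call_handler_unfixed))
    print("fixed:  ", chrome_clones_content_node(call_handler_fixed))
```

In the unfixed path the content handler's privileged call succeeds because the only context on the stack belongs to chrome; in the fixed path the handler's own (content) context is on top when the check runs, so the same call is refused.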
Comment 1 (Reporter) • 15 years ago
This uses bug 344495's trick. This depends on bug 554449.
Updated • 15 years ago
Whiteboard: [sg:critical]
Comment 2 (Assignee) • 15 years ago
Blake, any chance to get rid of the manual context pushing at some point?
Which way does this depend on bug 554449? Does fixing it fix also this one?
Comment 3 (Assignee) • 15 years ago
Or does the testcase depend on bug 554449?
Comment 4 (Assignee) • 15 years ago
But for now, I'm going to do whatever is done with event listeners.
Comment 5 (Assignee) • 15 years ago
Assignee: nobody → Olli.Pettay
Status: NEW → ASSIGNED
Attachment #440179 - Flags: superreview?(jst)
Attachment #440179 - Flags: review?(peterv)
Comment 6 (Reporter) • 15 years ago
(In reply to comment #2)
> Which way does this depend on bug 554449? Does fixing it fix also this one?
Fixing bug 554449 fixes the testcase. If bug 554449 is fixed, when a content
function is called, the subject principal is the content principal even if the
scripted caller is the chrome code.
Comment 7 (Assignee) • 15 years ago
Ok, that sounds good. I wonder if we could remove some context pushing after
bug 554449 is fixed. Blake?
Updated • 15 years ago
Attachment #440179 - Flags: superreview?(jst) → superreview+
Comment 8 • 15 years ago
Comment on attachment 440179 [details] [diff] [review]
patch
I'm fine with this, but if it's not needed after bug 554449 is fixed maybe we shouldn't do it?
Attachment #440179 - Flags: review?(peterv) → review+
Comment 9 (Assignee) • 15 years ago
http://hg.mozilla.org/mozilla-central/rev/44090f6670c7
Well, I pushed the patch anyway. If security checks are changed to work
in a different way, this can be removed, and also nsCxPushers in ELM.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 10 • 15 years ago
The testcase in this bug is now fixed by bug 554449. Do we want this patch on the branches anyway?
Depends on: CVE-2010-3773
Updated • 10 years ago
Group: core-security → core-security-release
Updated • 10 years ago
Group: core-security-release