Closed Bug 568148 (CVE-2010-1213) Opened 9 years ago Closed 9 years ago
Scripts" of Web Worker with E4X causes information disclosure
Assignee: general → brendan
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #447465 - Flags: review?(gal)
Reporter, thanks for finding this! /be
Priority: -- → P1
Target Milestone: --- → mozilla1.9.3a5
Comment on attachment 447465 [details] [diff] [review] fix, always reject only-XML JS source whether script result wanted or not Brendan explained the historic reason for bypassing the check in case of TCF_NO_SCRIPT_EVAL (if you wanted the value we were hoping you know what you are doing), but it seems best to always apply it.
Attachment #447465 - Flags: review?(gal) → review+
http://hg.mozilla.org/tracemonkey/rev/d5c0c147d6f0 JS folks offer to review any JS API based new code, including workers. Seems like a good idea, may not catch everything -- could help improve docs and API at least though (at best it might catch bugs like this). /be
Interesting that even though this patch builds on the fix for bug 375250, it is more severe, because bug 375250 was not exploitable as reported.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Whiteboard: fixed-in-tracemonkey → [sg:high] fixed-in-tracemonkey
(In reply to comment #5) > Interesting that even though this patch builds on the fix for bug 375250, it is > more severe, because bug 375250 was not exploitable as reported. This bug is about a new API, not around when that bug was fixed. /be
Sorry I missed the orange -- thanks to Waldo for pointing it out today. /be
Attachment #447835 - Flags: review?(gal)
Followup fix: http://hg.mozilla.org/tracemonkey/rev/4e04e69a5d41 /be
Whiteboard: [sg:high] fixed-in-tracemonkey → [sg:high] fixed-in-tracemonkey [critsmash-high:patch]
qawanted: please turn the test link into an attachment to this bug so we know we'll have it for regression testing. brendan: could we turn the testcase into something we could check-in once the fix is public?
blocking1.9.1: ? → .11+
blocking1.9.2: ? → .5+
Cc'ing jorendorff re: comment 9 question -- we have workers in the js shell, IIRC. /be
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment on attachment 447835 [details] [diff] [review] followup fix This went in. /be
Attachment #447835 - Flags: review?(gal) → review+
Verified for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:126.96.36.199pre) Gecko/20100622 Shiretoko/3.5.11pre ( .NET CLR 3.5.30729) using testcase. Checked in build before checkin and testcase reproduced bug there. Verified for 1.9.2 the same way in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52pre) Gecko/20100622 Namoroka/3.6.6pre ( .NET CLR 3.5.30729) and the build from the day before the fix.
I didn't attach a patch here, but it was a one-liner. See comment 13. Can I get off the list of bugs without approved patches without actually attaching a patch and getting (retroactive) approval? /be
Yep, off lists.
Issue is resolved - clearing old keywords - qa-wanted clean-up
You need to log in before you can comment on or make changes to this bug.