Bug 568564 - (CVE-2010-2754) Suppress the script filename for cross-origin error events (SA39925)

Status: RESOLVED FIXED
Whiteboard: [sg:moderate]
Keywords: fixed1.9.0.20, privacy
Product: Core
Classification: Components
Component: DOM
Version: unspecified
Platform: All
OS: All
Priority: --
Severity: normal
Votes: 1
Target Milestone: ---
Assigned To: Boris Zbarsky [:bz] (still a bit busy)
URL: http://secunia.com/advisories/39925
Duplicates: 568688 569550

Reported: 2010-05-27 10:55 PDT by Boris Zbarsky [:bz] (still a bit busy)
Modified: 2010-08-20 18:49 PDT
Flags: bzbarsky: in-testsuite+
blocking2.0: beta1+
blocking1.9.2: needed
status1.9.2: .7-fixed
blocking1.9.1: needed
status1.9.1: .11-fixed

Attachments
Like so (2.16 KB, patch)
2010-05-27 11:25 PDT, Boris Zbarsky [:bz] (still a bit busy)
jst: review+
1.9.2 fix (2.94 KB, patch)
2010-06-08 22:11 PDT, Boris Zbarsky [:bz] (still a bit busy)
christian: approval1.9.2.7+
1.9.1 merge (2.96 KB, patch)
2010-06-08 22:12 PDT, Boris Zbarsky [:bz] (still a bit busy)
christian: approval1.9.1.11+
dveditz: approval1.9.0.next+

Description Boris Zbarsky [:bz] (still a bit busy) 2010-05-27 10:55:23 PDT
See http://secunia.com/advisories/39925
Comment 1 Boris Zbarsky [:bz] (still a bit busy) 2010-05-27 11:01:34 PDT
In particular, we need to do that because on redirects we put the post-redirect URI into the JSScript filename field.  If js error reports had an origin not tied to filename, we could take various other approaches here.
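An added JavaScript illustration (not Gecko's code, and not from anyone in this bug) of the rule comment 1 implies: the filename carried by a script error report is the post-redirect URL, so its origin is compared with the document's origin and the location details are withheld when they differ. The function names, the sample URLs and the choice to zero the line number along with the filename are my own assumptions.

```javascript
// Added illustration (not Gecko code) of the rule this bug implements.
// Function names and sample URLs are constructed for the example.

// The filename recorded for a script's error reports is the URL the script
// was finally fetched from: the last hop of any redirect chain, not the URL
// written in the <script src> attribute (see comment 1).
function scriptFilename(requestUrl, redirectChain = []) {
  return redirectChain.length > 0
    ? redirectChain[redirectChain.length - 1]
    : requestUrl;
}

// Origin in the same-origin-policy sense: scheme, host and port.
function originOf(url) {
  return new URL(url).origin;
}

// Sanitise an error report before it reaches the document's window.onerror.
// report: { message, filename, lineno }; docOrigin: origin of the document
// whose handler will run. If the script's (post-redirect) origin differs
// from the document's, the filename is suppressed; the line number is
// zeroed as well (my choice), since it is only meaningful for that file.
function sanitizeErrorReport(report, docOrigin) {
  let sameOrigin = false;
  try {
    sameOrigin = originOf(report.filename) === docOrigin;
  } catch (e) {
    sameOrigin = false; // unparsable or missing filename: treat as foreign
  }
  if (sameOrigin) {
    return { ...report };
  }
  return { message: report.message, filename: '', lineno: 0 };
}

// Constructed scenario: a page on attacker.example includes a victim.example
// endpoint that redirects to a URL embedding a per-user identifier. Before
// the fix, window.onerror on the including page received that URL.
function demo() {
  const docOrigin = 'https://attacker.example';
  const filename = scriptFilename('https://victim.example/me.js', [
    'https://victim.example/users/1234/profile.js',
  ]);
  const raw = { message: 'SyntaxError: unexpected token', filename, lineno: 1 };
  return sanitizeErrorReport(raw, docOrigin);
}
```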
Comment 2 Boris Zbarsky [:bz] (still a bit busy) 2010-05-27 11:25:16 PDT
Created attachment 447792 [details] [diff] [review]
Like so
Comment 3 Mike Beltzner [:beltzner, not reading bugmail] 2010-05-27 19:40:51 PDT
*** Bug 568688 has been marked as a duplicate of this bug. ***
Comment 4 Michał Gołębiowski [:m_gol] 2010-05-29 21:03:47 PDT
Proof of concept:
http://0me.me/demo/XSUH/XSUH_demo_firefox_all_in_1.html
Comment 5 Michał Gołębiowski [:m_gol] 2010-05-29 21:05:31 PDT
Shouldn't it block 3.6.4?
Comment 6 Robert Longson 2010-06-02 04:39:06 PDT
*** Bug 569550 has been marked as a duplicate of this bug. ***
Comment 7 Mike Beltzner [:beltzner, not reading bugmail] 2010-06-02 05:41:37 PDT
Until it gets a sg evaluation it'll be needed but not hard blocking any of the upcoming branch releases; obviously would like a reviewed patch ASAP, but I know people's review queues are busy.
Comment 8 Jesse Ruderman 2010-06-07 15:25:10 PDT
The severity really depends on what information sites reveal through URLs.  

* http://0me.me/demo/XSUH/XSUH_demo_firefox_all_in_1.html got my Google profile ID, and thus a good guess at my email address.  That's a pretty bad privacy violation.

* In theory, a site might reveal a session token. If high-profile sites turned out to do that, we'd call this bug [sg:high].
Comment 9 Daniel Veditz [:dveditz] 2010-06-07 15:54:29 PDT
Self-defense until fixed: block 3rd party cookies and the victim sites can't reveal any personal information.
Comment 10 Boris Zbarsky [:bz] (still a bit busy) 2010-06-08 20:28:14 PDT
Pushed http://hg.mozilla.org/mozilla-central/rev/155d4a2be1bc and then http://hg.mozilla.org/mozilla-central/rev/6043ca0d3fba to fix test issues.  Will create a roll-up patch for branches.
Comment 11 Boris Zbarsky [:bz] (still a bit busy) 2010-06-08 22:11:59 PDT
Created attachment 450044 [details] [diff] [review]
1.9.2 fix
Comment 12 Boris Zbarsky [:bz] (still a bit busy) 2010-06-08 22:12:27 PDT
Created attachment 450045 [details] [diff] [review]
1.9.1 merge
Comment 13 christian 2010-06-11 15:24:53 PDT
Comment on attachment 450045 [details] [diff] [review]
1.9.1 merge

a=LegNeato for 1.9.2.6 and 1.9.1.11. Please land this on mozilla-1.9.2 default and mozilla-1.9.1 default.
Comment 15 Samuel 2010-07-04 04:08:11 PDT
Is this really fixed? Why
http://secunia.com/community/forum/thread/show/4596/firefox_3_6_4_released
Why is this happening (to me!)?

I mean, why don't the Secunia folks think this is fixed? Is it their problem? Is it Mozilla's? Is this a situation of ineffective communication?
Comment 16 Mardeg 2010-07-04 14:19:21 PDT
It's fixed on the default 1.9.2 branch as stated, so it will be in the next release, Firefox 3.6.7.

If you're desperate for a preview build of it, get http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.7-candidates/build1/win32/en-US/Firefox%20Setup%203.6.7.exe
Comment 17 Boris Zbarsky [:bz] (still a bit busy) 2010-07-04 15:09:57 PDT
> is this really fixed?

Yes, but the fix hasn't been shipped yet.  It's fixed in the upcoming 1.9.2.x security release, as comment 16 says.
Comment 18 Samuel 2010-07-05 00:27:49 PDT
@Mardeg OK now I see the "clegnitto: approval1.9.2.7+". Sorry for my blindness. Thx for the info and the tip.

@bz thx!
Comment 19 Smokey Ardisson (offline for a while; not following bugs - do not email) 2010-07-18 21:59:16 PDT
Comment on attachment 450045 [details] [diff] [review]
1.9.1 merge

Requesting approval1.9.0.next on this patch so that we can take it in upcoming Camino 2.0.x security and stability updates.  If approved, I'll handle the checkins, unless the patch author requests otherwise.
Comment 20 Daniel Veditz [:dveditz] 2010-07-22 19:22:14 PDT
Comment on attachment 450045 [details] [diff] [review]
1.9.1 merge

Approved for 1.9.0.20, a=dveditz
Comment 21 Smokey Ardisson (offline for a while; not following bugs - do not email) 2010-07-24 15:29:18 PDT
Checking in content/base/test/test_bug461735.html;
/cvsroot/mozilla/content/base/test/test_bug461735.html,v  <--  test_bug461735.html
new revision: 1.2; previous revision: 1.1
done
Checking in dom/src/base/nsJSEnvironment.cpp;
/cvsroot/mozilla/dom/src/base/nsJSEnvironment.cpp,v  <--  nsJSEnvironment.cpp
new revision: 1.402; previous revision: 1.401
done
