Bug 568564 (CVE-2010-2754)

Suppress the script filename for cross-origin error events (SA39925)




7 years ago
7 years ago


(Reporter: bz, Assigned: bz)


({fixed1.9.0.20, privacy})

fixed1.9.0.20, privacy
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(blocking2.0 beta1+, blocking1.9.2 needed, status1.9.2 .7-fixed, blocking1.9.1 needed, status1.9.1 .11-fixed)


(Whiteboard: [sg:moderate], URL)


(3 attachments)

See http://secunia.com/advisories/39925
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Summary: Suppress the script filename for cross-origin error events → Suppress the script filename for cross-origin error events [Secunia Advisory SA39925]
In particular, we need to do that because on redirects we put the post-redirect URI into the JSScript filename field.  If js error reports had an origin not tied to filename, we could take various other approaches here.
Created attachment 447792 [details] [diff] [review]
Like so
Attachment #447792 - Flags: review?(jst)
Duplicate of this bug: 568688
OS: Mac OS X → All
Hardware: x86 → All
Summary: Suppress the script filename for cross-origin error events [Secunia Advisory SA39925] → Suppress the script filename for cross-origin error events (SA39925)
Version: Trunk → unspecified
Proof of concept:
Shouldn't it block 3.6.4?


7 years ago
Duplicate of this bug: 569550
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Until it gets a sg evaluation it'll be needed but not hard blocking any of the upcoming branch releases; obviously would like a reviewed patch ASAP, but I know people's review queues are busy.
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed
blocking2.0: ? → beta1+
Whiteboard: [sg:?]


7 years ago
Attachment #447792 - Flags: review?(jst) → review+


7 years ago
Keywords: privacy
Whiteboard: [sg:?] → [sg:low]


7 years ago
Whiteboard: [sg:low] → [sg:moderate]

Comment 8

7 years ago
The severity really depends on what information sites reveal through URLs.  

* http://0me.me/demo/XSUH/XSUH_demo_firefox_all_in_1.html got my Google profile ID, and thus a good guess at my email address.  That's a pretty bad privacy violation.

* In theory, a site might reveal a session token. If high-profile sites turned out to do that, we'd call this bug [sg:high].
Self-defense until fixed: block 3rd party cookies and the victim sites can't reveal any personal information.
Pushed http://hg.mozilla.org/mozilla-central/rev/155d4a2be1bc and then http://hg.mozilla.org/mozilla-central/rev/6043ca0d3fba to fix test issues.  Will create a roll-up patch for branches.
Last Resolved: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Created attachment 450044 [details] [diff] [review]
1.9.2 fix
Attachment #450044 - Flags: approval1.9.2.5?
Created attachment 450045 [details] [diff] [review]
1.9.1 merge
Attachment #450045 - Flags: approval1.9.1.11?


7 years ago
Attachment #450044 - Flags: approval1.9.2.5? → approval1.9.2.6+

Comment 13

7 years ago
Comment on attachment 450045 [details] [diff] [review]
1.9.1 merge

a=LegNeato for and Please land this on mozilla-1.9.2 default and mozilla-1.9.1 default.
Attachment #450045 - Flags: approval1.9.1.11? → approval1.9.1.11+
status1.9.1: wanted → .11-fixed
status1.9.2: wanted → .6-fixed

Comment 15

7 years ago
is this really fixed? why 
why is this happening (to me!)?

i mean, why secunia folks don't think this is fixed? it's their problem? it's mozilla's? is this a situation of ineffective communication?

Comment 16

7 years ago
It's fixed on the default 1.9.2 branch as stated, so will be in the next release, Firefox 3.6.7

If you're desperate for a preview build of it, get http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.7-candidates/build1/win32/en-US/Firefox%20Setup%203.6.7.exe
> is this really fixed?

Yes, but the fix hasn't been shipped yet.  It's fixed in the upcoming 1.9.2.x security release, as comment 16 says.

Comment 18

7 years ago
@Mardeg OK now I see the "clegnitto: approval1.9.2.7+". Sorry for my blindness. Thx for the info and the tip.

@bz thx!
Alias: CVE-2010-2754
Comment on attachment 450045 [details] [diff] [review]
1.9.1 merge

Requesting approval1.9.0.next on this patch so that we can take it in upcoming Camino 2.0.x security and stability updates.  If approved, I'll handle the checkins, unless the patch author requests otherwise.
Attachment #450045 - Flags: approval1.9.0.next?
Comment on attachment 450045 [details] [diff] [review]
1.9.1 merge

Approved for, a=dveditz
Attachment #450045 - Flags: approval1.9.0.next? → approval1.9.0.next+
Checking in content/base/test/test_bug461735.html;
/cvsroot/mozilla/content/base/test/test_bug461735.html,v  <--  test_bug461735.html
new revision: 1.2; previous revision: 1.1
Checking in dom/src/base/nsJSEnvironment.cpp;
/cvsroot/mozilla/dom/src/base/nsJSEnvironment.cpp,v  <--  nsJSEnvironment.cpp
new revision: 1.402; previous revision: 1.401
Keywords: fixed1.9.0.20
You need to log in before you can comment on or make changes to this bug.