Closed
Bug 579882
Opened 14 years ago
Closed 14 years ago
IndexedDB: Investigate/review IndexedDB event handling
Categories
(Core :: Storage: IndexedDB, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | final+ |
People
(Reporter: smaug, Assigned: bent.mozilla)
References
Details
(Whiteboard: [sg:audit])
Attachments
(1 file, 2 obsolete files)
34.62 KB,
patch
|
sicking
:
review+
jst
:
approval2.0+
|
Details | Diff | Splinter Review |
It seems like there could be some security problems because IDBTransaction
doesn't setup mScriptContext nor mOwner member variables.
Reporter | ||
Updated•14 years ago
|
Summary: Investigate/review IndexDB event handling → Investigate/review IndexedDB event handling
Updated•14 years ago
|
Whiteboard: [sg:audit]
Reporter | ||
Comment 1•14 years ago
|
||
Bugs in the IDB event handling may lead to similar problems as
https://bugzilla.mozilla.org/show_bug.cgi?id=403168
Assignee | ||
Updated•14 years ago
|
Summary: Investigate/review IndexedDB event handling → IndexedDB: Investigate/review IndexedDB event handling
Updated•14 years ago
|
blocking2.0: ? → final+
Updated•14 years ago
|
Assignee: nobody → bent.mozilla
Assignee | ||
Comment 2•14 years ago
|
||
Attachment #462917 -
Flags: review?(jonas)
Attachment #462917 -
Flags: review?(Olli.Pettay)
Assignee | ||
Updated•14 years ago
|
Attachment #462917 -
Attachment is obsolete: true
Attachment #462917 -
Flags: review?(jonas)
Attachment #462917 -
Flags: review?(Olli.Pettay)
Assignee | ||
Comment 3•14 years ago
|
||
Attachment #462960 -
Flags: review?(jonas)
Attachment #462960 -
Flags: review?(Olli.Pettay)
Assignee | ||
Updated•14 years ago
|
Attachment #462960 -
Flags: review?(jonas)
Reporter | ||
Updated•14 years ago
|
Attachment #462960 -
Attachment is patch: true
Attachment #462960 -
Attachment mime type: application/octet-stream → text/plain
Reporter | ||
Comment 4•14 years ago
|
||
Comment on attachment 462960 [details] [diff] [review]
Patch, v1
>+IDBRequest::Generator::GenerateRequestInternal(JSContext* aCx,
>+ PRBool aWriteRequest)
> {
>- NS_ASSERTION(aGenerator, "Null generator!");
>+ nsRefPtr<IDBRequest> request(new IDBRequest());
>+
>+ request->mGenerator = this;
>+ request->mWriteRequest = aWriteRequest;
>+
>+ if (!mLiveRequests.AppendElement(request)) {
>+ NS_ERROR("Append failed!");
>+ return nsnull;
>+ }
Shouldn't AppendElement happen after you've set request->mOwner
>+
>+ nsIScriptContext* context = GetScriptContextFromJSContext(aCx);
>+ if (context) {
>+ request->mScriptContext = context;
>+ nsCOMPtr<nsPIDOMWindow> window =
>+ do_QueryInterface(context->GetGlobalObject());
>+ if (window) {
>+ request->mOwner = window->GetCurrentInnerWindow();
>+ }
>+ }
Since this all can be used only in a web page context, we should, IMO
require that context and window are non-null.
>@@ -95,6 +96,17 @@ IDBTransaction::Create(IDBDatabase* aDat
> return nsnull;
> }
>
>+ nsIScriptContext* context = GetScriptContextFromJSContext(aCx);
>+ if (context) {
>+ transaction->mScriptContext = context;
>+ nsCOMPtr<nsPIDOMWindow> window =
>+ do_QueryInterface(context->GetGlobalObject());
>+ if (window) {
>+ transaction->mOwner = window->GetCurrentInnerWindow();
>+ }
>+ }
Same here.
But since I'm not too familiar with this code, could someone who has
reviewed this code read this too.
Attachment #462960 -
Flags: review?(Olli.Pettay) → review+
Assignee | ||
Updated•14 years ago
|
Attachment #462960 -
Flags: review?(jonas)
Comment on attachment 462960 [details] [diff] [review]
Patch, v1
I don't think we need to remember the context on such a granular level. Lets just stick it in each transaction and reuse the information there for all requests. There should be no way for a transaction object to be passed across origins so there should be no risk of security problems due to using the wrong context.
Attachment #462960 -
Flags: review?(jonas) → review-
Assignee | ||
Comment 7•14 years ago
|
||
Ok, this does that.
Attachment #462960 -
Attachment is obsolete: true
Attachment #467847 -
Flags: review?(jonas)
It looks like you're still sticking the context/window into each request. Why not just grab it out of the transaction when you're firing the event instead? (with exception of the factory.open request)
Assignee | ||
Comment 9•14 years ago
|
||
(In reply to comment #8)
> (with exception of the factory.open request)
It's not just factory.open... It's also create/removeObjectStore and create/RemoveIndex. Those will inherit a setVersion transaction someday soon, but not yet.
The first two changes in the patch that I see are for IDBCursor::Update and IDBCursor::Remove
Assignee | ||
Comment 11•14 years ago
|
||
Right. I meant, it's not just factory.open that can't use a transaction as the argument to the request.
Why do you have to change the two function in comment 10, why can't the request created there get the needed objects from the transaction as they fire events?
Attachment #467847 -
Flags: review?(jonas) → review+
Assignee | ||
Comment 13•14 years ago
|
||
Comment on attachment 467847 [details] [diff] [review]
Patch, v2
Need this to make sure we don't let IndexedDB become another source of XSS bugs.
Attachment #467847 -
Flags: approval2.0?
Updated•14 years ago
|
Attachment #467847 -
Flags: approval2.0? → approval2.0+
Assignee | ||
Comment 14•14 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Can we open this?
Yes
Group: core-security
Component: DOM → DOM: IndexedDB
You need to log in
before you can comment on or make changes to this bug.
Description
•