Closed Bug 582913 Opened 14 years ago Closed 14 years ago

Bypassing XOW by using chrome XBL or JS

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
blocking1.9.2 --- -
status1.9.2 --- wontfix
blocking1.9.1 --- -
status1.9.1 --- wontfix

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Details

(Whiteboard: [needs answer to comment 10 from mrbkap][sg:high]) 

http://mxr.mozilla.org/mozilla-central/source/js/src/xpconnect/src/nsXPConnect.cpp#2546

2475 nsXPConnect::GetWrapperForObject(JSContext* aJSContext,
2476                                  JSObject* aObject,
2477                                  JSObject* aScope,
2478                                  nsIPrincipal* aPrincipal,
2479                                  PRUint32 aFilenameFlags,
2480                                  jsval* _retval)
2481 {
...
2546     // We can do nothing if:
2547     // - We're wrapping a system object
2548     // or
2549     //   - We're from the same *scope* AND
2550     //   - We're not about to force a XOW (e.g. for "window") OR
2551     //   - We're not actually going to create a XOW (we're wrapping for
2552     //     chrome).
2553     if(aObject->isSystem() ||
2554        (sameScope &&
2555         (!forceXOW || (aFilenameFlags & JSFILENAME_SYSTEM))))
2556         return NS_OK;

With the attached testcase, aObject is a content window, sameScope is 1,
forceXOW is 1, and aFilenameFlags is 3, thus the window is not wrapped in a
security wrapper.
Attached file testcase 
This tries to get cookies for www.mozilla.com.
I get Error: Permission denied for <https://bug582913.bugzilla.mozilla.org> to get property Window.eval from <http://www.mozilla.com>.
Source File: https://bug582913.bugzilla.mozilla.org/attachment.cgi?id=461169&t=vmrreYjVPp
Line: 33
(In reply to comment #2)
> I get Error: Permission denied for <https://bug582913.bugzilla.mozilla.org> to
> get property Window.eval from <http://www.mozilla.com>.
> Source File:
> https://bug582913.bugzilla.mozilla.org/attachment.cgi?id=461169&t=vmrreYjVPp
> Line: 33

Do you get the error only on trunk?  If so, which text do you see near the
iframe?  "null" or "[object HTMLElement]"?

I can reproduce the testcase on trunk, 1.9.2 and 1.9.1 on Windows and Linux.
trunk mac os x 10.5. [object HTMLElement] 500 is what i saw next to the iframe. I'll check the others in a bit.
On trunk, the testcase tries to force GC in order to remove a cached XOW.  If
GC happens, the text should be "null" instead of "[object HTMLElement]".

In my machines, GC can happen after looping about 100 times.  What happens if
you change the code in function gc: 500 into a larger number?
Attached file testcase 2 
This does not try to force GC.  I can reproduce this on trunk.

Bob, could you test this?
Whiteboard: [sg:high]
testcase1 and testcase2 work in 1.9.1, 1.9.2 but not 1.9.3 on mac os x.
Assignee: nobody → mrbkap
This was fixed by compartments. moz_bug_r_a4, can you verify?
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Yes.

On fx-4.0b8pre-2010-11-09-07, I cannot reproduce the testcases, and I get this
error: Error: Permission denied to access property 'eval'
Status: RESOLVED → VERIFIED
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Is there any possibility of a non-compartments fix for the branches?
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed
Whiteboard: [sg:high] → [needs answer to comment 10 from mrbkap][sg:high]
This will have to be "wontfix" on old branches -- the whole point of Compartments is to fix bugs like this that we couldn't fix another way, and we're not back-porting Compartments and everything else that would require.
blocking1.9.1: needed → -
blocking1.9.2: needed → -
status1.9.1: wantedwontfix
status1.9.2: wantedwontfix
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.