
Bypassing XOW by using chrome XBL or JS

Status: VERIFIED FIXED
Product: Core
Component: Security
Opened 7 years ago, last modified 2 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Tracking

Version: unspecified
Platform: x86 Windows XP
Points: ---

Firefox Tracking Flags

(blocking1.9.2 -, status1.9.2 wontfix, blocking1.9.1 -, status1.9.1 wontfix)

Details

(Whiteboard: [needs answer to comment 10 from mrbkap][sg:high])

(Reporter)

Description

7 years ago
http://mxr.mozilla.org/mozilla-central/source/js/src/xpconnect/src/nsXPConnect.cpp#2546

2475 nsXPConnect::GetWrapperForObject(JSContext* aJSContext,
2476                                  JSObject* aObject,
2477                                  JSObject* aScope,
2478                                  nsIPrincipal* aPrincipal,
2479                                  PRUint32 aFilenameFlags,
2480                                  jsval* _retval)
2481 {
...
2546     // We can do nothing if:
2547     // - We're wrapping a system object
2548     // or
2549     //   - We're from the same *scope* AND
2550     //   - We're not about to force a XOW (e.g. for "window") OR
2551     //   - We're not actually going to create a XOW (we're wrapping for
2552     //     chrome).
2553     if(aObject->isSystem() ||
2554        (sameScope &&
2555         (!forceXOW || (aFilenameFlags & JSFILENAME_SYSTEM))))
2556         return NS_OK;

With the attached testcase, aObject is a content window, sameScope is 1,
forceXOW is 1, and aFilenameFlags is 3, thus the window is not wrapped in a
security wrapper.
(Reporter)

Comment 1

7 years ago
Created attachment 461169 [details]
testcase

This tries to get cookies for www.mozilla.com.

Comment 2

7 years ago
I get Error: Permission denied for <https://bug582913.bugzilla.mozilla.org> to get property Window.eval from <http://www.mozilla.com>.
Source File: https://bug582913.bugzilla.mozilla.org/attachment.cgi?id=461169&t=vmrreYjVPp
Line: 33
(Reporter)

Comment 3

7 years ago
(In reply to comment #2)
> I get Error: Permission denied for <https://bug582913.bugzilla.mozilla.org> to
> get property Window.eval from <http://www.mozilla.com>.
> Source File:
> https://bug582913.bugzilla.mozilla.org/attachment.cgi?id=461169&t=vmrreYjVPp
> Line: 33

Do you get the error only on trunk?  If so, which text do you see near the
iframe?  "null" or "[object HTMLElement]"?

I can reproduce the testcase on trunk, 1.9.2 and 1.9.1 on Windows and Linux.

Comment 4

7 years ago
Trunk, Mac OS X 10.5: "[object HTMLElement] 500" is what I saw next to the iframe. I'll check the others in a bit.
(Reporter)

Comment 5

7 years ago
On trunk, the testcase tries to force GC in order to remove a cached XOW.  If
GC happens, the text should be "null" instead of "[object HTMLElement]".

On my machines, GC can happen after looping about 100 times.  What happens if
you change the 500 in function gc to a larger number?
(Reporter)

Comment 6

7 years ago
Created attachment 461513 [details]
testcase 2

This does not try to force GC.  I can reproduce this on trunk.

Bob, could you test this?
Whiteboard: [sg:high]

Comment 7

7 years ago
Testcase 1 and testcase 2 work in 1.9.1 and 1.9.2 but not in 1.9.3 on Mac OS X.
Assignee: nobody → mrbkap
(Assignee)

Comment 8

7 years ago
This was fixed by compartments. moz_bug_r_a4, can you verify?
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
(Reporter)

Comment 9

7 years ago
Yes.

On fx-4.0b8pre-2010-11-09-07, I cannot reproduce the testcases, and I get this
error: Error: Permission denied to access property 'eval'
Status: RESOLVED → VERIFIED
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Is there any possibility of a non-compartments fix for the branches?
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed
Whiteboard: [sg:high] → [needs answer to comment 10 from mrbkap][sg:high]
This will have to be "wontfix" on old branches -- the whole point of Compartments is to fix bugs like this that we couldn't fix another way, and we're not back-porting Compartments and everything else that would require.
blocking1.9.1: needed → -
blocking1.9.2: needed → -
status1.9.1: wanted → wontfix
status1.9.2: wanted → wontfix

Updated

2 years ago
Group: core-security → core-security-release