Closed Bug 589144 Opened 15 years ago Closed 13 years ago

It's possible to make WrapJSValue use the wrong principal

Categories

(Core :: Security, defect)

1.9.2 Branch
x86
Windows XP
defect
Not set
normal

Tracking

RESOLVED WONTFIX
Tracking Status
status2.0 --- unaffected
blocking1.9.2 --- needed
status1.9.2 --- wontfix
blocking1.9.1 --- needed
status1.9.1 --- wanted

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Details

(Whiteboard: [sg:high])

It's possible to make WrapJSValue use the wrong principal by changing an unsafe object's principal while an unsafe function is being called on that object. In WrapJSValue, if subjPrincipal and valObjPrincipal are the same origin, and srcObjPrincipal is another origin, a new safe wrapper's principal slot is set to srcObjPrincipal. 1.9.2 and 1.9.1 branches are affected. Trunk is not affected. It seems that the WrapJSValue code does not match the current SJOW structure (a SJOW's parent is no longer an unsafe object).
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Whiteboard: [sg:high]
blocking1.9.1: ? → .13+
blocking1.9.2: ? → .10+
Assignee: nobody → mrbkap
sg:high -> punt to next version.
blocking1.9.1: .14+ → needed
blocking1.9.2: .11+ → needed
Blake, this needs some branch attention once you have time for that.
Version: unspecified → 1.9.2 Branch
blocking1.9.2: needed → ?
blocking1.9.2: ? → needed
It has been four months here with no movement. Since this is 1.9.2 only and we've had our last 1.9.2 release, should we "won't fix" this now?
Doesn't affect trunk, only 1.9.2. Resolving with the EOL of 1.9.2.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Group: core-security