Bug 619359
Opened 14 years ago
Closed 14 years ago
Security problem with History object
Categories: (Core :: Security, defect)
RESOLVED FIXED
Flag | Tracking | Status |
---|---|---|
firefox5 | --- | unaffected |
blocking2.0 | --- | final+ |
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People: (Reporter: moz_bug_r_a4, Assigned: mrbkap)
Details: (Whiteboard: [sg:high] fixed by bug 608872[hardblocker])
Attachments (1 file): patch, 16.85 KB, jst: review+
1. Get a History object from a same-origin window.
2. Load a target page in that window.
On trunk, it's possible to call history.pushState/replaceState on the target
page.
On 1.9.2/1.9.1 branches, History object does not have abusable methods.
Comment 1•14 years ago (Reporter)
This tries to get cookies for html5demos.com.
This works on trunk.
http://html5demos.com/history/ basically does:
elem.innerHTML = event.state.x;
Is bug 608872 intended to fix this?
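The target page quoted in comment 1 assigns `event.state.x` to `innerHTML`, so whoever can set that history entry's state controls markup in the page. As an added example (not code from this bug or from the Mozilla patch), a page-side popstate handler that treats `event.state` as untrusted; `extractLabel`, `renderState`, `install`, `MAX_LEN` and the stand-in window and element are assumptions made for the demo.

```javascript
// Added example, not Mozilla's patch: page-side handling of popstate that
// treats event.state as untrusted instead of assigning it to innerHTML.

const MAX_LEN = 200; // assumed upper bound for the displayed value

// Return the string to display, or null when state is not { x: <short string> }.
function extractLabel(state) {
  if (state === null || typeof state !== "object" || Array.isArray(state)) return null;
  if (!Object.prototype.hasOwnProperty.call(state, "x")) return null;
  const x = state.x;
  if (typeof x !== "string" || x.length > MAX_LEN) return null;
  return x;
}

// Write the value as text. textContent never parses markup, so a value such as
// "<b>hi</b>" is shown literally rather than becoming elements in the page.
function renderState(elem, state) {
  const label = extractLabel(state);
  elem.textContent = label === null ? "" : label;
  return label !== null;
}

// Register the handler; win and elem are a Window and an Element in a browser.
function install(win, elem) {
  const handler = (event) => renderState(elem, event.state);
  win.addEventListener("popstate", handler);
  return handler;
}

// Constructed stand-ins for window and an element so the logic runs under Node.
function demo() {
  const listeners = {};
  const win = { addEventListener: (type, fn) => { listeners[type] = fn; } };
  const elem = { textContent: "initial" };
  install(win, elem);
  const results = [];
  for (const state of [{ x: "<b>hi</b>" }, { x: 42 }, null, { y: "no x" }]) {
    const accepted = listeners.popstate({ state });
    results.push([accepted, elem.textContent]);
  }
  return results;
}

console.log(demo());
```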
Updated•14 years ago
blocking2.0: --- → ?
Comment 4•14 years ago
(In reply to comment #3)
> Is bug 608872 intended to fix this?
Yes, says mrbkap.
Updated•14 years ago
blocking2.0: ? → final+
Whiteboard: [sg:high]
Updated•14 years ago
Assignee: justin.lebar+bug → nobody
Updated•14 years ago
Assignee: nobody → mrbkap
Whiteboard: [sg:high] → [sg:high] fixed by bug 608872
Updated•14 years ago
Whiteboard: [sg:high] fixed by bug 608872 → [sg:high] fixed by bug 608872, hardblocker
Updated•14 years ago
Whiteboard: [sg:high] fixed by bug 608872, hardblocker → [sg:high] fixed by bug 608872[hardblocker]
Comment 5•14 years ago (Assignee)
I'm about to send this through try.
Attachment #508662 - Flags: review?(jst)
Updated•14 years ago
Attachment #508662 - Flags: review?(jst) → review+
Comment 6•14 years ago
This passed on try, so I landed it on m-c. And I forgot to update the bug number in the comment, where 691359 should be 619359, even though I pointed out that mistake to mrbkap myself last night :(
http://hg.mozilla.org/mozilla-central/rev/a79b46eef8f2
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Updated•14 years ago
Group: core-security
status-firefox5: --- → unaffected