Security problem with History object

RESOLVED FIXED

Core :: Security
7 years ago

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Tracking

unspecified
x86
Windows XP

Firefox Tracking Flags

(firefox5 unaffected, blocking2.0 final+, status1.9.2 unaffected, status1.9.1 unaffected)

Details

(Whiteboard: [sg:high] fixed by bug 608872[hardblocker])

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
1. Get a History object from a same-origin window.
2. Load a target page in that window.

On trunk, it's possible to call history.pushState/replaceState on the target
page.

On the 1.9.2/1.9.1 branches, the History object does not have abusable methods.
(Reporter)

Comment 1

7 years ago
Created attachment 497792 [details]
testcase - XSS

This tries to get cookies for html5demos.com.
This works on trunk.

http://html5demos.com/history/ basically does:
elem.innerHTML = event.state.x;
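The two steps in the description and the sink in comment 1, modelled in plain Node.js as an added example (this is not code from the bug, the attachment, or Mozilla): an attacker page obtains the History object of a same-origin window, navigates that window to a cross-origin target, and calls replaceState on the object it kept; when popstate later fires in the target, a handler of the html5demos shape (`elem.innerHTML = event.state.x`) renders attacker-chosen markup. The origins, payload, handler code and the `BrowsingContext`/`makeHistory` helpers are constructed for the demo; real pushState/replaceState take `(state, title, url)` and the browser learns the caller's origin from the running script rather than from an argument.

```javascript
// Added example, not code from the bug report or from Mozilla.
// Toy model of: (1) hold a History object from a same-origin window,
// (2) navigate that window cross-origin, (3) call replaceState on the
// held object, (4) the target's popstate handler renders event.state.

// Stand-in for a browsing context: the origin of the document it currently
// holds and the history.state of the current entry. (Constructed for demo.)
class BrowsingContext {
  constructor(origin) {
    this.origin = origin;
    this.state = null;
    this.popstateHandlers = [];
  }
  // A navigation replaces the document, so the origin (and handlers) change.
  navigate(origin) {
    this.origin = origin;
    this.state = null;
    this.popstateHandlers = [];
  }
  addPopstateHandler(fn) { this.popstateHandlers.push(fn); }
  // The browser firing popstate (e.g. on Back) with the entry's state.
  firePopstate() {
    return this.popstateHandlers.map((h) => h({ state: this.state }));
  }
}

// History object bound to a browsing context. recheckOnCall selects:
//   false = buggy form: the object was handed out while the caller was
//           same-origin and is never checked again;
//   true  = fixed form: every call compares the calling script's origin
//           with the origin of the document the context holds *now*.
function makeHistory(ctx, recheckOnCall) {
  function check(callerOrigin) {
    if (recheckOnCall && callerOrigin !== ctx.origin) {
      throw new Error(
        `SecurityError: ${callerOrigin} may not modify history of ${ctx.origin}`
      );
    }
  }
  return {
    // Caller origin is passed explicitly here; a real browser takes it from
    // the running script's principal, not from page-supplied arguments.
    pushState(callerOrigin, state) { check(callerOrigin); ctx.state = state; },
    replaceState(callerOrigin, state) { check(callerOrigin); ctx.state = state; },
  };
}

// Target page sink as described in comment 1: elem.innerHTML = event.state.x.
// Modelled by returning the markup that innerHTML would parse.
function victimHandlerUnsafe(event) {
  return String(event.state.x);
}

// Page-side hardening: treat state as text (elem.textContent = ...), which a
// page should do regardless of the browser-side fix.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function victimHandlerSafe(event) {
  return escapeHtml(event.state.x);
}

// Constructed origins and payload for the demo.
const ATTACKER = 'http://attacker.example';
const VICTIM = 'http://html5demos.com';
const PAYLOAD = { x: '<img src=x onerror="alert(document.cookie)">' };

// Runs the four steps. Returns the markup the target would have rendered,
// or 'blocked' if the browser refused the cross-origin replaceState.
function runScenario({ recheckOnCall, handler }) {
  const ctx = new BrowsingContext(ATTACKER);            // 1. same-origin window
  const history = makeHistory(ctx, recheckOnCall);      //    ... and its History
  ctx.navigate(VICTIM);                                 // 2. load the target
  ctx.addPopstateHandler(handler);                      //    target installs handler
  try {
    history.replaceState(ATTACKER, PAYLOAD);            // 3. call via held object
  } catch (e) {
    return 'blocked';
  }
  return ctx.firePopstate()[0];                         // 4. popstate in target
}

console.log('no recheck, innerHTML sink :', runScenario({ recheckOnCall: false, handler: victimHandlerUnsafe }));
console.log('recheck,    innerHTML sink :', runScenario({ recheckOnCall: true, handler: victimHandlerUnsafe }));
console.log('no recheck, text sink      :', runScenario({ recheckOnCall: false, handler: victimHandlerSafe }));
```

The point the model isolates is that a DOM object captured before a navigation must be re-checked against the window's current document on every call, not only when it was obtained; the first run shows the attacker's markup reaching the target's innerHTML, the second shows the call refused once that per-call check exists. The third run is the page-side caveat: even with the browser fixed, state objects are data, so a handler that assigns them to innerHTML rather than textContent is a sink waiting for the next bug.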
Comment 2

Looking at this.
Assignee: nobody → justin.lebar+bug

Comment 3

Is bug 608872 intended to fix this?
blocking2.0: --- → ?

Comment 4

(In reply to comment #3)
> Is bug 608872 intended to fix this?

Yes, says mrbkap.
Depends on: 608872

Updated

7 years ago
blocking2.0: ? → final+
Whiteboard: [sg:high]
Assignee: justin.lebar+bug → nobody

Updated

7 years ago
Assignee: nobody → mrbkap
Whiteboard: [sg:high] → [sg:high] fixed by bug 608872

Updated

7 years ago
Whiteboard: [sg:high] fixed by bug 608872 → [sg:high] fixed by bug 608872, hardblocker

Updated

7 years ago
Whiteboard: [sg:high] fixed by bug 608872, hardblocker → [sg:high] fixed by bug 608872[hardblocker]
(Assignee)

Comment 5

7 years ago
Created attachment 508662 [details] [diff] [review]
Proposed fix

I'm about to send this through try.
Attachment #508662 - Flags: review?(jst)

Updated

7 years ago
Attachment #508662 - Flags: review?(jst) → review+

Comment 6

This passed on try, so I landed it on m-c. And I forgot to update the bug number in the comment, where 691359 should be 619359, even though I pointed out that mistake to mrbkap myself last night :(

http://hg.mozilla.org/mozilla-central/rev/a79b46eef8f2
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Group: core-security
status-firefox5: --- → unaffected