Closed Bug 628231 Opened 13 years ago Closed 13 years ago

Arbitrary code execution using history.pushState

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

VERIFIED FIXED
Tracking Status
blocking2.0 --- betaN+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Details

(Whiteboard: [sg:critical][hardblocker][has patch][fx4-fixed-bugday] )

Attachments

(1 file, 2 obsolete files)

When calling history.pushState, nsDocShell::StringifyJSValVariant pushes a JS
context associated with the history object.  Thus, it's possible to call a
native function without a frame or a pushed principal, in which case a result
of nsScriptSecurityManager::IsCapabilityEnabled() is true.

The 1.9.2/1.9.1 branches do not have the history.pushState method.
Attached file testcase
This uses bug 344495's trick.
I've heard discussion of issues like this over desk separators in the office, so conceivably this is known and/or a dup -- adding people in or implicated in those discussions to the CC list.
Attached patch Fix (obsolete) — Splinter Review
There are better fixes. But they'll have to wait until after Firefox 4 has shipped (namely attaching the context principals stack to the compartment).
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #506939 - Flags: review?(jst)
blocking2.0: --- → betaN+
Whiteboard: [sg:critical][hardblocker]
Attachment #506939 - Flags: review?(jst) → review+
Fix landed:

http://hg.mozilla.org/mozilla-central/rev/244738bdb248
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
This got backed out due to crashes on tbpl. mrbkap has a fix, but we deemed it too dangerous to land this late tonight.

http://hg.mozilla.org/mozilla-central/rev/3eaae2138586
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attached patch Updated fix (obsolete) — Splinter Review
The last patch had a dumb mistake in it and would try to do stuff even if we hadn't set obj. This one avoids that mistake.
Attachment #506939 - Attachment is obsolete: true
Attachment #508037 - Flags: review?(jst)
Comment on attachment 508037 [details] [diff] [review]
Updated fix

r=jst, but there are some 2 vs 4 space indentation inconsistencies here. I can fix that when I land this...
Attachment #508037 - Flags: review?(jst) → review+
Attached patch Fixing that too — Splinter Review
Attachment #508037 - Attachment is obsolete: true
Whiteboard: [sg:critical][hardblocker] → [sg:critical][hardblocker][has patch]
Updated fix landed.

http://hg.mozilla.org/mozilla-central/rev/5502c6978c73
Status: REOPENED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Verified bad behavior in Firefox 4 b10 and fix in b11 build (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b11) Gecko/20100101 Firefox/4.0b11) using attached testcase.
Status: RESOLVED → VERIFIED
Whiteboard: [sg:critical][hardblocker][has patch] → [sg:critical][hardblocker][has patch][fx4-fixed-bugday]
Group: core-security → core-security-release
Group: core-security-release