Closed
Bug 665548
(CVE-2011-2999)
Opened 13 years ago
Closed 13 years ago
Named frames can shadow window.location sometimes
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla6
People
(Reporter: bzbarsky, Assigned: mounir)
Details
(Whiteboard: [sg:high])
Attachments
(3 files, 2 obsolete files)
4.28 KB,
patch
|
jst
:
approval-mozilla-aurora+
mounir
:
checkin+
|
Details | Diff | Splinter Review |
1.59 KB,
patch
|
Details | Diff | Splinter Review | |
5.08 KB,
patch
|
jst
:
review+
dveditz
:
approval1.9.2.20+
|
Details | Diff | Splinter Review |
location is a non-configurable property, so if you look up window.location before there is a <frame name="location"> you will always get the right window.location after that. But if you look it up for the first time _after_ such a frame exists, you will get the Window for the frame.
Effectively, the fix for bug 541530 can be circumvented by this means.
Comment 1•13 years ago
|
||
Mounir, you want to look into fixing this? I think it should be as simple as reordering the location specific code in nsWindowSH::NewResolve().
Assignee: nobody → mounir.lamouri
Assignee | ||
Updated•13 years ago
|
OS: Mac OS X → All
Hardware: x86 → All
Assignee | ||
Comment 2•13 years ago
|
||
I moved .location, .content and .onhaschange before frame name resolution to make sure they are not shadowed.
Attachment #540611 -
Flags: review?(jst)
Assignee | ||
Updated•13 years ago
|
Status: NEW → ASSIGNED
Whiteboard: [needs review]
Comment 3•13 years ago
|
||
Do we want all those not-shadowed.
does
function onhashchange() {
}
register hashchange listener?
Does the patch affect to that behavior?
Reporter | ||
Updated•13 years ago
|
Summary: Names frames can shadow window.location sometimes → Named frames can shadow window.location sometimes
Reporter | ||
Comment 4•13 years ago
|
||
I'd really like to keep this bug to the location case, since that's the JSPROP_PERMANENT case here, right?
Assignee | ||
Comment 5•13 years ago
|
||
This patch only moves window.location resolution before named frames.
Attachment #540611 -
Attachment is obsolete: true
Attachment #540611 -
Flags: review?(jst)
Attachment #540703 -
Flags: review?(jst)
Assignee | ||
Comment 6•13 years ago
|
||
BTW, how is that security sensitive?
Reporter | ||
Comment 7•13 years ago
|
||
For the same reasons bug 541530 was: this bug allows circumventing Flash player's same-origin policies....
Comment 8•13 years ago
|
||
Comment on attachment 540703 [details] [diff] [review]
Make sure window.location isn't shadowed
r=jst!
Attachment #540703 -
Flags: review?(jst) → review+
Assignee | ||
Updated•13 years ago
|
Whiteboard: [needs review]
Assignee | ||
Comment 9•13 years ago
|
||
r=jst
Attachment #540703 -
Attachment is obsolete: true
Attachment #540987 -
Flags: checkin+
Assignee | ||
Comment 10•13 years ago
|
||
Pushed to m-c:
http://hg.mozilla.org/mozilla-central/rev/433a6c04a18d
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 11•13 years ago
|
||
r=jst
Assignee | ||
Updated•13 years ago
|
Assignee | ||
Comment 12•13 years ago
|
||
Comment on attachment 540987 [details] [diff] [review]
Patch
Only asking approval for Aurora given that I suppose the Beta channel is the same as the release channel.
Attachment #540987 -
Flags: approval-mozilla-aurora?
Assignee | ||
Updated•13 years ago
|
Whiteboard: [needs branch]
Updated•13 years ago
|
Attachment #540987 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 13•13 years ago
|
||
Pushed in Aurora:
http://hg.mozilla.org/releases/mozilla-aurora/rev/ae5547ff8e67
Comment 14•13 years ago
|
||
Can we get a 1.9.2 patch? Or is branch unaffected?
Updated•13 years ago
|
Whiteboard: [needs branch] → [sg:high][needs branch]
Target Milestone: --- → mozilla7
Comment 15•13 years ago
|
||
This bug affects the 1.9.2 branch. Even though we've done "final" builds we may need to take this in 1.9.2.20 to avoid exposing our users to this when we release Firefox 6.
blocking1.9.2: --- → .20+
status1.9.2:
--- → wanted
Comment 16•13 years ago
|
||
Do we have a specific testcase for this?
Assignee | ||
Comment 17•13 years ago
|
||
(In reply to Al Billings [:abillings] from comment #16)
> Do we have a specific testcase for this?
data:text/html,<iframe name='location'></iframe><script>alert(window.location);</script>
should show "data:text/html,<iframe name='location'></iframe><script>alert(window.location);</script>" instead of "[object Window]" in the alert box.
I'm going to attach a patch for 1.9.2.20 in a few minutes. Sorry if I didn't do that before, I obviously missed Christian's comment :(
Target Milestone: mozilla7 → mozilla6
Assignee | ||
Comment 18•13 years ago
|
||
Attachment #551623 -
Flags: review?(jst)
Comment 19•13 years ago
|
||
Dan, Christian, are we definitely going to rebuild for this? Who wants to tell release-drivers if the answer is "yes?"
Updated•13 years ago
|
Attachment #551623 -
Flags: review?(jst) → review+
Comment 20•13 years ago
|
||
It looks like the testcase was not yet checked in to m-c/aurora/beta so we could possibly get away with waiting for the next 3.6.x release. But it's a simple patch (moves a block earlier in the file) and we haven't gone to beta yet. I'd be happier putting this in 3.6.20
Flags: in-testsuite?
Comment 21•13 years ago
|
||
FYI, This will delay the beta.
If we check in and go to build "now," QA will likely not get builds until tomorrow. Our contract resources are time shifted 9 or 10 hours (in Europe) so we would have to have builds in the next six or seven hours for them to test. This means that we'd need to run automation tomorrow in MV and then have staff locally run the manual tests that contractors normally run, as well as test new snippets for betatest (and snippets must be generated for .19 and .18 both given the unique nature of .19).
This likely means a Wednesday Beta, assuming nothing goes wrong.
Comment 22•13 years ago
|
||
Comment on attachment 551623 [details] [diff] [review]
1.9.2 patch
Approved for 1.9.2.20, a=dveditz for release-drivers
Attachment #551623 -
Flags: approval1.9.2.20+
Comment 23•13 years ago
|
||
Comment 24•13 years ago
|
||
We decided not to respin 3.6.20 for this, so we won't announce the Fx6 fix until we release 3.6.21.
blocking1.9.2: .20+ → .21+
Whiteboard: [sg:high][needs branch] → [sg:high][needs branch] don't announce until Fx7
Comment 25•13 years ago
|
||
qa- as no QA fix verification needed
Whiteboard: [sg:high][needs branch] don't announce until Fx7 → [sg:high][needs branch] don't announce until Fx7 [qa-]
Comment 26•13 years ago
|
||
Do we have a CVE id for this issue?
Updated•13 years ago
|
Alias: CVE-2011-2999
Updated•13 years ago
|
Group: core-security
Comment 27•12 years ago
|
||
This test never landed.
Comment 28•12 years ago
|
||
Comment on attachment 540988 [details] [diff] [review]
Tests
Can I go ahead and land this, Mounir? With the Makefile unbitrotted, the test passes locally for me.
Attachment #540988 -
Flags: feedback?(mounir)
Assignee | ||
Comment 29•12 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #27)
> This test never landed.
Just did:
https://hg.mozilla.org/integration/mozilla-inbound/rev/938c4afc92b9
Assignee | ||
Updated•12 years ago
|
Whiteboard: [sg:high][needs branch] don't announce until Fx7 [qa-] → [sg:high]
Assignee | ||
Updated•12 years ago
|
Attachment #540988 -
Flags: feedback?(mounir)
Comment 31•12 years ago
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•