Closed Bug 716262 Opened 13 years ago Closed 6 years ago

Components.stack loses stack of a function that calls dispatchEvent via iframe.src

Component: Core :: XPConnect (defect)
Platform: x86, Windows XP
Severity: normal

Status: RESOLVED INACTIVE
Reporter: teramako (Unassigned)

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0a1) Gecko/20120106 Firefox/12.0a1
Build ID: 20120106081835

Steps to reproduce:

In Greasemonkey, some GM_* APIs validate whether the API is called from page content or not using Components.stack.
This validator is GM_apiLeakCheck [1].

In many cases this validator works well.
But in some cases I noticed it doesn't work, because the stack doesn't appear in Components.stack.

Test code and Components.stack results are here [2]:

UserScript:

* addEventListener and call GM_* apis in the callback function

PageContent:

* define function sendEvent
  * createEvent and dispatchEvent
* create iframe and set src 'javascript:window.top.sendEvent()'


[1]: https://github.com/greasemonkey/greasemonkey/blob/master/components/greasemonkey.js#L51
[2]: https://gist.github.com/1565506
Component: General → XPConnect
QA Contact: general → xpconnect
Additionally I reported to Greasemonkey.
https://github.com/greasemonkey/greasemonkey/issues/1494
Confirmed; mostly-just-clickable steps recorded in GM's issue.

I have to think about it a little bit, but this could be anywhere from helpful to benign to a dangerous security hole, for Greasemonkey.  Re-worded explanation:

When Greasemonkey sees a call to one of its privileged APIs, it examines Components.stack to see where the call is coming from.  If _any_ part of the stack trace comes from anything but three well defined locations (parts of Greasemonkey itself) by "stack.filename" prefix, we abort the call.  This works because the GM scripts themselves are attributed to the point where we evalInSandbox() them.

In this bug, teramako is reporting a way to completely bypass this: the content window location (about:blank or javascript:..., or the http:... page executing the ".src=") is nowhere within the trace. This is regardless of the fact that the same sendEvent() function is doing the work, and the stack is as expected when it is called directly.
(Oh, and FWIW, confirmed on:

Mozilla/5.0 (X11; Linux i686 on x86_64; rv:10.0) Gecko/20100101 Firefox/10.0

)
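To make the check described in the comment above concrete, here is an added, Node-runnable model of a stack-prefix allow-list such as GM_apiLeakCheck. This is not Greasemonkey's own code: the three allowed prefixes and the frame filenames are constructed stand-ins, and the frames are plain objects mimicking the `.filename` / `.caller` linked-list shape of Components.stack. The second constructed stack reproduces what the reporter observed, namely that the content page's frame is simply absent when the call arrives through `iframe.src = 'javascript:...'`, so the allow-list check passes.

```javascript
// Added example (not Greasemonkey's code): a model of a Components.stack
// prefix allow-list and of the bypass described in this bug.
//
// Assumption: Components.stack frames expose .filename and .caller, forming
// a linked list from the innermost frame outward that ends in null.  The
// frame objects below are constructed to mimic that shape.

// Hypothetical stand-ins for the "three well defined locations" a call is
// allowed to originate from.
const ALLOWED_PREFIXES = [
  'chrome://greasemonkey/',
  'resource://greasemonkey/',
  'file:///home/user/.mozilla/firefox/prof/gm_scripts/',
];

// Walk the frame chain; abort (return false) as soon as any frame's filename
// falls outside the allow-list.  Frames without a filename (native code)
// carry nothing to attribute, so they are skipped.
function gmApiLeakCheck(stack, allowedPrefixes = ALLOWED_PREFIXES) {
  for (let frame = stack; frame !== null; frame = frame.caller) {
    if (!frame.filename) continue;
    const allowed = allowedPrefixes.some(p => frame.filename.startsWith(p));
    if (!allowed) return false;
  }
  return true;
}

// Build a linked frame list from an array ordered innermost -> outermost.
function makeStack(filenames) {
  let frame = null;
  for (let i = filenames.length - 1; i >= 0; i--) {
    frame = { filename: filenames[i], caller: frame };
  }
  return frame;
}

// Case 1: the page calls sendEvent() directly; the user script's listener
// then calls a GM_* API.  The content page is visible on the stack, so the
// call is correctly rejected.
const directCall = makeStack([
  'chrome://greasemonkey/content/api.js',                          // GM_* entry
  'file:///home/user/.mozilla/firefox/prof/gm_scripts/x/x.user.js', // listener
  'http://example.com/page.html',                                   // sendEvent -> dispatchEvent
]);

// Case 2 (this bug): the page sets iframe.src = 'javascript:window.top.sendEvent()'.
// Per the report, neither the javascript: URL nor the http: page appears in
// Components.stack; only Greasemonkey's own frames remain, so the check passes.
const viaIframeSrc = makeStack([
  'chrome://greasemonkey/content/api.js',
  'file:///home/user/.mozilla/firefox/prof/gm_scripts/x/x.user.js',
]);

function demo() {
  return {
    directCallAllowed: gmApiLeakCheck(directCall),   // false: content frame present
    viaIframeSrcAllowed: gmApiLeakCheck(viaIframeSrc), // true: content frame missing
  };
}

console.log(demo());
```

The takeaway for anyone reusing this pattern: an allow-list over stack frames only denies what the platform chooses to represent on the stack. A caller that the engine does not record (here, the javascript: URL navigation and the page that triggered it) is indistinguishable from no caller at all, which turns the check from a deny-unless-trusted gate into an allow-unless-seen one.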
Confirmed on:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20130729 Firefox/25.0
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE