Closed Bug 762920 Opened 8 years ago Closed 8 years ago

Bug 754202 regressed IsCapabilityEnabled

Categories

(Core :: Security, defect, blocker)

x86
Windows XP
defect
Not set
blocker

Tracking

()

RESOLVED FIXED
Tracking Status
firefox15 --- unaffected
firefox16 + fixed
firefox-esr10 --- unaffected

People

(Reporter: moz_bug_r_a4, Assigned: bholley)

References

Details

(Keywords: regression, sec-critical, testcase, Whiteboard: [advisory-tracking-] new in Fx 16)

When there is no frame, the result of IsCapabilityEnabled is always true.  This is not good since event listeners can be called with no frame.
This uses bug 344495's trick.
This works on trunk.
Over to Bobby.
Assignee: nobody → bobbyholley+bmo
mmmm... did we have no tests for this?
Hmm, the testcase doesn't work for me on trunk...
(In reply to Boris Zbarsky (:bz) from comment #3)
> mmmm... did we have no tests for this?

That used moz_bug_r_a4's stack frame trick? I wasn't sure those were ever checked in.
Blocks: 763129
We don't want to check in tests demonstrating the exploit, but often the specific problem can be demonstrated without using that trick (sometimes requires a chrome testcase to show the wrong thing is getting used/returned in places).
Severity: normal → blocker
This should be fixed by the backout in bug 754202 comment 41 right? I don't think it makes sense to leave open in case we reland it, but of course we should test it again.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: new in Fx 16
I can't get this testcase to do anything on pre-fix trunk builds. The only thing I see that is different pre and post fix on my mozilla central builds is that pre-fix has the following in the webconsole:

[12:02:01.330] Error: Permission denied for <https://bug762920.bugzilla.mozilla.org> to get property XPCComponents.utils

I see the same whether I load it locally or from bugzilla, as in above. Do we have something that repros that issue?
There should be a specific window, between when bug 754202 landed and when it was backed out, where you should get an alert popup (indicating that the exploit was successful).
Yeah, I thought I had it. I'll keep digging.
All right. I was a day off last time. Bug repro's in 6/9 Mozilla Central build and was fixed after back out off bug 754202.
Status: RESOLVED → VERIFIED
bug 754202 has relanded so it'd be safest to reverify this bug.
Status: VERIFIED → RESOLVED
Closed: 8 years ago8 years ago
Whiteboard: new in Fx 16 → [advisory-tracking+] new in Fx 16
Whiteboard: [advisory-tracking+] new in Fx 16 → [advisory-tracking-] new in Fx 16
Group: core-security
You need to log in before you can comment on or make changes to this bug.