Closed
Bug 765527
(CVE-2012-3994)
Opened 13 years ago
Closed 12 years ago
Object.defineProperty can shadow |top|
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
People
(Reporter: marius.mlynski, Assigned: mccr8)
References
Details
(Keywords: reporter-external, sec-high, Whiteboard: [advisory-tracking+])
Attachments
(5 files, 1 obsolete file)
300 bytes,
text/html
|
Details | |
532 bytes,
text/html
|
Details | |
5.04 KB,
patch
|
mrbkap
:
review+
justin.lebar+bug
:
feedback+
lsblakk
:
approval-mozilla-beta+
lsblakk
:
approval-mozilla-esr10+
|
Details | Diff | Splinter Review |
4.94 KB,
patch
|
Details | Diff | Splinter Review | |
2.43 KB,
patch
|
Details | Diff | Splinter Review |
Filing a new bug, as requested by Boris in Bug 756719 comment 10.
With bug 750307 fixed, the location property itself seems to be hardened well enough, but plugins may try to access it through |top.location| -- for instance, Adobe Flash Player opens javascript:top.location+"__flashplugin_unique__" to determine the page origin. And it is possible to shadow |top| using Object.defineProperty.
Incidentally, Google Chrome seems to disallow redefining |top|.
Reporter | ||
Updated•13 years ago
|
Attachment #633854 -
Attachment mime type: text/plain → text/html
Updated•13 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•13 years ago
|
||
Can we give the flash player Xray wrappers by default or something?
Comment 3•13 years ago
|
||
(In reply to Blake Kaplan (:mrbkap) from comment #2)
> Can we give the flash player Xray wrappers by default or something?
That would involve running NPAPI JS in a separate compartment. Which would be great, but I'm not signing up for that...
Comment 4•13 years ago
|
||
Even before we get that far: does flash JS need to see things like global variables by default? If so, we're sunk before we start.
Comment 5•13 years ago
|
||
Can we simply disallow mucking with top (and parent/owner while you're at it?).
Keywords: sec-high
Updated•13 years ago
|
status-firefox-esr10:
--- → affected
status-firefox13:
--- → wontfix
status-firefox14:
--- → affected
status-firefox15:
--- → affected
status-firefox16:
--- → affected
tracking-firefox-esr10:
--- → ?
tracking-firefox14:
--- → +
tracking-firefox15:
--- → +
tracking-firefox16:
--- → +
Updated•13 years ago
|
status-firefox17:
--- → affected
tracking-firefox17:
--- → +
Comment 6•13 years ago
|
||
Andrew says he can look into this, and yes, I think the answer here is to make window.top permanent so it can't be mucked with.
Assignee: nobody → continuation
Assignee | ||
Comment 7•12 years ago
|
||
Per jst's suggestion, I just copied what is done for sNavigator_id. I'm going to try to understand what it actually is doing...
Anyways, with this patch, the test produces this error:
JavaScript error: file:///Users/amccreight/mz/tests/765527.html, line 3: can't redefine non-configurable property 'top'
and does not produce a pop alert.
Assignee | ||
Comment 8•12 years ago
|
||
The original test seemed to hang my browser. This does the same thing, it just checks top.location.toString() directly instead of using a plugin. Without the patch, it evaluates to the bogus string, with it, it produces the correct URL.
Assignee | ||
Comment 9•12 years ago
|
||
I was getting some browser element failures, but jlebar pointed out GetScriptableTop(), and switching to that fixed the problem with those tests.
Attachment #650340 -
Attachment is obsolete: true
Assignee | ||
Comment 10•12 years ago
|
||
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch
I don't know this code very well. If top changes, this isn't going to be right because we're caching the result, but I think that's not possible, unless it is possible for the weird scripted stuff. If you could give feedback on the scripted top stuff, Justin (eg can it change) that would be good...
Attachment #650991 -
Flags: review?(mrbkap)
Attachment #650991 -
Flags: feedback?(justin.lebar+bug)
Assignee | ||
Comment 11•12 years ago
|
||
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch
If Justin says that we can't just cache the top value, we'll need a different approach that replaces the getter or something, so I'm clearing the review flag for now.
Attachment #650991 -
Flags: review?(mrbkap)
Comment 12•12 years ago
|
||
Suppose I move an iframe from one document to another. Does the iframe's contentWindow's outer window survive the re-parenting? That is, if I do
var w = iframe.contentWindow;
[move iframe from one document to another]
w.src = "http://google.com";
does that have any effect? If so, then the outer window's .top changes, so GetScriptableTop should change to match.
If not, then the only other circumstance I can think of which would cause GetScriptableTop to change is if you change a docshell's is-browser or is-app property, which you shouldn't do, and will likely break all sorts of other things.
Comment 13•12 years ago
|
||
(In reply to Justin Lebar [:jlebar] from comment #12)
> Suppose I move an iframe from one document to another.
In that case we reload the iframe.
Comment 14•12 years ago
|
||
... and in fact re-create docshell too.
Comment 15•12 years ago
|
||
If we re-create the docshell, then this should be fine.
Updated•12 years ago
|
Attachment #650991 -
Flags: feedback?(justin.lebar+bug) → feedback+
Assignee | ||
Comment 16•12 years ago
|
||
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch
Thanks for the analysis!
Attachment #650991 -
Flags: review?(mrbkap)
Comment 17•12 years ago
|
||
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch
Who knows what evil lurks in the hearts of men?
Attachment #650991 -
Flags: review?(mrbkap) → review+
Comment 18•12 years ago
|
||
Let's wait for this to be fixed on trunk before tracking for a specific ESR version again.
tracking-firefox-esr10:
15+ → ---
Comment 19•12 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #16)
> Comment on attachment 650991 [details] [diff] [review]
> v2, cargo culted patch
>
> Thanks for the analysis!
Let's get this landed on m-c for possible aurora/beta 16 uplift.
Assignee | ||
Comment 20•12 years ago
|
||
Comment 21•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Assignee | ||
Comment 22•12 years ago
|
||
This should get a testcase checked in, once it is made public.
Updated•12 years ago
|
Assignee | ||
Comment 23•12 years ago
|
||
Comment on attachment 650351 [details]
friendlier version of the original test
[Approval Request Comment]
User impact if declined: possible security risks with Flash
Bug caused by (feature/regressing bug #): none
Fix Landed on Version: it has been on 17 for a few days
Risk to taking this patch (and alternatives if risky): This changes web-exposed behavior which could potentially be bad, but Chrome already does this, so jst doesn't think it should be too bad. No real alternatives. I could leave it on Aurora and Nightly for another week or two to see if anything pops up.
String or UUID changes made by this patch: none
Attachment #650351 -
Flags: approval-mozilla-esr10?
Attachment #650351 -
Flags: approval-mozilla-beta?
Assignee | ||
Updated•12 years ago
|
Attachment #650351 -
Flags: approval-mozilla-esr10?
Attachment #650351 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 24•12 years ago
|
||
Comment on attachment 650991 [details] [diff] [review]
v2, cargo culted patch
Err, that message was for this attachment, not the other one...
Attachment #650991 -
Flags: approval-mozilla-esr10?
Attachment #650991 -
Flags: approval-mozilla-beta?
Assignee | ||
Comment 25•12 years ago
|
||
The test will have "GOOD!" in it twice if it passes, in the popup, otherwise one or both will be "BAD!" instead.
Comment 26•12 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #23)
> Risk to taking this patch (and alternatives if risky): This changes
> web-exposed behavior which could potentially be bad, but Chrome already does
> this, so jst doesn't think it should be too bad. No real alternatives. I
> could leave it on Aurora and Nightly for another week or two to see if
> anything pops up.
Let's target this fix for Beta 3, so that we can have a week on Aurora 17 of bake time. Normally I'd approve a change like this as early as possible to find regressions, but I'm concerned that if we land it on Beta and then find regressions, we'll be committed to still fixing in 16.
Updated•12 years ago
|
Attachment #650991 -
Flags: approval-mozilla-esr10?
Attachment #650991 -
Flags: approval-mozilla-esr10+
Attachment #650991 -
Flags: approval-mozilla-beta?
Attachment #650991 -
Flags: approval-mozilla-beta+
Assignee | ||
Comment 27•12 years ago
|
||
It works fine for beta, with minor adjustments. On ESR10, I had to change GetScriptedTop to GetTop, but even with that the test still fails with the patch applied, even though we are hitting the code I added. I'm not sure why that is.
Assignee | ||
Comment 28•12 years ago
|
||
Ah, so, this isn't working on ESR10 because bug 756719 never landed on ESR10.
Assignee | ||
Comment 29•12 years ago
|
||
I'll wait until that other bug lands on ESR10 to land this one there.
https://hg.mozilla.org/releases/mozilla-beta/rev/e7bcf3d49761
Blocks: CVE-2012-4209
Assignee | ||
Updated•12 years ago
|
Depends on: CVE-2012-1956
Updated•12 years ago
|
Whiteboard: [advisory-tracking+]
Updated•12 years ago
|
Alias: CVE-2012-3994
Assignee | ||
Comment 30•12 years ago
|
||
I confirmed that it worked on ESR10 with bug 756719, but it ended up getting backed out, so I'll wait until that sorts itself out before landing.
Assignee | ||
Comment 31•12 years ago
|
||
Assignee | ||
Comment 32•12 years ago
|
||
Backed out because bug 756719 (née bug 750307) was backed out:
https://hg.mozilla.org/releases/mozilla-esr10/rev/96931ca23431
Assignee | ||
Comment 33•12 years ago
|
||
Once more, with feeling.
https://hg.mozilla.org/releases/mozilla-esr10/rev/d3922c1c120e
Updated•12 years ago
|
Group: core-security
Flags: sec-bounty+
Assignee | ||
Comment 36•11 years ago
|
||
I don't really know what I'm doing here, so I'd appreciate a review. I'm not sure how useful this test really is, as this will be much harder to mess up in the WebIDL world, but it is probably useful.
Attachment #8462846 -
Flags: review?(bugs)
Assignee | ||
Comment 37•11 years ago
|
||
Comment on attachment 8462846 [details] [diff] [review]
Add test for shadowing window.top.
test fails on try
Attachment #8462846 -
Flags: review?(bugs)
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
Updated•8 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•