Audit passing null URIs in IPC.

Status: NEW
Assignee: Unassigned
Priority: P5
Severity: normal
Opened 6 years ago, updated 4 months ago
Reporter: wchen
Version: Trunk

Description

6 years ago
Follow up for https://bugzilla.mozilla.org/show_bug.cgi?id=775377#c6

cjones: we need to audit passing null URIs
cjones: sometimes that means "system principal", which has full privileges
cjones: content shouldn't be able to forge that across process boundaries
It might be better to get a bit more context here.
principal.URI can return null in more situations than the system principal. Indeed, the system principal will return a null URI but so do extended principals and so can regular principals.
OS: Mac OS X → All
Hardware: x86 → All
Version: unspecified → Trunk
Didn't follow that, but maybe we're not on the same page.

We deserialize nsIURI here:

http://mxr.mozilla.org/mozilla-central/source/netwerk/ipc/NeckoMessageUtils.h#86

The code lets null be deserialized. Is there anywhere that null nsIURI can flow that would cause harm?
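
An added example, not Gecko code and not written by anyone in this bug: a minimal model of the concern raised above, where a deserializer accepts a null URI and the receiver must not let a content process turn that null into system privilege. The wire format, type names and functions are all hypothetical.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical model: byte 0 is an "is null" flag (1 = null, 0 = spec follows).
enum class Sender { ParentProcess, ContentProcess };
enum class Principal { System, Codebase, NoPrivilege, Malformed };

struct MaybeURI {
  bool isNull = true;
  std::string spec;
};

// Like the deserializer discussed in the bug, null is a valid value here.
// Returns false only when the bytes are malformed.
bool ReadURI(const std::vector<uint8_t>& msg, MaybeURI& out) {
  if (msg.empty()) return false;
  if (msg[0] == 1) {                      // null marker, no payload allowed
    if (msg.size() != 1) return false;
    out = MaybeURI{};
    return true;
  }
  if (msg[0] != 0 || msg.size() < 2) return false;
  out.isNull = false;
  out.spec.assign(msg.begin() + 1, msg.end());
  return true;
}

// Weak receiver: a null URI is read as "system principal" whoever sent it.
Principal ResolveWeak(const MaybeURI& uri, Sender) {
  return uri.isNull ? Principal::System : Principal::Codebase;
}

// Checked receiver: a null URI from content never yields privilege; only the
// privileged sender's null is allowed to mean "system".
Principal ResolveChecked(const MaybeURI& uri, Sender from) {
  if (!uri.isNull) return Principal::Codebase;
  return from == Sender::ParentProcess ? Principal::System
                                       : Principal::NoPrivilege;
}

// Deserialize, then resolve; malformed messages never reach the resolver.
Principal Handle(const std::vector<uint8_t>& msg, Sender from, bool checked) {
  MaybeURI uri;
  if (!ReadURI(msg, uri)) return Principal::Malformed;
  return checked ? ResolveChecked(uri, from) : ResolveWeak(uri, from);
}
```

An audit of the kind requested here amounts to finding every receiver shaped like `ResolveWeak` and confirming the sender's identity is checked before null is given any privileged meaning.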
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven’t been updated in more than 3 years and have no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5