Closed Bug 821573 (CVE-2014-8631) Opened 7 years ago Closed 5 years ago
Stop allowing COWs to be passed as native interfaces
My patches in bug 658909 effectively make them so, and I discovered that this breaks the contact API, because it expects to be able to pass COWs into native XPCOM methods and have them appear as XPCWrappedJS. There's a pretty low chance that this is exploitable. Exploiting it involves finding a content-accessible native method that accepts an interface type not marked builtin-class, whose method/property requirements are somehow satisfied by those on a content-accessible chrome object, and that somehow manipulates the XPCWrappedJS-wrapped chrome object in a harmful way. I think this is unlikely, and this will be fixed by bug 658909 anyway. Still, I wanted to get it on file. So I'm flagging sec-low and marking the dep.
Just making moz_bug_r_a4 aware in case this trick is useful somehow :-)
Now that PeerConnection and Contacts are on WebIDL, we should hopefully be able to get rid of this case. https://tbpl.mozilla.org/?tree=Try&rev=d73009dd967a
Looks like we also need to remove COWs from:
* mozApps
* browser-element CustomEvents
* indexedDB IPC tests
Depends on: 899322
I'd wait a little bit before actually landing anything that relies on Contacts being WebIDL, as it has a lot of regressions filed against it.
Summary: COWs are not SCRIPT_ACCESS_ONLY → Stop allowing COWs to be passed as native interfaces
I think we may be able to do this now. https://tbpl.mozilla.org/?tree=Try&rev=2307927f1c4e
Attachment #8475702 - Flags: review?(gkrizsanits) → review+
Looks like the ICS xpcshell bustage is actually present on the underlying revision on m-c. Looks green otherwise. https://hg.mozilla.org/integration/mozilla-inbound/rev/a23b03bf9f61