Closed Bug 821591 Opened 13 years ago Closed 8 years ago

Contacts API access roles (create vs update) is enforced in the child not the parent.

Categories

(Firefox OS Graveyard :: General, defect)

defect
Not set
normal

Tracking

(blocking-b2g:-)

RESOLVED INVALID
blocking-b2g -

People

(Reporter: pauljt, Unassigned)

References

Details

The contacts:save message is used for both saving a contact and creating a new contact. The logic for deciding whether the contact is new or an update is in the child [1], which means that a compromised child process with the "create" access role can actually modify existing contacts, as if they had "update". (I.e. the child could just change the reason for the save to create, but use an existing ID.) There should be a check in the parent [2] that if it's a create, then make sure the contact doesn't already exist.

[1] http://mxr.mozilla.org/mozilla-central/source/dom/contacts/ContactManager.js#517
[2] http://mxr.mozilla.org/mozilla-central/source/dom/contacts/fallback/ContactService.jsm#158
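The parent-side check the report asks for, as an added example that is not Gecko's code: a simplified model of the contacts:save handler, with the child-trusting version beside one that decides create-vs-update in the parent from its own store. The in-memory store, the permission names and the message shape are assumptions.

```javascript
// Added example (not Gecko code): a simplified model of the parent-side
// contacts:save handler. A Map stands in for the contacts database;
// permission names ("contacts-create", "contacts-write") and the message
// shape { reason, contact } are assumptions for the illustration.

class ContactStore {
  constructor() { this.contacts = new Map(); }
  has(id) { return this.contacts.has(id); }
  put(contact) { this.contacts.set(contact.id, { ...contact }); }
  get(id) { return this.contacts.get(id); }
}

// Vulnerable parent: trusts the child's `reason` field and only checks that
// the sender holds the permission matching that reason. A child holding only
// the create role can send reason:"create" with an existing id and overwrite.
function saveTrustingChild(store, perms, msg) {
  const needed = msg.reason === "create" ? "contacts-create" : "contacts-write";
  if (!perms.has(needed)) return { ok: false, error: "PermissionDenied" };
  store.put(msg.contact);          // no check that a "create" is really new
  return { ok: true };
}

// Hardened parent: decides for itself whether this is a create or an update by
// looking the id up in its own store, rejects a "create" for an existing id,
// and requires the permission for the operation actually being performed.
function saveCheckedInParent(store, perms, msg) {
  const exists = store.has(msg.contact.id);
  if (msg.reason === "create" && exists) {
    return { ok: false, error: "ContactAlreadyExists" };
  }
  const needed = exists ? "contacts-write" : "contacts-create";
  if (!perms.has(needed)) return { ok: false, error: "PermissionDenied" };
  store.put(msg.contact);
  return { ok: true };
}

// Constructed scenario: the parent already holds contact "c-1"; a child with
// only the create role sends a "create" message that reuses that id.
function demo(handler) {
  const store = new ContactStore();
  store.put({ id: "c-1", name: "Alice", tel: "555-0100" });
  const createOnly = new Set(["contacts-create"]);
  const result = handler(store, createOnly, {
    reason: "create",
    contact: { id: "c-1", name: "Alice", tel: "555-0199" },
  });
  return { result, tel: store.get("c-1").tel };
}
```

With the trusting handler `demo` reports the stored number changed to 555-0199; with the parent-side check the save is refused and 555-0100 survives.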
Is this necessary for v1? If so, please nominate for b-b?
I think the risk here is pretty minor - it's basically an escalation from contacts read permission to contacts write permission, but only once you have already compromised the child process, by which point you can do way worse things at the moment. So I think this is non-blocking for basecamp.
koi? since it blocks bug 820202 but we don't usually block on meta bugs (which bug 820202 is).
blocking-b2g: --- → koi?
needinfo Paul here to see if this is really 1.2 blocking given we are already feature complete on that branch, in which case this is koi-.
Flags: needinfo?(ptheriault)
Koi- is fine. All the bugs blocking 820202 should be considered a priority for security hardening but all require an additional vulnerability to exploit. (That is, unless I have explicitly called them out as blocking.)
Flags: needinfo?(ptheriault)
blocking-b2g: koi? → -
Contacts API is gone.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID