Closed
Bug 821591
Opened 13 years ago
Closed 8 years ago
Contacts API access roles (create vs update) is enforced in the child not the parent.
Categories
(Firefox OS Graveyard :: General, defect)
Tracking
(blocking-b2g:-)
RESOLVED
INVALID
People
(Reporter: pauljt, Unassigned)
The contacts:save message is used for both saving a contact and creating a new contact. The logic for deciding whether the contact is new or an update is in the child[1], which means that a compromised child process with the "create" access role can actually modify existing contacts, as if they had "update" (i.e., the child could just change the reason for the save to create, but use an existing ID). There should be a check in the parent[2] that if it's a create, then make sure the contact doesn't already exist.
[1] http://mxr.mozilla.org/mozilla-central/source/dom/contacts/ContactManager.js#517
[2] http://mxr.mozilla.org/mozilla-central/source/dom/contacts/fallback/ContactService.jsm#158
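The parent-side check asked for in the description, sketched as an added example; it is not code from ContactService.jsm or from the reporter. The message shape (`reason`, `contact.id`), the role names held in a `Set`, and the in-memory `Map` standing in for the contacts database are all assumptions made for illustration.

```javascript
// Added illustration, not the Gecko implementation.
// Constructed sample store: one existing contact with ID "c1".
function sampleDb() {
  return new Map([["c1", { id: "c1", name: "Alice" }]]);
}

// Flawed pattern from the report: the parent authorizes the save using
// the "reason" field, which the (possibly compromised) child controls.
function saveTrusting(db, roles, msg) {
  const needed = msg.reason === "create" ? "create" : "update";
  if (!roles.has(needed)) return { ok: false, error: "denied" };
  db.set(msg.contact.id, { ...msg.contact });
  return { ok: true };
}

// Hardened pattern: the parent derives the operation from its own state
// and treats the child's claim as a hint that must agree with it.
function saveChecked(db, roles, msg) {
  const needed = db.has(msg.contact.id) ? "update" : "create";
  if (msg.reason !== needed) {
    // A "create" for an existing ID never comes from a well-behaved
    // child, so a mismatch is also worth logging as a signal.
    return { ok: false, error: "reason-mismatch" };
  }
  if (!roles.has(needed)) return { ok: false, error: "denied" };
  db.set(msg.contact.id, { ...msg.contact });
  return { ok: true };
}

// Constructed message: a caller holding only "create" labels an
// overwrite of the existing ID "c1" as a create.
const mislabeled = { reason: "create", contact: { id: "c1", name: "Changed" } };
const createOnly = new Set(["create"]);

const dbA = sampleDb();
console.log(saveTrusting(dbA, createOnly, mislabeled), dbA.get("c1").name);

const dbB = sampleDb();
console.log(saveChecked(dbB, createOnly, mislabeled), dbB.get("c1").name);
```

The same derivation applies to any parent handler that shares one message between operations with different access roles: the role to check comes from parent-held state, never from a field in the message.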
Comment 1•13 years ago
Is this necessary for v1? If so, please nominate for b-b?
Comment 2•13 years ago (Reporter)
I think the risk here is pretty minor - it's basically an escalation from contacts read permission to contacts write permission, but only once you have already compromised the child process, by which point you can do way worse things at the moment. So I think this is non-blocking for basecamp.
Comment 3•12 years ago
koi? since it blocks bug 820202 but we don't usually block on meta bugs (which bug 820202 is).
blocking-b2g: --- → koi?
Comment 4•12 years ago
needinfo Paul here to see if this is really a 1.2 blocking given we are already feature complete on that branch, in which case this is koi- .
Flags: needinfo?(ptheriault)
Comment 5•12 years ago (Reporter)
Koi- is fine. All the bugs blocking 820202 should be considered a priority for security hardening but all require an additional vulnerability to exploit. (That is, unless I have explicitly called them out as blocking.)
Flags: needinfo?(ptheriault)
Updated•12 years ago
blocking-b2g: koi? → -
Comment 6•8 years ago (Reporter)
Contacts API is gone.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID