Closed Bug 829331 Opened 13 years ago Closed 12 years ago

compartment mismatch in nsJSIID::NewResolve

Categories

(Core :: XPConnect, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

()

RESOLVED INCOMPLETE

People

(Reporter: mccr8, Unassigned)

Details

(Keywords: sec-audit)

Found by inspection in bug 826741:

"nsJSIID::NewResolve looks slightly questionable, but maybe it is okay. It grabs an interface, then a member, then a constant off the member, then sticks it as a property on obj. Maybe GetConstantValue() always returns something that doesn't have a compartment, so compartment mismatches aren't an issue?"

from bholley:

"Well, it might be a string or something. XPCNativeMember::Resolve ends up invoking XPCConvert::NativeData2JS, which is going to use whatever compartment ccx is in. I agree that it's unlikely to be a problem (and when do people Xray to an nsJSIID anyway?), but let's fix it while we're at it."

Marking as sec-audit because it seems like this is probably not a problem in practice.
Summary: compartment mismatch in nsJSIIDL::NewResolve → compartment mismatch in nsJSIID::NewResolve
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INCOMPLETE
Group: core-security