Closed Bug 86147 Opened 23 years ago Closed 23 years ago

SECURITY: should require same-origin when defining a getter/setter

Categories

(Core :: Security, defect, P1)

Product:
Core
Component:
Security
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.3

People

(Reporter: jruderman, Assigned: jst)

Details

(Whiteboard: [PDT+])

Attachments

(2 files)

testcase
564 bytes, text/html
Details
Proposed fix.
2.88 KB, patch
Details | Diff | Splinter Review
A page can define getters and setters for attribute of any object in another domain as long as they can get a reference to the parent object. Putting a getter on an object lets me give it a different value (as well as find out when the page accesses that value), and putting a setter on an object lets me find out what values the page tries to assign to that object. Using this hole, I can find out what foopy is if the page does passwd = foopy; or document.getElementById(foopy); (by redefining document.getElementById to be a function defined by me) or document.frm.password = foopy; (by redefining document.frm to be an object with a setter for the 'password' property which is defined by me). This bug exists with at least two methods of defining getter or setter: * otherWindow.variable getter = function () { ... }; [deprecated syntax] * otherWindow.__defineGetter__ ("variable", function () { ... });
Attached file testcase
I'm sure we've seen this before, and I thought we fixed it. Oh well. I'd consider this an RTM stopper.
Keywords: nsBranch
Target Milestone: --- → mozilla0.9.3
Status: NEW → ASSIGNED
Priority: -- → P1
Adding nsBranch keyword as these bugs need to get into RTM.
Assigining the getter/setter cross-domain was blocked in 0.9, but not now, so this is a regression. There used to be a callback from the JS engine when a getter was assigned; maybe this got blown away by XPCDOM?
I am marking [PDT+] to track this security bug as RTM stopper as per Mitch's comment on 6-20 17:17. Don't want to lose this bug in all of the nsbranch keyword bugs.
Summary: should require same-origin when defining a getter/setter → SECURITY: should require same-origin when defining a getter/setter
Whiteboard: [PDT+]
Taking bug, I know how to fix this, we can re-introduce the old security check that caught this in pre-XPCDOM builds.
OS: Windows NT → All
Hardware: PC → All
Really taking bug...
Assignee: mstoltz → jst
Status: ASSIGNED → NEW
Attached patch Proposed fix.Splinter Review
The attached patch fixes this problem, along with fixing a bug in the JS engine which is required for the real fix for this problem. Mitchell, could you review? Brendan, could you sr?
Status: NEW → ASSIGNED
Do you need to set *_retval unconditionally at the top of nsDOMClassInfo::CheckAccess, or is it "inout" in the sense that it comes in with a sane default value? Other than that, sr=brendan@mozilla.org. /be
Brendan, *_retval is meant to be only an out parameter but jband and I decided to default the value of *_retval to a sane value (PR_TRUE) in XPConnect so that we wouldn't need to set it in all scriptable helper methods. We only need to set it to false to indicate failure. Thanks for the sr.
Keywords: mozilla0.9.3
Perfect...r=mstoltz
Fix checked in on both the trunk and the .92 branch.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Marking VERIFIED FIXED on: -MacOS91 2001-07-10-03-0.9.2 -LinRH62 2001-07-10-08-0.9.2 -Win98SE 2001-07-10-05-0.9.2
Status: RESOLVED → VERIFIED
See also bug 90591, a security hole that allows me to get around this check.
Removing NS_Confidential flag.
Group: netscapeconfidential?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: