Closed Bug 868528 Opened 9 years ago Closed 9 years ago

content._content is not Xray


(Core :: Security, defect)

Windows XP
Not set



Tracking Status
firefox21 --- unaffected
firefox22 --- unaffected
firefox23 --- verified
firefox-esr17 --- unaffected
b2g18 --- unaffected


(Reporter: moz_bug_r_a4, Assigned: bholley)



(Keywords: regression, sec-moderate, Whiteboard: [adv-main23-])


(2 files)

When chrome accesses content._content, a content-defined "content" property can be accessed.

This is a regression from bug 861530.
Attached file testcase
What's the security rating here?
Flags: needinfo?(dveditz)
Maybe we should just ban chrome from accessing _content...
(In reply to Andrew McCreight [:mccr8] from comment #3)
> Maybe we should just ban chrome from accessing _content...

Given that _content isn't available in other UAs, I'd presumed that this was primarily a compat hack for addon code. So if we don't care about that, maybe we should just remove support for this stuff entirely.
I don't think we can break all the add-ons -- capped at 1000 hits and doesn't look like I got very far in the list

CC'ing Jorge to keep an eye on this in case you decide to pursue that approach anyway, but I think you'll need to find another fix. In the short term what happens if we back out "sec-audit" bug 861530? Was that fixing a problem more severe than indicated by the security rating?
Flags: needinfo?(dveditz)
Keywords: regression
Yeah, I filed bug 869229 to remove _content, then bholley pointed out it is used all over the place, so I closed it WONTFIX.
I can take this.
Assignee: nobody → bobbyholley+bmo
Keywords: sec-moderate
Actually, it looks like we never supported this over Xrays at all before, so all those addon usages are probably doing it against their own (privileged) windows.

As such, I think we can just kill this over Xray. I'll write a patch.
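A constructed JavaScript model of the problem described in comment 0 and of the fix chosen here (an added illustration, not Gecko's code; `nativeProto`, `makeXray` and the two `resolveAlias*` functions are hypothetical stand-ins for the real Xray machinery):

```javascript
// Constructed toy model of this bug, not Gecko code: an Xray-style wrapper lets
// chrome see only native window properties, but the `_content` alias used to be
// resolved with an ordinary lookup on the underlying content window, where web
// content can shadow `content` with its own property.
const nativeState = new WeakMap(); // stands in for C++-side state content can't touch

const nativeProto = {
  get content() { return nativeState.get(this).inner; },
  get location() { return nativeState.get(this).href; },
};

function makeContentWindow() {
  const win = Object.create(nativeProto);
  nativeState.set(win, {
    inner: { name: "inner-window", trusted: true },
    href: "https://example.invalid/", // constructed sample value
  });
  return win;
}

// Before the fix: plain property lookup, so a content-defined own `content` wins.
function resolveAliasUnsafe(win) { return win.content; }

// After the fix chosen in this bug: `_content` is not resolved over Xrays at all.
function resolveAliasFixed() { return undefined; }

// Xray wrapper: native properties are read via the prototype getters, skipping
// any own (content-defined) property that shadows them.
function makeXray(win, resolveAlias) {
  return new Proxy({}, {
    get(_target, prop) {
      if (prop === "_content") return resolveAlias(win);
      const desc = Object.getOwnPropertyDescriptor(nativeProto, prop);
      return desc ? desc.get.call(win) : undefined;
    },
  });
}

function demo() {
  const win = makeContentWindow();
  // Web content shadows `content` on its own window object.
  Object.defineProperty(win, "content", { value: { evil: true }, configurable: true });
  const before = makeXray(win, resolveAliasUnsafe);
  const after = makeXray(win, resolveAliasFixed);
  return {
    leaked: before._content.evil === true,              // chrome got content's object
    blocked: after._content === undefined,              // alias gone over Xray
    contentStillNative: after.content.trusted === true, // `content` itself stays safe
  };
}
```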
Attachment #746665 - Flags: review?(continuation)
Comment on attachment 746665 [details] [diff] [review]
Don't expose _content over Xrays. v1

Review of attachment 746665 [details] [diff] [review]:


::: dom/base/nsDOMClassInfo.cpp
@@ +5027,5 @@
>      *objp = obj;
>      return NS_OK;
>    }
> +  // NB: By accident, we previously idn't support this over Xrays. This is a
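Review bot: the new comment line `+  // NB: By accident, we previously idn't support this over Xrays.` has a typo ("idn't" for "didn't"); while fixing it, consider naming this bug (868528) and bug 861530 in the comment so the next reader knows that not exposing `_content` over Xrays is now deliberate rather than the earlier accident.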

idn't --> didn't
Attachment #746665 - Flags: review?(continuation) → review+
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Keywords: verifyme
QA Contact: ioana.budnar
Verified as fixed on:
Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0 (20130718163513)
Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20130718 Firefox/25.0 (20130718030201)*

*On the latest Nightly, I tested with the Browser Console, since that's supposed to replace the Error Console.
Keywords: verifyme
Whiteboard: [adv-main23-]
Group: core-security