Closed Bug 868528 Opened 12 years ago Closed 12 years ago

content._content is not Xray

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

VERIFIED FIXED
mozilla23
Tracking Status
firefox21 --- unaffected
firefox22 --- unaffected
firefox23 --- verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: moz_bug_r_a4, Assigned: bholley)

References

Details

(Keywords: regression, sec-moderate, Whiteboard: [adv-main23-])

Attachments

(2 files)

When chrome accesses content._content, a content-defined "content" property can be accessed. This is a regression from bug 861530.
Attached file testcase
What's the security rating here?
Flags: needinfo?(dveditz)
Maybe we should just ban chrome from accessing _content...
(In reply to Andrew McCreight [:mccr8] from comment #3)
> Maybe we should just ban chrome from accessing _content...

Given that _content isn't available in other UAs, I'd presumed that this was primarily a compat hack for addon code. So if we don't care about that, maybe we should just remove support for this stuff entirely.
I don't think we can break all the add-ons -- capped at 1000 hits and doesn't look like I got very far in the list
https://mxr.mozilla.org/addons/search?string=._content&find=&findi=&filter=_content\b&hitlimit=&tree=addons

CC'ing Jorge to keep an eye on this in case you decide to pursue that approach anyway, but I think you'll need to find another fix.

In the short term what happens if we back out "sec-audit" bug 861530? Was that fixing a problem more severe than indicated by the security rating?
Flags: needinfo?(dveditz)
Keywords: regression
Yeah, I filed bug 869229 to remove _content, then bholley pointed out it is used all over the place, so I closed it WONTFIX.
I can take this.
Assignee: nobody → bobbyholley+bmo
Keywords: sec-moderate
Actually, it looks like we never supported this over Xrays at all before, so all those addon usages are probably doing it against their own (privileged) windows. As such, I think we can just kill this over Xray. I'll write a patch.
Attachment #746665 - Flags: review?(continuation)
Comment on attachment 746665 [details] [diff] [review] Don't expose _content over Xrays. v1 Review of attachment 746665 [details] [diff] [review]: ----------------------------------------------------------------- Nice! ::: dom/base/nsDOMClassInfo.cpp @@ +5027,5 @@ > *objp = obj; > return NS_OK; > } > > + // NB: By accident, we previously idn't support this over Xrays. This is a idn't --> didn't
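Review bot: the added comment at the end of this hunk in dom/base/nsDOMClassInfo.cpp says the missing Xray support was "by accident", and the visible part does not say that it is now deliberate. Suggest the comment state that _content is intentionally not exposed over Xrays and cite bug 868528, so the check is not removed later as leftover compatibility code. The "idn't" typo noted in the review above also needs fixing before landing.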
Attachment #746665 - Flags: review?(continuation) → review+
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Keywords: verifyme
QA Contact: ioana.budnar
Verified as fixed on:
Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0 (20130718163513)
Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20130718 Firefox/25.0 (20130718030201)*

*On the latest Nightly, I tested with the Browser Console, since that's supposed to replace the Error Console.
Status: RESOLVED → VERIFIED
Keywords: verifyme
Whiteboard: [adv-main23-]
Group: core-security
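
The behaviour discussed in this bug, modelled in plain JavaScript as an added example; it is not the attached testcase, the patch, or Gecko code. All names are hypothetical, and the model assumes the `_content` alias was resolved on the underlying page-visible object rather than through the Xray view, which the bug does not spell out.

```javascript
// Constructed model of a content window: native slots plus page-defined expandos.
const NATIVE_PROPS = new Set(["content", "location"]);

function makeContentWindow() {
  return {
    native: { content: "[native content window]", location: "https://example.test/" },
    expandos: {}, // properties defined by page script; they shadow natives for the page
  };
}

// What unprivileged page script sees: its own expandos first, then natives.
function pageView(win, name) {
  return name in win.expandos ? win.expandos[name] : win.native[name];
}

// Xray-style view for privileged (chrome) callers: natives only, expandos ignored.
// exposeLegacyAlias=true models the regression, false models the fix
// ("Don't expose _content over Xrays").
function xrayView(win, { exposeLegacyAlias }) {
  return new Proxy({}, {
    get(_target, name) {
      if (name === "_content") {
        // Assumed mechanism: the alias looks up "content" on the underlying
        // object, so it bypasses the native-only filtering below.
        return exposeLegacyAlias ? pageView(win, "content") : undefined;
      }
      return NATIVE_PROPS.has(name) ? win.native[name] : undefined;
    },
  });
}

function demo() {
  const win = makeContentWindow();
  win.expandos.content = "[page-controlled value]"; // page shadows "content"
  const regressed = xrayView(win, { exposeLegacyAlias: true });
  const fixed = xrayView(win, { exposeLegacyAlias: false });
  return {
    xrayContent: regressed.content,      // filtered: native value
    regressedAlias: regressed._content,  // unfiltered: page-controlled value
    fixedAlias: fixed._content,          // alias not exposed over the Xray view
    fixedContent: fixed.content,         // the supported name keeps working
  };
}

console.log(demo());
```

Privileged code that reads `content` through the filtered view gets the native value either way; only the alias differed, which is why dropping it over Xrays closes the gap without touching add-ons that use `_content` on their own privileged windows.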