Closed Bug 868528 Opened 7 years ago Closed 6 years ago

content._content is not Xray

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set

Tracking


VERIFIED FIXED
mozilla23
Tracking Status
firefox21 --- unaffected
firefox22 --- unaffected
firefox23 --- verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: moz_bug_r_a4, Assigned: bholley)

Details

(Keywords: regression, sec-moderate, Whiteboard: [adv-main23-])

Attachments

(2 files)

When chrome accesses content._content, a content-defined "content" property can be accessed.

This is a regression from bug 861530.
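As an added illustration (not from this bug, its testcase, or Gecko's own code), a small Node.js model of the property-resolution mistake described above: privileged (chrome) code asks an Xray-style wrapper for `_content`, the buggy resolver answers by reading the page's own `content` property, and the fixed resolver does not expose `_content` over the wrapper at all. The content window object, the page-defined `content` expando, the `NATIVE_PROPS` list and the `chromeReadsLocation` helper are all constructed for this demo; Gecko's real resolver lives in C++ (nsDOMClassInfo.cpp) and does not use a JS Proxy.

```javascript
// Model of bug 868528 (added example, not Gecko code).
// An Xray wrapper is meant to give chrome the native view of a content
// object, ignoring anything the web page defined on it.

// Constructed content window: the page has shadowed "content" with an
// attacker-controlled object (what a malicious page could do).
function makeContentWindow() {
  const win = { location: "http://example.test/", document: { title: "page" } };
  // Page script: window.content = {...};
  win.content = { location: "javascript:attacker", document: { title: "spoofed" } };
  return win;
}

// Properties the DOM itself defines on a window (assumed, for the model).
const NATIVE_PROPS = new Set(["location", "document"]);

// Buggy resolver (models the regression): resolving `_content` for a
// chrome caller does a plain lookup of `content` on the wrapped object,
// so the page's expando is what chrome receives.
function xrayBuggy(win) {
  return new Proxy({}, {
    get(_, prop) {
      if (prop === "_content") return win.content;   // page-controlled value
      if (NATIVE_PROPS.has(prop)) return win[prop];  // native view only
      return undefined;
    }
  });
}

// Fixed resolver (models the patch): `_content` is simply not exposed over
// Xrays, so chrome sees undefined and only native properties are reachable.
function xrayFixed(win) {
  return new Proxy({}, {
    get(_, prop) {
      if (NATIVE_PROPS.has(prop)) return win[prop];
      return undefined;                              // `_content` included
    }
  });
}

// Constructed chrome-side code that trusts `_content` when present.
function chromeReadsLocation(xray) {
  const target = xray._content ?? xray;
  return target.location;
}

console.log("buggy :", chromeReadsLocation(xrayBuggy(makeContentWindow())));
console.log("fixed :", chromeReadsLocation(xrayFixed(makeContentWindow())));
```

With the buggy wrapper the privileged caller ends up operating on the page's `content` object (here a spoofed location); with the fixed wrapper `_content` is undefined and the caller falls back to the native, untainted view.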
Attached file testcase
What's the security rating here?
Flags: needinfo?(dveditz)
Maybe we should just ban chrome from accessing _content...
(In reply to Andrew McCreight [:mccr8] from comment #3)
> Maybe we should just ban chrome from accessing _content...

Given that _content isn't available in other UAs, I'd presumed that this was primarily a compat hack for addon code. So if we don't care about that, maybe we should just remove support for this stuff entirely.
I don't think we can break all the add-ons -- capped at 1000 hits and doesn't look like I got very far in the list
https://mxr.mozilla.org/addons/search?string=._content&find=&findi=&filter=_content\b&hitlimit=&tree=addons

CC'ing Jorge to keep an eye on this in case you decide to pursue that approach anyway, but I think you'll need to find another fix. In the short term what happens if we back out "sec-audit" bug 861530? Was that fixing a problem more severe than indicated by the security rating?
Flags: needinfo?(dveditz)
Keywords: regression
Yeah, I filed bug 869229 to remove _content, then bholley pointed out it is used all over the place, so I closed it WONTFIX.
I can take this.
Assignee: nobody → bobbyholley+bmo
Keywords: sec-moderate
Actually, it looks like we never supported this over Xrays at all before, so all those addon usages are probably doing it against their own (privileged) windows.

As such, I think we can just kill this over Xray. I'll write a patch.
Attachment #746665 - Flags: review?(continuation)
Comment on attachment 746665 [details] [diff] [review]
Don't expose _content over Xrays. v1

Review of attachment 746665 [details] [diff] [review]:
-----------------------------------------------------------------

Nice!

::: dom/base/nsDOMClassInfo.cpp
@@ +5027,5 @@
>      *objp = obj;
>      return NS_OK;
>    }
>  
> +  // NB: By accident, we previously idn't support this over Xrays. This is a
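Review bot: the new comment at @@ +5027 in dom/base/nsDOMClassInfo.cpp misspells "didn't" as "idn't", and it opens with history ("By accident, we previously ...") rather than with the rule the code now enforces; suggest leading with the invariant, e.g. `// Don't expose _content over Xrays (bug 868528).` and keeping the historical note after it. Only the comment line is visible in this hunk: the Xray check itself, and whether it sits before or after the `*objp = obj; return NS_OK;` path shown in the context, is outside the quoted lines and cannot be confirmed here.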

idn't --> didn't
Attachment #746665 - Flags: review?(continuation) → review+
https://hg.mozilla.org/mozilla-central/rev/ade6bafb19e4
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Keywords: verifyme
QA Contact: ioana.budnar
Verified as fixed on:
Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0 (20130718163513)
Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20130718 Firefox/25.0 (20130718030201)*

*On the latest Nightly, I tested with the Browser Console, since that's supposed to replace the Error Console.
Status: RESOLVED → VERIFIED
Whiteboard: [adv-main23-]
Group: core-security