javascript code in message subject runs, with system principal (settimeout)

VERIFIED FIXED in mozilla0.9.2

Status

P1
critical
VERIFIED FIXED
18 years ago
8 years ago

People

(Reporter: jruderman, Assigned: bugzilla)

Tracking

Trunk
mozilla0.9.2
x86
Windows NT

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [PDT+]; critical for 0.9.2; Fixed in the branch; security)

Attachments

(1 attachment)

(Reporter)

Description

18 years ago
I can get code to run with system principal on a victim's computer if I can
get him/her to send a message with a subject of my choice.  (One way to do this
would be to send a message with the code as the subject, and hope that the
victim will reply to the message.)

Sending a message with the following subject
  '); alert(Components.classes); ('
causes this javascript code to run, and run with system principal.

Here's the problematic code in sendProgress.js:
  //We need to delay the set title else dom will overwrite it
  return window.setTimeout( "SetTitle('" + subject + "');", 0 );

This seems to be part of code that sets the title of the "sending message:
[subject]" dialog, because using a subject of b'+'lah results in that having
"blah" in its title.
(Reporter)

Updated

18 years ago
Group: netscapeconfidential?

Comment 1

18 years ago
I'll mark PDT+ to get on PDT radar.
Whiteboard: [PDT+]
Whiteboard: [PDT+] → [PDT+]; critical for 0.9.2

Comment 2

18 years ago
we need a good fix for this as soon as we can get it.

Comment 3

18 years ago
adding brendan and jst in case they can help. 

Updated

18 years ago
Priority: -- → P1
Target Milestone: --- → mozilla0.9.2
(Assignee)

Comment 4

18 years ago
accepting...
Status: NEW → ASSIGNED
(Assignee)

Comment 5

18 years ago
(Assignee)

Updated

18 years ago
Whiteboard: [PDT+]; critical for 0.9.2 → [PDT+]; critical for 0.9.2; Have fix
(Assignee)

Comment 6

18 years ago
jesse, can you review the patch?

Comment 7

18 years ago
Great catch! r/sr=vidur for J-F's fix.

Calls to eval() and new Function() might be other places where similar patterns
could exist.
eval, Script or new Script or Script.prototype.compile, Function or new
Function, are all callable as setTimeout("...", t) is -- they all take a string
and compile and possibly execute it.  Beware.

r/sr=brendan@mozilla.org on the patch.

/be

Comment 9

18 years ago
a=chofmann
(Assignee)

Comment 10

18 years ago
Fix checked in the branch, still need to check it in the trunk.
Whiteboard: [PDT+]; critical for 0.9.2; Have fix → [PDT+]; critical for 0.9.2; Fixed in the branch
(Assignee)

Comment 11

18 years ago
Fixed in the trunk too.
Status: ASSIGNED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED

Comment 12

18 years ago
JFD,
How do I verify this bug?
(Reporter)

Comment 13

18 years ago
To verify:

- Send a message to yourself with the subject 
  '); alert(Components.classes); ('
  You should not get an alert, and there should be no errors on the JavaScript
console.

- Send a message to yourself with some interesting characters in the subject,
such as ", ', :, \, <, and &.  The subject should appear unmangled in the title
of the "Sending message..." progress window, and there should be no errors on
the JavaScript console.
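Added example, not the original sendProgress.js code or the patch from this bug: it contrasts the string form of setTimeout quoted in the description with a closure form, and runs both against the subject from the description and the "interesting characters" subject from comment 13. The window, SetTitle, alert and Components objects are constructed stand-ins for the chrome window.

```javascript
// Stand-in for the progress dialog's window (constructed, not Mozilla's).
function makeWindow() {
  const win = { title: "", alerted: false };
  win.SetTitle = function (t) { win.title = t; };
  win.alert = function () { win.alerted = true; };
  // Like the real setTimeout, a string argument is compiled as script in
  // the (privileged) window's scope; a function argument is simply called.
  win.setTimeout = function (arg, delay) {
    if (typeof arg === "string") {
      new Function("SetTitle", "alert", "Components", arg)(
        win.SetTitle, win.alert, { classes: "<constructed stand-in>" });
    } else {
      arg();
    }
    return 1; // timer id
  };
  return win;
}

// The vulnerable pattern from the report: the subject becomes source text.
function setTitleUnsafe(win, subject) {
  return win.setTimeout("SetTitle('" + subject + "');", 0);
}

// Hardened pattern: the subject stays a string value inside a closure,
// so no part of it is ever parsed as JavaScript.
function setTitleSafe(win, subject) {
  return win.setTimeout(function () { win.SetTitle(subject); }, 0);
}

// Runs one subject through a setter and reports what happened, mirroring
// the manual test in comment 13: no alert, no error, title unmangled.
function check(setter, subject) {
  const win = makeWindow();
  let error = null;
  try { setter(win, subject); } catch (e) { error = e.name; }
  return { title: win.title, alerted: win.alerted, error: error };
}

// Subjects taken from the description and from comment 13.
const PAYLOAD = "'); alert(Components.classes); ('";
const ODD = "\", ', :, \\, <, and &";
```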

Comment 14

18 years ago
verified based on comments above
trunk builds: 2001070206-win98, mac, 2001062906 linux
Branch builds: 2001070206 win98, mac, linux.
Status: RESOLVED → VERIFIED
*** Bug 86613 has been marked as a duplicate of this bug. ***
(Reporter)

Updated

17 years ago
Group: netscapeconfidential?
(Reporter)

Updated

16 years ago
Whiteboard: [PDT+]; critical for 0.9.2; Fixed in the branch → [PDT+]; critical for 0.9.2; Fixed in the branch; security
Product: MailNews → Core
Product: Core → MailNews Core