Closed Bug 87980 Opened 20 years ago Closed 20 years ago

javascript code in message subject runs, with system principal (settimeout)

Categories

(MailNews Core :: Composition, defect, P1)

x86
Windows NT
defect

Tracking

(Not tracked)

VERIFIED FIXED
mozilla0.9.2

People

(Reporter: jruderman, Assigned: bugzilla)

References

Details

(Whiteboard: [PDT+]; critical for 0.9.2; Fixed in the branch; security)

Attachments

(1 file)

I can get code to run with system principal on a victim's computer if I can
get him/her to send a message with a subject of my choice.  (One way to do this
would be to send a message with the code as the subject, and hope that the
victim will reply to the message.)

Sending a message with the following subject
  '); alert(Components.classes); ('
causes this javascript code to run, and run with system principal.

Here's the problematic code in sendProgress.js:
  //We need to delay the set title else dom will overwrite it
  return window.setTimeout( "SetTitle('" + subject + "');", 0 );

This seems to be part of code that sets the title of the "sending message:
[subject]" dialog, because using a subject of b'+'lah results in that having
"blah" in its title.
Group: netscapeconfidential?
I'll mark PDT+ to get on PDT radar.
Whiteboard: [PDT+]
Whiteboard: [PDT+] → [PDT+]; critical for 0.9.2
we need a good fix for this as soon as we can get it.
adding brendan and jst in case they can help. 
Priority: -- → P1
Target Milestone: --- → mozilla0.9.2
accepting...
Status: NEW → ASSIGNED
Attached patch Proposed fix, v1
Whiteboard: [PDT+]; critical for 0.9.2 → [PDT+]; critical for 0.9.2; Have fix
jesse, can you review the patch?
Great catch! r/sr=vidur for J-F's fix.

Calls to eval() and new Function() might be other places where similar patterns
could exist.
eval, Script or new Script or Script.prototype.compile, Function or new
Function, are all callable as setTimeout("...", t) is -- they all take a string
and compile and possibly execute it.  Beware.

r/sr=brendan@mozilla.org on the patch.

/be
a=chofmann
Fix checked in the branch, still need to check it in the trunk.
Whiteboard: [PDT+]; critical for 0.9.2; Have fix → [PDT+]; critical for 0.9.2; Fixed in the branch
Fixed in the trunk too.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
JFD,
How do I verify this bug?
To verify:

- Send a message to yourself with the subject 
  '); alert(Components.classes); ('
  You should not get an alert, and there should be no errors on the JavaScript
console.

- Send a message to yourself with some interesting characters in the subject,
such as ", ', :, \, <, and &.  The subject should appear unmangled in the title
of the "Sending message..." progress window, and there should be no errors on
the JavaScript console.
verified based on comments above
trunk builds: 2001070206-win98, mac, 2001062906 linux
Branch builds: 2001070206 win98, mac, linux.
Status: RESOLVED → VERIFIED
*** Bug 86613 has been marked as a duplicate of this bug. ***
Group: netscapeconfidential?
Whiteboard: [PDT+]; critical for 0.9.2; Fixed in the branch → [PDT+]; critical for 0.9.2; Fixed in the branch; security
Product: MailNews → Core
Product: Core → MailNews Core