web page can load (but not see) about:*

VERIFIED FIXED in mozilla0.9.4

Status


Core
DOM: Core & HTML
P1
normal
VERIFIED FIXED
17 years ago
10 years ago

People

(Reporter: bbaetz, Assigned: Mitchell Stoltz (not reading bugmail))

Tracking

Trunk
mozilla0.9.4
x86
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: patch)

Attachments

(4 attachments)

(Reporter)

Description

17 years ago
By using document.appendChild to add stuff to an about:blank document, a web
page can cause about:* to load (because checkloaduri will then pass the
same-domain test). We can't view its contents though, because that check is
stricter.

.appendChild (and other dom methods?) probably needs to do what document.write
does when writing to about:blank, and change the document url to that of the
page doing the writing.
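The report above describes two things: a load check that short-circuits on "same scheme", so an about:blank document is allowed to navigate to any about:* target, and the document.write behaviour (rewriting the about:blank URL to the writer's URL) that appendChild does not perform. The following is an added toy model of that check, written for this page; it is not Mozilla's nsScriptSecurityManager code. The function names (checkLoadURINaive, checkLoadURIFixed, effectiveSourceURL), the set of restricted schemes, the sample page http://evil.example/attack.html and the about:* target are all assumptions made here to illustrate the reasoning.

```javascript
// Added example: a simplified model of the load-URI check discussed in this bug.
// Not Mozilla's code. Function names, the policy details and the sample pages are
// assumptions made here to illustrate the report.

// Minimal URI split: scheme, optional host, and the remainder (path/query).
function parseURI(uri) {
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/([^/?#]*))?(.*)$/i.exec(uri);
  if (!m) throw new Error("unparseable URI: " + uri);
  return { scheme: m[1].toLowerCase(), host: (m[2] || "").toLowerCase(), path: m[3] };
}

// A document as the check sees it: its own URL plus, optionally, the URL of the
// page whose script produced its content (null when nobody has written into it).
function makeDocument(url, writtenBy = null) {
  return { url, writtenBy };
}

// Privileged schemes that ordinary web content must not be able to navigate to.
const RESTRICTED = new Set(["about", "chrome", "resource", "file"]);

// Buggy policy (pre-fix behaviour described in the report): the same-scheme
// shortcut is evaluated first, so a document whose URL is about:blank is
// allowed to load any about:* URL.
function checkLoadURINaive(sourceDoc, targetURI) {
  const src = parseURI(sourceDoc.url);
  const dst = parseURI(targetURI);
  if (src.scheme === dst.scheme) return true;   // "same-domain" shortcut
  return !RESTRICTED.has(dst.scheme);
}

// An about:blank document that another page's script populated carries that
// page's URL for security purposes (what document.write already did; the
// report asks appendChild to behave the same way). This is an assumed rule.
function effectiveSourceURL(doc) {
  if (parseURI(doc.url).scheme === "about" && doc.writtenBy) return doc.writtenBy;
  return doc.url;
}

// Fixed policy (assumed): about: is special-cased before the same-scheme
// shortcut, and only about:blank is reachable from any source.
function checkLoadURIFixed(sourceDoc, targetURI) {
  const src = parseURI(effectiveSourceURL(sourceDoc));
  const dst = parseURI(targetURI);
  if (dst.scheme === "about") return dst.path === "blank";
  if (src.scheme === dst.scheme) return true;
  return !RESTRICTED.has(dst.scheme);
}

// Constructed scenario: a web page fills an about:blank frame, either with
// appendChild (frame URL stays about:blank) or with document.write (frame URL
// becomes the writer's URL), then tries to navigate the frame to an about:* page.
const evilPage = "http://evil.example/attack.html";            // constructed sample
const aboutTarget = "about:config";                             // sample about:* target
const frameViaAppendChild = makeDocument("about:blank", evilPage);
const frameViaDocumentWrite = makeDocument(evilPage, evilPage);

function runScenario() {
  return {
    naiveAppendChild: checkLoadURINaive(frameViaAppendChild, aboutTarget),     // true: the bug
    naiveDocumentWrite: checkLoadURINaive(frameViaDocumentWrite, aboutTarget), // false
    fixedAppendChild: checkLoadURIFixed(frameViaAppendChild, aboutTarget),     // false
    fixedBlank: checkLoadURIFixed(frameViaAppendChild, "about:blank"),         // true
    fixedHttp: checkLoadURIFixed(frameViaAppendChild, "http://other.example/"), // true
  };
}

console.log(runScenario());
```

The naive check passes the appendChild case only because both URLs share the about: scheme; rewriting the frame's URL (as document.write does) or special-casing about: before the scheme comparison closes that path, while ordinary http: navigation and about:blank itself stay allowed.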
(Reporter)

Comment 1

17 years ago
oops, wrong component

-> dom core
Component: DOM Content Models → DOM Core
QA Contact: lchiang → stummala
(Reporter)

Comment 2

17 years ago
Created attachment 43062 [details]
demo

Updated

17 years ago
Assignee: jst → mstoltz
Over to mstoltz based on discussion with him.
(Assignee)

Updated

17 years ago
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.0
(Assignee)

Comment 4

17 years ago
Created attachment 45261 [details] [diff] [review]
Another demo - Georgi's version
(Assignee)

Comment 5

17 years ago
Created attachment 45262 [details]
Actually, use this one instead.
(Assignee)

Comment 6

17 years ago
Upping the priority on this one as it's more exploitable than I thought.
Severity: minor → normal
Priority: -- → P1
Target Milestone: mozilla1.0 → mozilla0.9.4
(Reporter)

Comment 7

17 years ago
It's still not readable from a script though, is it?
(Assignee)

Comment 8

17 years ago
Yes it is, when combined with bug 94551. Fix coming soon (for this bug).
(Assignee)

Updated

17 years ago
Whiteboard: patch
Remove the extra line just after the if statement:

+    if(nsCRT::strcasecmp(scheme, aboutScheme) == 0)
+            *aScheme = PL_strdup(scheme);
+    {
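Review bot: the line `*aScheme = PL_strdup(scheme);` sits between the `if (nsCRT::strcasecmp(scheme, aboutScheme) == 0)` and its opening `{`, so it becomes the whole body of the `if` and the braced block that follows executes unconditionally, no longer guarded by the about: scheme comparison; delete that line (or move it inside the braces) so the block is only entered for the about: scheme. If the braced block assigns `*aScheme` itself, the unconditional `PL_strdup` result would also leak.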

(cut n' paste?)

with that, sr=jst
(Assignee)

Updated

17 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
(Assignee)

Comment 11

17 years ago
Fix checked in.

Comment 12

17 years ago
verified 2001-09-12-05. securitymanager raised a flag which is shown in the console.
Status: RESOLVED → VERIFIED
(Assignee)

Comment 13

17 years ago
Removing NS_Confidential flag.
Group: netscapeconfidential?

Updated

10 years ago
Component: DOM: Core → DOM: Core & HTML
QA Contact: stummala → general