Closed
Bug 940085
Opened 11 years ago
Closed 10 years ago
It's possible to call some methods on a cross-origin window by using bug 936056
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
FIXED
mozilla29
| Tracking | Status | |
|---|---|---|
| firefox25 | --- | wontfix |
| firefox26 | --- | wontfix |
| firefox27 | --- | fixed |
| firefox28 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| firefox-esr24 | --- | fixed |
| b2g18 | --- | unaffected |
| b2g-v1.1hd | --- | unaffected |
| b2g-v1.2 | --- | fixed |
| b2g-v1.3 | --- | fixed |
| b2g-v1.3T | --- | fixed |
| b2g-v1.4 | --- | fixed |
People
(Reporter: moz_bug_r_a4, Assigned: peterv)
References
Details
(Keywords: sec-high, Whiteboard: [fixed by 938640 and 936056: see comment 8])
Attachments
(2 files)
Bug 936056 allows script to get the inner window, and it's possible to call some methods on a cross-origin window by using the inner window. This bug is similar to bug 938640, which affects fx27,28, but this bug affects fx24-28.
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Comment 2•11 years ago
|
||
|
||
Comment 3•11 years ago
|
||
Yeah, this is the same exact thing in bug 938640 except there we manage to invoke these on an inner that's not same-origin with its outer via WebIDL the global computation in WebIDL methods and here we just do it more directly. I would think that the same fix as for bug 938640, appropriately backported, would help here.
|
||
Updated•11 years ago
|
status-b2g18:
--- → unaffected
status-firefox25:
--- → wontfix
status-firefox26:
--- → affected
status-firefox27:
--- → affected
status-firefox28:
--- → affected
status-firefox-esr17:
--- → unaffected
status-firefox-esr24:
--- → affected
|
||
Comment 4•11 years ago
|
||
Boris explained to me on IRC that this generalizes the attack from bug 938640 so that it's no longer just a regression from webidl quickstubs, but affects anything that bug 936056 affects, because it uses the JIT, rather than bareword references, to operate on a non-current inner.
Depends on: CVE-2014-1481
|
|
||
Comment 5•11 years ago
|
||
Peter is looking at bug 938640, and comment 3 says the fix for this will be the same or at least similar, so I'm going to set him as assigned here.
Assignee: nobody → peterv
|
|
||
Comment 7•10 years ago
|
||
Is this fixed by bug 938640, moz_bug_r_a4? Thanks.
Flags: needinfo?(moz_bug_r_a4)
|
|
Reporter | |
Comment 8•10 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #7) > Is this fixed by bug 938640, moz_bug_r_a4? Thanks. This is fixed by bug 938640 on fx >= 27, but this is fixed by bug 936056 on esr24.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(moz_bug_r_a4)
Resolution: --- → FIXED
|
|
||
Updated•10 years ago
|
Flags: needinfo?(peterv)
|
|
||
Updated•10 years ago
|
Whiteboard: [fixed by 938640 and 936056: see comment 8]
|
||
Updated•10 years ago
|
status-b2g-v1.1hd:
--- → unaffected
status-b2g-v1.2:
--- → fixed
status-b2g-v1.3:
--- → fixed
status-b2g-v1.4:
--- → fixed
Target Milestone: --- → mozilla29
Nominating in-testsuite given this has testcases.
Flags: in-testsuite?
|
|
||
Updated•10 years ago
|
status-b2g-v1.3T:
--- → fixed
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•