Closed Bug 95735 Opened 23 years ago Closed 22 years ago

Node.attributes.getNamedItem bypasses capability policy check (NamedNodeMap)

Categories: Core :: Security: CAPS, defect
Platform: x86, Windows 98
Priority / Severity: Not set / normal
Status: RESOLVED FIXED
People: Reporter: jruderman, Assigned: security-bugs
Attachments: 2 files

Node.attributes.getNamedItem("attrname") returns an attribute node. I can read and modify the attribute node's value even if I couldn't access Node.attrname directly. Impact: blocks bug 84545, "Review message pane DOM for exploits", by allowing scripts to get around noAccess on baseURI, innerHTML, etc.
Attached file testcase
Blocks: 84545
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.6
Moving from NS-Confidential to the security group.
assignee_accessible: 0 → 1
Group: netscapeconfidential? → security?
CC list accessible: true
qacontact_accessible: 0 → 1
Accessible to reporter
Moving the most time-critical bugs and minor security fixes to 0.9.7
Group: security?
Target Milestone: mozilla0.9.6 → mozilla0.9.7
Mass change: It appears that several bugs got accidentally opened up as part of a mass change - see bug 107718 (now fixed). Moving back to security-sensitive group. These were open for about 10 days.
Group: security?
Target Milestone: mozilla0.9.7 → mozilla0.9.9
Mozilla1.0
Target Milestone: mozilla0.9.9 → mozilla1.0
Mozilla1.1
Target Milestone: mozilla1.0 → mozilla1.1
Dan, gifting to you, not sure how bad this is (can an evil hidden frame script get a credit card # or SSN if it knows the form layout?), but if we need to hold 1.0 for it, let drivers know ASAP. /be
Assignee: mstoltz → dveditz
Status: ASSIGNED → NEW
> (can an evil hidden frame script get a credit card # or SSN if it knows the form layout?)

No. The same-origin policy will still apply. This bug could allow bypassing some of the DOM restrictions in MailNews which were put in because of the "wiretap" bug, but this cannot be used to steal data from 3rd-party web pages, so I don't consider it a 1.0 stopper.
I think this should be a 1.2beta blocker. Holes like this have a tendency to suddenly become important in unexpected ways. We should fix it now before we have to do a firedrill.
Target Milestone: mozilla1.1alpha → mozilla1.2beta
No work on this bug yet?
I'll take this back for 1.3.
Assignee: dveditz → mstoltz
Target Milestone: mozilla1.2beta → mozilla1.3beta
Why is this pushed out to 1.3? This is on the 1.2 list. We're likely to hold for this since it's a security bug.
This bug is minor; I don't recommend holding 1.2 for it. I put it to 1.3 because that's when I'll have time to work on it.
No longer blocks: 1.2
Clearing milestone for now.
Target Milestone: mozilla1.3beta → ---
OK, turns out we fixed this for mailnews by blocking the "attribute" property of all objects, so scripts can't use NamedNodeMap functions to read attributes of mailed documents. We also need to protect GetAttributeNS and GetNamedItemNS.

The more general problem only comes into play when configurable security policies are used. The problem is that there's more than one path to getting at the attributes of an element. In Jesse's testcase, blocking access to HTMLAnchorElement.href is insufficient, because the HREF attribute can still be accessed using attributes.getNamedItem('href'). We could fix this in code by adding additional security checks to tie the multiple paths to an attribute together under a single security pref. However, jst suggests that we don't do this. The functions of the attributes object are used extensively by chrome; adding security checks to them would have a detrimental effect on performance. Degrading performance for everyone to protect a few people using configurable security policies in a particular way is not a good trade-off when a simple alternative is available: in order to protect HTMLImageElement.src, for example, you need to protect .src, .getAttribute, .getAttributeNS, and .attributes by setting "noAccess" prefs for each one of those. I will add a note about that to the Configurable Policies instruction page.
Status: NEW → ASSIGNED
QA Contact: ckritzer → carosendahl
Whiteboard: [sg:blocker]
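The comment above says the fix for policy users is configuration rather than code: every path to an attribute (the property, getAttribute, getAttributeNS and the attributes NamedNodeMap) needs its own "noAccess" pref, or the restriction can be walked around. The following is an added example, not code from the bug or from Mozilla, that audits a user.js fragment for exactly that gap. It assumes the documented Configurable Security Policy pref form `capability.policy.<policy>.<Class>.<member>` with a `*` class wildcard; the policy name "hardened", the site and the sample prefs are constructed for the example.

```javascript
// Added example (not from the bug or from Mozilla's code base): audit a
// user.js fragment of Configurable Security Policy prefs and report which
// access paths to a given element attribute are NOT set to "noAccess".
// Assumptions: prefs follow capability.policy.<policy>.<Class>.<member>,
// "*" is accepted as a class wildcard, and the policy name "hardened" plus
// the sample site are constructed for this example.

const PREF_RE = /^\s*user_pref\("([^"]+)",\s*"([^"]*)"\);/;

// Parse user_pref("name", "value"); lines into a Map of name -> value.
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split("\n")) {
    const m = PREF_RE.exec(line);
    if (m) prefs.set(m[1], m[2]);
  }
  return prefs;
}

// The alternate paths by which script reaches an attribute, as listed in
// the comment above: the property itself, getAttribute, getAttributeNS and
// the NamedNodeMap returned by .attributes.
function attributePaths(prop) {
  return [prop, "getAttribute", "getAttributeNS", "attributes"];
}

// True if the member is denied either on the specific class or via "*".
function isDenied(prefs, policy, cls, member) {
  const specific = prefs.get(`capability.policy.${policy}.${cls}.${member}`);
  const wildcard = prefs.get(`capability.policy.${policy}.*.${member}`);
  return specific === "noAccess" || wildcard === "noAccess";
}

// Return the list of "Class.member" paths that are still reachable.
function auditPolicy(prefs, policy, cls, prop) {
  return attributePaths(prop)
    .filter((member) => !isDenied(prefs, policy, cls, member))
    .map((member) => `${cls}.${member}`);
}

// Constructed weak policy: only the .src property is blocked, so the same
// attribute is still readable through getAttribute and .attributes.
const WEAK_PREFS = `
user_pref("capability.policy.policynames", "hardened");
user_pref("capability.policy.hardened.sites", "http://untrusted.example");
user_pref("capability.policy.hardened.HTMLImageElement.src", "noAccess");
`;

// Constructed corrected policy: every path from the comment is covered.
// The "*" wildcard is used for .attributes, the way the mailnews fix is
// described above (blocking it on all objects).
const HARDENED_PREFS = WEAK_PREFS + `
user_pref("capability.policy.hardened.HTMLImageElement.getAttribute", "noAccess");
user_pref("capability.policy.hardened.HTMLImageElement.getAttributeNS", "noAccess");
user_pref("capability.policy.hardened.*.attributes", "noAccess");
`;

function weakGaps() {
  return auditPolicy(parsePrefs(WEAK_PREFS), "hardened", "HTMLImageElement", "src");
}

function hardenedGaps() {
  return auditPolicy(parsePrefs(HARDENED_PREFS), "hardened", "HTMLImageElement", "src");
}

console.log("weak policy leaves open:", weakGaps());
console.log("hardened policy leaves open:", hardenedGaps());
```

Running it prints three uncovered paths for the weak policy and none for the corrected one. The audit is only as complete as the path list; the comment also names getNamedItemNS on the NamedNodeMap, which is reached through `.attributes` and is therefore closed once that property is denied.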
Comment on attachment 115815 [details] [diff] [review] Patch - protect a couple more properties of mail documents

r=mstoltz (patch is by jst)
Attachment #115815 - Flags: review+
Attachment #115815 - Flags: superreview?(heikki)
Attachment #115815 - Flags: superreview?(heikki) → superreview+
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Group: security