Closed Bug 959531 (CVE-2014-1489) Opened 10 years ago Closed 10 years ago

settings & history ID bug

Categories

(Firefox :: General, defect)

26 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

()

VERIFIED FIXED
Firefox 29
Tracking Status
firefox26 --- wontfix
firefox27 --- fixed
firefox28 + verified
firefox29 + verified
firefox-esr24 --- unaffected
b2g18 --- unaffected
b2g-v1.1hd --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.4 --- unaffected

People

(Reporter: zaanx91, Assigned: billm)

References

Details

(Keywords: csectype-dos, regression, sec-low, Whiteboard: [adv-main27+])

Attachments

(4 files)

Attached image bug.png
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0 (Beta/Release)
Build ID: 20131205075310

Steps to reproduce:

Create an html page with the following markup:

<button name="settings" id="settings">settings</button>
<button name="history" id="history">history</button>


Actual results:

when i click on the settings button, it opens the settings of the firefox, 
same results for the histroy button, it opens the firefox histroy window.


Expected results:

It should invoke my code whether its JavaScript or any other action.
Attached file testcase 959531.html
I can't reproduce with Firefox 26 or 29 (Nightly) on Linux.
But I could on Windows 7 with Firefox 26 and 29 but not Firefox 25.
yes it's on windows 7 and not every time, sometimes it happens and sometimes it doesn't.
i figured it out, the innerHTML of the button is case sensitive ("Settings", "History"), it happens in this case only, in addition to the element ID

<button type="button" class="abutton" id="settings">Settings</button>
<button id="history" class="abutton" type="button">History</button>
Reproducing this requires that the tab in question have loaded about:home first.

This is a regression from bug 899222, where about:home adds event listeners to operate the settings/bookmarks buttons. It appears that these listeners are being set on the window and not the document, so they are not unset on page navigation.

This is unlikely to be an actual security issue, but since I'm not certain I'll leave it for billm to decide whether to leave this bug private.
Component: Untriaged → General
Blocks: 899222
Keywords: regression
ok thanks alot .
I think that "Restore Previous Session" is the worst that could happen here. Your current session would be lost, which is pretty bad.
Assignee: nobody → wmccloskey
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
oh ok, thanks Bill !
Attached patch about-home-fixSplinter Review
Ugh, a frustrating bug. I used |this| inside an event handler. In the fix, I wanted to use an arrow function, but the function also needs to refer to itself, which arrow functions can't do.
Attachment #8360727 - Flags: review?(felipc)
Attached patch about-home-testSplinter Review
Fails without the patch, passes with it.
Attachment #8360728 - Flags: review?(felipc)
Attachment #8360727 - Flags: review?(felipc) → review+
Attachment #8360728 - Flags: review?(felipc) → review+
The patch fixes it, but should we make it more robust by double checking onClick that our doc is about:home?
Somehow this didn't get resolved.
https://hg.mozilla.org/mozilla-central/rev/76cf1178c524
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 29
Comment on attachment 8360727 [details] [diff] [review]
about-home-fix

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 899222
User impact if declined: A malicious site could make a button that causes the user's session to be lost (and the previous one restored).
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Pretty low. It's a very straightforward change.
String or IDL/UUID changes made by this patch: None
Attachment #8360727 - Flags: approval-mozilla-beta?
Attachment #8360727 - Flags: approval-mozilla-aurora?
Attachment #8360727 - Flags: approval-mozilla-beta?
Attachment #8360727 - Flags: approval-mozilla-beta+
Attachment #8360727 - Flags: approval-mozilla-aurora?
Attachment #8360727 - Flags: approval-mozilla-aurora+
Keywords: verifyme
Do you mind taking care of this Ryan? Thanks.
Flags: in-testsuite?
Whiteboard: [adv-main27+]
Alias: CVE-2014-1489
Depends on: 968597
For whatever reason, I wasn't able to reproduce on a Win7 system with Fx26, even when about:home was open previously. However, I am able to see it consistently on the Mac.

Verified Fx28 release build.
Verified Fx29, build from 2014-02-10.
Status: RESOLVED → VERIFIED
Keywords: verifyme
Group: core-security
Setting in-testsuite+ as this bug has a browser chrome test.
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.