Closed Bug 965082 Opened 6 years ago Closed 6 years ago

XrayWrapper::{get,set}PrototypeOf is callable for SecurityWrappers

Component: Core :: XPConnect (defect)
Platform: x86 macOS
Priority: Not set
Status: RESOLVED FIXED
Target Milestone: mozilla29
Tracking Status:
firefox28 --- unaffected
firefox29 --- fixed
firefox-esr24 --- unaffected
People: Reporter: bholley, Assigned: bholley
Keywords: regression, sec-other
Attachments: 3 files

This is a regression from bug 926012. When we override the ::getPrototypeOf and ::setPrototypeOf traps for XrayWrappers, we end up doing so for SecurityWrapper as well, which is not great.

This allows callers to instantiate an expando object on cross-origin objects, and munge the proto. This isn't a security problem per se, but it's dicey. Marking s-s just to be safe.

Also, bug 926012 is only on Nightly, so we have some time.
Summary: XrayWrapper → XrayWrapper::{get,set}PrototypeOf is callable for SecurityWrappers
Conceptually, these all boil down to "is this a security wrapper?"
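A simplified model of the regression described in comment 0 and of the "is this a security wrapper?" check above, added here as an illustration (this is not Gecko code; the wrapper is a JS Proxy, the "expando" is a side object holding the wrapper's view of the prototype, and `isSecurityWrapper` / `guarded` are assumed names that toggle between the regressed and fixed behaviour):

```javascript
// Added model, not Gecko code. A wrapper is a JS Proxy; its "expando" is a
// lazily created side object that holds the wrapper's view of the prototype,
// standing in for the Xray expando object the bug describes. `isSecurityWrapper`
// stands in for Gecko's "is this a security wrapper?" check; `guarded` toggles
// between the regressed behaviour (traps fire for every wrapper) and the fixed
// one (traps are not offered to security wrappers). All names are assumptions.

function makeWrapper(target, { isSecurityWrapper, guarded }) {
  const state = { expando: null }; // exposed so a caller can inspect side effects
  const ensureExpando = () =>
    state.expando || (state.expando = { proto: Reflect.getPrototypeOf(target) });
  const deny = (op) => { throw new TypeError(`Permission denied to ${op} prototype`); };
  const wrapper = new Proxy(target, {
    // Xray-style traps (bug 926012): read/write the proto held in the expando.
    getPrototypeOf() {
      if (guarded && isSecurityWrapper) deny("get");
      return ensureExpando().proto;
    },
    setPrototypeOf(_t, proto) {
      if (guarded && isSecurityWrapper) deny("set");
      ensureExpando().proto = proto;
      return true;
    },
  });
  return { wrapper, state };
}

// What can a caller do through a given wrapper kind? Reports whether the proto
// was readable, whether an expando got instantiated, and whether it was munged.
function probe(opts) {
  const { wrapper, state } = makeWrapper({}, opts);
  const munged = { munged: true }; // constructed replacement proto
  const out = { readProto: false, expandoCreated: false, protoMunged: false };
  try { out.readProto = Object.getPrototypeOf(wrapper) === Object.prototype; } catch (e) {}
  try { Object.setPrototypeOf(wrapper, munged); } catch (e) {}
  out.expandoCreated = state.expando !== null;
  out.protoMunged = state.expando !== null && state.expando.proto === munged;
  return out;
}

// Regressed: the Xray traps fire for a security wrapper too, so a cross-origin
// caller can create the expando and munge the proto. Fixed: both are refused.
console.log("regressed security wrapper:", probe({ isSecurityWrapper: true, guarded: false }));
console.log("fixed security wrapper:   ", probe({ isSecurityWrapper: true, guarded: true }));
console.log("same-origin xray (fixed): ", probe({ isSecurityWrapper: false, guarded: true }));
```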
Attachment #8367430 - Flags: review?(mrbkap)
Attachment #8367430 - Flags: review?(gkrizsanits)
Attachment #8367432 - Flags: review?(mrbkap)
Attachment #8367432 - Flags: review?(gkrizsanits)
Attachment #8367430 - Flags: review?(mrbkap) → review+
Attachment #8367431 - Flags: review?(mrbkap) → review+
Attachment #8367432 - Flags: review?(mrbkap) → review+
Attachment #8367430 - Flags: review?(gkrizsanits) → review+
Attachment #8367431 - Flags: review?(gkrizsanits) → review+
Comment on attachment 8367432 [details] [diff] [review]
Part 3 - Tests. v1

Review of attachment 8367432 [details] [diff] [review]:
-----------------------------------------------------------------

+
+
+  </script>
+</head>

Extra new line
Attachment #8367432 - Flags: review?(gkrizsanits) → review+
landed on central
https://hg.mozilla.org/mozilla-central/rev/f8768358ad0f
https://hg.mozilla.org/mozilla-central/rev/2d36a17e88c5
https://hg.mozilla.org/mozilla-central/rev/b1974150d1a5
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Flags: in-testsuite? → in-testsuite+
Group: core-security