Closed
Bug 965082
Opened 11 years ago
Closed 11 years ago
XrayWrapper::{get,set}PrototypeOf is callable for SecurityWrappers
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
mozilla29
Version | Tracking | Status |
---|---|---|
firefox28 | --- | unaffected |
firefox29 | --- | fixed |
firefox-esr24 | --- | unaffected |
People
(Reporter: bholley, Assigned: bholley)
References
Details
(Keywords: regression, sec-other)
Attachments
(3 files)
10.49 KB, patch | mrbkap: review+ | gkrizsanits: review+
2.48 KB, patch | mrbkap: review+ | gkrizsanits: review+
2.27 KB, patch | mrbkap: review+ | gkrizsanits: review+
This is a regression from bug 926012. When we override the ::getPrototypeOf and ::setPrototypeOf traps for XrayWrappers, we end up doing so for SecurityWrapper as well, which is not great.
This allows callers to instantiate an expando object on cross-origin objects, and munge the proto. This isn't a security problem per se, but it's dicey. Marking s-s just to be safe.
Also, bug 926012 is only on Nightly, so we have some time.
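The regression described above, as a simplified model added here (it is not Gecko code and not taken from this bug's patches). Wrapper layers are modelled as JavaScript Proxy handler classes; every name (`PermissiveBase`, `SecurityBase`, `xrayLayer`, `hasSecurityPolicy`, `probe`) and the behaviour of the two base classes are assumptions made for illustration.

```javascript
// Simplified model, not Gecko code. All names are hypothetical.
const expandos = new WeakMap(); // expando holder per wrapped target

class PermissiveBase {                 // stands in for a non-security wrapper base
  get hasSecurityPolicy() { return false; }
  getPrototypeOf(target) { return Reflect.getPrototypeOf(target); }
  setPrototypeOf(target, proto) { return Reflect.setPrototypeOf(target, proto); }
}

class SecurityBase extends PermissiveBase { // stands in for a security wrapper base
  get hasSecurityPolicy() { return true; }
  getPrototypeOf() { return null; }    // assumption: reveal nothing cross-origin
  setPrototypeOf() { return false; }   // assumption: refuse proto changes
}

// The Xray layer is a mixin over whichever base it is instantiated with.
// It overrides the proto traps and keeps the caller-visible proto on an expando.
// checkPolicy=false models the regression; checkPolicy=true models asking
// "is this a security wrapper?" before using the Xray behaviour.
const xrayLayer = (Base, checkPolicy) => class extends Base {
  getPrototypeOf(target) {
    if (checkPolicy && this.hasSecurityPolicy) return super.getPrototypeOf(target);
    const e = expandos.get(target);
    return e && 'proto' in e ? e.proto : Reflect.getPrototypeOf(target);
  }
  setPrototypeOf(target, proto) {
    if (checkPolicy && this.hasSecurityPolicy) return super.setPrototypeOf(target, proto);
    if (!expandos.has(target)) expandos.set(target, {}); // expando gets instantiated
    expandos.get(target).proto = proto;
    return true;
  }
};

// Try to change the proto through a wrapper and report what the caller achieved.
function probe(Base, checkPolicy) {
  const target = {};
  const Handler = xrayLayer(Base, checkPolicy);
  const wrapper = new Proxy(target, new Handler());
  const accepted = Reflect.setPrototypeOf(wrapper, Array.prototype);
  return {
    accepted,
    expando: expandos.has(target),
    seesNewProto: Reflect.getPrototypeOf(wrapper) === Array.prototype,
  };
}

console.log('security base, no policy check:', probe(SecurityBase, false));
console.log('security base, policy check:   ', probe(SecurityBase, true));
console.log('permissive base, policy check: ', probe(PermissiveBase, true));
```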
Updated•11 years ago
Summary: XrayWrapper → XrayWrapper::{get,set}PrototypeOf is callable for SecurityWrappers
Updated•11 years ago
status-firefox28:
--- → unaffected
status-firefox29:
--- → affected
Comment 1•11 years ago
Comment 2•11 years ago
Conceptually, these all boil down to "is this a security wrapper?"
Attachment #8367430 -
Flags: review?(mrbkap)
Attachment #8367430 -
Flags: review?(gkrizsanits)
Comment 3•11 years ago
Attachment #8367431 -
Flags: review?(mrbkap)
Attachment #8367431 -
Flags: review?(gkrizsanits)
Comment 4•11 years ago
Attachment #8367432 -
Flags: review?(mrbkap)
Attachment #8367432 -
Flags: review?(gkrizsanits)
Updated•11 years ago
Attachment #8367430 -
Flags: review?(mrbkap) → review+
Updated•11 years ago
Attachment #8367431 -
Flags: review?(mrbkap) → review+
Updated•11 years ago
Attachment #8367432 -
Flags: review?(mrbkap) → review+
Updated•11 years ago
Attachment #8367430 -
Flags: review?(gkrizsanits) → review+
Updated•11 years ago
Attachment #8367431 -
Flags: review?(gkrizsanits) → review+
Comment 5•11 years ago
Comment on attachment 8367432
Part 3 - Tests. v1
Review of attachment 8367432:
-----------------------------------------------------------------
+
+
+ </script>
+</head>
Extra new line
Attachment #8367432 -
Flags: review?(gkrizsanits) → review+
Comment 6•11 years ago
Comment 7•11 years ago
landed on central
https://hg.mozilla.org/mozilla-central/rev/f8768358ad0f
https://hg.mozilla.org/mozilla-central/rev/2d36a17e88c5
https://hg.mozilla.org/mozilla-central/rev/b1974150d1a5
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Updated•11 years ago
status-firefox-esr24:
--- → unaffected
Updated•10 years ago
Flags: in-testsuite? → in-testsuite+
Updated•9 years ago
Group: core-security