Closed Bug 1045460 Opened 10 years ago Closed 6 years ago

Resource stats API performs unsafe toJSON conversions on content objects

Categories

(Core :: DOM: Device Interfaces, defect)

x86
macOS
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: bzbarsky, Unassigned)

Details

(Keywords: sec-other)

[Blocking Requested - why for this release]: Just like bug 1015540 but a different addAlarm API...
Group: core-security
Component: General → DOM: Device Interfaces
Product: Firefox OS → Core
Note that I had put this in the component where the buggy code was added...
(In reply to Boris Zbarsky [:bz] from comment #1)
> Note that I had put this in the component where the buggy code was added...

Oh. We've been trying to migrate as many bugs as possible out of General, since General typically can be a black hole. If it helps, we could move the blocking bug over to DOM: Device Interfaces as well.
Looks like we'd better solve this before going any further in either NetworkStats or ResourceStats. CC Ethan Tzeng, who may also help the transition.
Blocks: 1043830
How about we just fix bug 1036214 and nail up this class of attacks for good (at least for 33 onward, where we have bug 856067)? We may still need a fully-backportable solution for this of course.
Keywords: sec-high
Paul - Is this a blocker from a security perspective?
Flags: needinfo?(ptheriault)
Jason: yes this should be treated as a blocker (allows script privilege escalation from content to chrome IIUC).
Flags: needinfo?(ptheriault)
blocking-b2g: 2.0? → 2.0+
QA Whiteboard: [2.0-signoff-need-]
None of the blocking bugs on this issue seem to have landed on 2.0, so I don't think we should be concerned about fixing this on 2.0. Can someone confirm?
Flags: needinfo?(selin)
Flags: needinfo?(selin) → needinfo?(vyang)
AFAIK, Resource Stats API is guarded by permission "resourcestats-manage" and we do not have any app certificated for this even in Gaia master branch. No one is really using Resource Stats API but some test cases. It's incomplete and is still under development.
Flags: needinfo?(vyang)
(In reply to Vicamo Yang [:vicamo][:vyang] from comment #8)
> AFAIK, Resource Stats API is guarded by permission "resourcestats-manage"
> and we do not have any app certificated for this even in Gaia master branch.
> No one is really using Resource Stats API but some test cases. It's
> incomplete and is still under development.

Ok. If this API is accessible to the web yet it's probably moot, because bug 928415 will be fixed this cycle (which should fix this bug).

Once bug 928415 is marked fixed, we'll need to verify this is fixed. Marking sec-other for now.
Keywords: sec-high → sec-other
(In reply to (PTO 8/22 - 9/1) from comment #9)
> (In reply to Vicamo Yang [:vicamo][:vyang] from comment #8)
> > AFAIK, Resource Stats API is guarded by permission "resourcestats-manage"
> > and we do not have any app certificated for this even in Gaia master branch.
> > No one is really using Resource Stats API but some test cases. It's
> > incomplete and is still under development.
>
> Ok. If this API is accessible to the web yet it's probably moot, because bug
> 928415 will be fixed this cycle (which should fix this bug).
>
> Once bug 928415 is marked fixed, we'll need to verify this is fixed. Marking
> sec-other for now.

clearing the nom for 2.0 in that case, please renom for 2.1 as needed.
blocking-b2g: 2.0+ → ---
Group: core-security → dom-core-security
resource stats api has been removed as part of B2G removal.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
Group: dom-core-security