Bug 286629 - Allow untrusted script access to Components.lookupMethod
Status: Closed, RESOLVED FIXED (Opened 20 years ago, Closed 20 years ago)
Categories: Core :: XPConnect, defect
People: Reporter: ted, Assigned: jst
Attachments (3 files):
(deleted), patch | dveditz: review+ | brendan: superreview+ | chofmann: approval1.8b2+
(deleted), patch
(deleted), text/html
Components.lookupMethod allows script to get the "original" implementation of a
method. In XBL that is bound to an untrusted DOM, this method is not available,
so webpages can break XBL bindings by redefining necessary methods such as
createElement.
This can be seen in particular in the Flashblock extension, which attaches an
XBL binding to embed tags, and uses document.createElement, which means
arbitrary pages can redefine that function and break the binding, thus letting
Flash through.
Comment 1 (Assignee) • 20 years ago
This change lets anyone call Components.lookupMethod() from anywhere. I can't
see any harm in permitting that, so I'm proposing we check this in.
Attachment #177799 - Flags: superreview?(brendan)
Attachment #177799 - Flags: review?(dveditz)
Comment 2 • 20 years ago
Comment on attachment 177799: Let anyone call Components.lookupMethod
r=dveditz
If we're going to make changes here, how 'bout allowing isSuccessCode too? No
reason to block it, and could prevent errors in code that doesn't expect a
non-zero success.
Attachment #177799 - Flags: review?(dveditz) → review+
Comment 3 • 20 years ago
Comment on attachment 177799: Let anyone call Components.lookupMethod
>+ static const char* allowed[] = { "lookupMethod", nsnull};
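Review bot: the `allowed[]` line needs a comment saying why `lookupMethod` is safe for any caller, namely that (per comment 5 in this bug) the security check runs in XPCWrappedNative::CallMethod() when the looked-up function is invoked. With that reasoning recorded next to the list, anyone who later extends it (isSuccessCode is proposed in this thread) has to make the same argument for the new entry.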
Uber-nit: space after nsnull before the closing brace?
I agree with Dan, why not expose isSuccessCode too? Gotta stick up for
NS_COMFALSE (blech! ;-) here.
/be
Attachment #177799 - Flags: superreview?(brendan) → superreview+
Comment 4 • 20 years ago
Do we still perform the correct security checks at some point? (I'm not up on
whether we do the method security checks at invocation or reference).
Comment 5 (Assignee) • 20 years ago
(In reply to comment #4)
> Do we still perform the correct security checks at some point? (I'm not up on
> whether we do the method security checks at invocation or reference).
The security check happens in XPCWrappedNative::CallMethod(), which is invoked
no matter how you get at a JS function for an XPConnect-implemented
method/getter/setter on a native wrapper, so it's all good AFAICT (and testing
verified this too).
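The behaviour discussed in the description and in comment 5, as an added toy model in plain JavaScript (not code from this bug or from Gecko): a page-defined override defeats binding code that calls the method by name, a lookupMethod-style helper recovers the original, and the privilege check still runs at invocation. `NATIVE`, `readPrefs`, `makeWrapped`, `nativeFunction` and the explicit caller argument are assumptions made for the model.

```javascript
// Toy model in plain JavaScript; not Gecko/XPConnect code. Names are hypothetical.
// "Native" implementations and the access level enforced when they are called.
const NATIVE = Object.freeze({
  createElement: { access: 'any',
    impl(tag) { return { tagName: tag.toUpperCase(), ownerDocument: this }; } },
  readPrefs: { access: 'chrome', impl() { return 'privileged data'; } },
});

// Stand-in for the check comment 5 places in XPCWrappedNative::CallMethod():
// it runs on every invocation, however the function reference was obtained.
// The caller's privilege is passed as the first argument to keep the model small.
function nativeFunction(name) {
  return function (caller, ...args) {
    const { access, impl } = NATIVE[name];
    if (access === 'chrome' && caller !== 'chrome') {
      throw new Error('access denied: ' + name);
    }
    return impl.apply(this, args);
  };
}

// A wrapped object whose methods start out as the native ones.
function makeWrapped() {
  const obj = {};
  for (const name of Object.keys(NATIVE)) obj[name] = nativeFunction(name);
  return obj;
}

// Stand-in for Components.lookupMethod: ignore whatever script has stored on
// the object and return the original, bound to it. No caller check at lookup.
function lookupMethod(obj, name) {
  if (!Object.prototype.hasOwnProperty.call(NATIVE, name)) {
    throw new Error('no native method: ' + name);
  }
  return nativeFunction(name).bind(obj);
}

// Binding code written two ways.
const naiveBinding = (doc) => doc.createElement('content', 'div');
const robustBinding = (doc) => lookupMethod(doc, 'createElement')('content', 'div');

// Constructed scenario: the page replaces createElement on its document.
function scenario() {
  const doc = makeWrapped();
  doc.createElement = () => null; // page-defined override
  let denied = false;
  try { lookupMethod(doc, 'readPrefs')('content'); } catch (e) { denied = true; }
  return { doc, naive: naiveBinding(doc), robust: robustBinding(doc), denied };
}
```

In the model, an unprivileged caller can obtain a reference to `readPrefs` but the call itself is refused, which is the property comment 5 relies on.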
Comment 6 (Assignee) • 20 years ago
Comment 7 (Assignee) • 20 years ago
Updated (Assignee) • 20 years ago
Attachment #177799 - Flags: approval1.8b2?
Comment 8 • 20 years ago
Comment on attachment 177799: Let anyone call Components.lookupMethod
a=chofmann
Attachment #177799 - Flags: approval1.8b2? → approval1.8b2+
Comment 9 (Assignee) • 20 years ago
FIXED.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED