Closed
Bug 294074
Opened 20 years ago
Closed 19 years ago
arbitrary code execution via sidebar (part 3)
Categories
(Firefox :: Security, defect)
Firefox
Security
Tracking
()
VERIFIED
FIXED
People
(Reporter: u115577, Assigned: u115577)
References
Details
(Keywords: fixed-aviary1.0.5, testcase, Whiteboard: [sg:fix])
Attachments
(2 files)
|
(deleted),
text/html
|
Details | |
|
(deleted),
patch
|
mconnor
:
review+
jay
:
approval-aviary1.0.5+
benjamin
:
approval-aviary1.1a2+
|
Details | Diff | Splinter Review |
My bug 284627 has not been fully fixed. "data:" url check is missing. Augh.
Then, bug 226548 becomes a problem. Links on the sidebar panel send wrong
referer. This could be used for cross-site scripting.
If you are on about:config or chrome url, referer is set to that privileged
content, not to the sidebar panel itself. This allows an attacker to execute
arbitrary code.
|
||
Updated•20 years ago
|
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.5?
Flags: blocking-aviary1.0.5+
Whiteboard: [sg:fix]
|
||
Comment 3•19 years ago
|
||
Comment on attachment 183536 [details] [diff] [review]
patch to check "data:" url as well as "javascript:" url
ok, fair enough. I'm sure this will break something, but people can deal.
Attachment #183536 -
Flags: review+
|
||
Updated•19 years ago
|
Whiteboard: [sg:fix] → [sg:fix] have patch
|
|
||
Updated•19 years ago
|
Assignee: mconnor → bugzilla
|
||
Comment 4•19 years ago
|
||
Comment on attachment 183536 [details] [diff] [review]
patch to check "data:" url as well as "javascript:" url
Let's get this checked in on the Aviary branch. a=jay
Attachment #183536 -
Flags: approval-aviary1.0.5+
|
|
||
Comment 5•19 years ago
|
||
Are we taking this on the Trunk as well?
Whiteboard: [sg:fix] have patch → [sg:fix] need landing
|
|
||
Comment 6•19 years ago
|
||
yeah, needs trunk landing too, I'll get approvals and do that.
|
|
||
Updated•19 years ago
|
Attachment #183536 -
Flags: approval-aviary1.1a2?
|
|
||
Updated•19 years ago
|
Keywords: fixed-aviary1.0.5
Whiteboard: [sg:fix] need landing → [sg:fix]
|
||
Updated•19 years ago
|
Attachment #183536 -
Flags: approval-aviary1.1a2? → approval-aviary1.1a2+
|
|
||
Comment 7•19 years ago
|
||
Please land on the trunk, you have the approvals now
Flags: blocking1.8b3+
Whiteboard: [sg:fix] → [sg:fix] needs trunk landing
|
|
||
Comment 8•19 years ago
|
||
fixed on trunk
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Whiteboard: [sg:fix] needs trunk landing → [sg:fix]
|
|
||
Comment 9•19 years ago
|
||
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9)
Gecko/20050706 Firefox/1.0.5 using attached testcase.
|
|
||
Comment 10•19 years ago
|
||
Adding distributors
|
||
Updated•19 years ago
|
Flags: testcase+
|
|
||
Updated•18 years ago
|
Flags: in-testsuite+ → in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•