Closed
Bug 428672
Opened 17 years ago
Closed 17 years ago
XSS using an event handler attached to the outer window
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.9
People
(Reporter: moz_bug_r_a4, Assigned: mrbkap)
Details
(Keywords: verified1.8.1.15, Whiteboard: [sg:high xss] fixed on branch by 432591)
Attachments
(2 files, 5 obsolete files)
(deleted),
text/plain
|
Details | |
(deleted),
patch
|
jst
:
review+
jst
:
superreview+
mtschrep
:
approval1.9+
|
Details | Diff | Splinter Review |
If an event handler attribute is set on <body> element in a document that has
already been unloaded, an event handler function is attached to the outer
window. This allows an attacker to perform an XSS attack.
Updated•17 years ago
|
Flags: wanted1.8.1.x?
Flags: blocking1.9?
Whiteboard: [sg:high xss]
Comment 1•17 years ago
|
||
Dan: should we be fixing this right away? We'll definitely take it if you're taking it for the next branch release ...
Flags: wanted1.9.0.x?
Flags: blocking1.9?
Flags: blocking1.9-
Comment 2•17 years ago
|
||
Would be better to get this into the FF3 release than have it be the first FF3.0.1 advisory, but if it's tricky/risky then we can live with 1.9.0.1
Assignee: dveditz → jst
Flags: wanted1.8.1.x?
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.15?
Updated•17 years ago
|
Flags: blocking1.8.1.15? → blocking1.8.1.15+
Assignee | ||
Comment 3•17 years ago
|
||
The underlying problem here is that the docshell's idea of what a script global object should be is an outer window where the document wants an inner window.
I'm not sure if there's a better way to go from an outer nsIScriptGlobalObject -> inner nsIScriptGlobalObject (without the 2 QIs) or if I should be using "GetCurrentInnerWindow" instead of ensuring one.
Assignee: jst → mrbkap
Status: NEW → ASSIGNED
Attachment #317603 -
Flags: superreview?(jst)
Attachment #317603 -
Flags: review?(jst)
Comment 4•17 years ago
|
||
Comment on attachment 317603 [details] [diff] [review]
Proposed fix v1
Could we get away with calling GetCurrentInnerWindow() here instead to avoid potentially creating a new inner window for a closed window or what not?
r+sr=jst either way.
Attachment #317603 -
Flags: superreview?(jst)
Attachment #317603 -
Flags: superreview+
Attachment #317603 -
Flags: review?(jst)
Attachment #317603 -
Flags: review+
Assignee | ||
Comment 5•17 years ago
|
||
This fixes a security bug.
Attachment #317603 -
Attachment is obsolete: true
Attachment #317626 -
Flags: superreview+
Attachment #317626 -
Flags: review+
Attachment #317626 -
Flags: approval1.9?
Comment 6•17 years ago
|
||
Comment on attachment 317603 [details] [diff] [review]
Proposed fix v1
Given that this is a security bug I think we should try to get this in for RC1...
Attachment #317603 -
Attachment is obsolete: false
Attachment #317603 -
Flags: approval1.9?
Assignee | ||
Updated•17 years ago
|
Attachment #317603 -
Attachment is obsolete: true
Attachment #317603 -
Flags: approval1.9?
Updated•17 years ago
|
Flags: blocking1.9- → blocking1.9+
Comment 7•17 years ago
|
||
Comment on attachment 317626 [details] [diff] [review]
Updated to comments
a1.9=beltzner
Attachment #317626 -
Flags: approval1.9? → approval1.9+
Assignee | ||
Updated•17 years ago
|
Keywords: checkin-needed
Comment 8•17 years ago
|
||
mozilla/content/base/src/nsDocument.cpp 3.825
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Flags: in-testsuite?
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9
Comment 9•17 years ago
|
||
This caused crashes in mochitest and the browser chrome test, consistently on 3 platforms, so I had to back it out.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 10•17 years ago
|
||
I reproduced this crash locally, here's the stack.
Comment 11•17 years ago
|
||
And I did hit the assertion that was added:
###!!! ASSERTION: What kind of global object do we have?: 'pwin', file /Users/gavin/moz/mozilla/content/base/src/nsDocument.cpp, line 2569
###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0', file ../../dist/include/xpcom/nsCOMPtr.h, line 868
Assignee | ||
Comment 12•17 years ago
|
||
Attachment #317626 -
Attachment is obsolete: true
Attachment #318219 -
Flags: superreview?(jst)
Attachment #318219 -
Flags: review?(jst)
Updated•17 years ago
|
Attachment #318219 -
Flags: superreview?(jst)
Attachment #318219 -
Flags: superreview+
Attachment #318219 -
Flags: review?(jst)
Attachment #318219 -
Flags: review+
Assignee | ||
Comment 13•17 years ago
|
||
Comment on attachment 318219 [details] [diff] [review]
With 100% less crashing
Let's try this again. This time, there are no null pointer dereferences lurking!
Attachment #318219 -
Flags: approval1.9?
Assignee | ||
Comment 14•17 years ago
|
||
(I ran the latest patch through mochitests successfully)
Reporter | ||
Comment 15•17 years ago
|
||
I tested with the latest patch. It's still exploitable. On trunk, it's
possible to attach an event handler to a cross-origin window.
Comment 16•17 years ago
|
||
Comment on attachment 318219 [details] [diff] [review]
With 100% less crashing
a=beltzner, can we make that testcase a test and include that as well?
Attachment #318219 -
Flags: approval1.9? → approval1.9+
Updated•17 years ago
|
Whiteboard: [sg:high xss] → [sg:high xss][needs new patch][needs to block?]
Updated•17 years ago
|
Assignee: mrbkap → jst
Status: REOPENED → NEW
Assignee | ||
Comment 17•17 years ago
|
||
Stealing this back. I was worried about this when I attached the first patch.
This should fix all variants of the bug, but now I find myself wondering why we bother looking at the docshell at all in nsDocument::GetScriptGlobalObject. Once ours has been cleared out, we can only ever return an outer window or the *next* inner window in the succession, which is likely to be wrong. jst, do you remember why we do this?
Assignee: jst → mrbkap
Attachment #318219 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #318447 -
Flags: superreview?(jst)
Attachment #318447 -
Flags: review?(jst)
Updated•17 years ago
|
Whiteboard: [sg:high xss][needs new patch][needs to block?] → [sg:high xss][needs new patch]
Comment 18•17 years ago
|
||
I don't remember details, but I know it's not pretty and not something we can change this late in the game. This code came in as part of bug 141295, and I know I've removed it in the past (never got checked in, broke stuff). What's the actual caller of nsDocument::GetScriptGlobalObject() that matters in this case? Can we move the document check there until we have a chance to clean this up?
Updated•17 years ago
|
Attachment #318447 -
Flags: superreview?(jst)
Attachment #318447 -
Flags: superreview-
Attachment #318447 -
Flags: review?(jst)
Attachment #318447 -
Flags: review-
Assignee | ||
Comment 19•17 years ago
|
||
The caller is nsGenericHTMLElement::GetEventListenerManagerForAttr. I can try pushing the check there.
Assignee | ||
Comment 20•17 years ago
|
||
I filed bug 431767 on figuring out what nsDocument::GetScriptGlobalObject should do after the document has been removed from its docshell.
Attachment #318447 -
Attachment is obsolete: true
Attachment #318906 -
Flags: superreview?(jst)
Attachment #318906 -
Flags: review?(jst)
Updated•17 years ago
|
Attachment #318906 -
Flags: superreview?(jst)
Attachment #318906 -
Flags: superreview+
Attachment #318906 -
Flags: review?(jst)
Attachment #318906 -
Flags: review+
Updated•17 years ago
|
Whiteboard: [sg:high xss][needs new patch] → [sg:high xss]
Updated•17 years ago
|
Attachment #318906 -
Flags: approval1.9?
Updated•17 years ago
|
Attachment #318906 -
Flags: approval1.9? → approval1.9+
Updated•17 years ago
|
Whiteboard: [sg:high xss] → [has patch][has review][has approval][sg:high xss]
Comment 21•17 years ago
|
||
nsGenericHTMLElement.cpp: 1.766
Status: ASSIGNED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
Comment 22•17 years ago
|
||
Johnny, do you have time to make a branch patch for this bug since Blake is out? The patch in comment 22 seems pretty simple, but I'm not sure if it applies to the branch.
Whiteboard: [has patch][has review][has approval][sg:high xss] → [sg:high xss][needs branch patch]
Comment 23•17 years ago
|
||
This problem is fixed on the 1.8 branch by the fix for bug 432591.
Updated•17 years ago
|
Whiteboard: [sg:high xss][needs branch patch] → [sg:high xss] fixed on branch by 432591
Comment 24•17 years ago
|
||
This is the same as the trunk version except for the change to NS_OpenURI() in nsNetUtils.h which was needed by this fix.
Attachment #323646 -
Flags: superreview?(bzbarsky)
Attachment #323646 -
Flags: review?(bzbarsky)
Comment 25•17 years ago
|
||
jst, that doesn't look like a patch for this bug (but for the subscript loader one).
Comment 26•17 years ago
|
||
Comment on attachment 323646 [details] [diff] [review]
Wrong diff.
Yeah, duh.
Attachment #323646 -
Attachment description: 1.8 branch version. → Wrong diff.
Attachment #323646 -
Attachment is obsolete: true
Attachment #323646 -
Flags: superreview?(bzbarsky)
Attachment #323646 -
Flags: review?(bzbarsky)
Comment 28•17 years ago
|
||
Verified testcase 1 (the only one that works in branch) with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15pre) Gecko/2008061005 BonEcho/2.0.0.15pre for 2.0.0.15 release.
Keywords: fixed1.8.1.15 → verified1.8.1.15
Updated•17 years ago
|
Attachment #315281 -
Attachment is private: true
Updated•17 years ago
|
Attachment #318347 -
Attachment is private: true
Updated•17 years ago
|
Group: security
Updated•16 years ago
|
Flags: wanted1.9.0.x?
You need to log in
before you can comment on or make changes to this bug.
Description
•