Closed
Bug 455629
Opened 16 years ago
Closed 16 years ago
<object>s and <embed>s have ways of getting at the document inside them
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: bzbarsky, Assigned: mrbkap)
References
Details
(Whiteboard: [sg:nse] hidden until 455472 is opened)
Attachments
(1 file)
(deleted),
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
<object> has .contentDocument and maybe .getSVGDocument. <embed> has getSVGDocument.
We should probably either add security checks in all these methods or auto-wrap these nodes in XOW.
Flags: blocking1.9.1?
Assignee | ||
Comment 1•16 years ago
|
||
It occurred to me that we probably already do through the magical code in xpcconvert.cpp. If so, can we just close this?
Reporter | ||
Comment 2•16 years ago
|
||
If we do, then yes. That should be mochitestable, right?
Assignee | ||
Comment 3•16 years ago
|
||
Yeah, although currently XOWs do a lot of work to be entirely invisible from JS. The only XOW-specific test I can come up with right now is to test if cross-origin |getSVGDocument().createAttribute.__parent__ === window| i.e., all functions that come off of the cross-origin object actually appear to be from the calling code's scope.
Reporter | ||
Comment 4•16 years ago
|
||
I was more thinking test that the right security checks happen. If we don't hand back an XOW, they won't, right?
Comment 5•16 years ago
|
||
CC'ing moz_bug_r_a4 to see if he can turn this into an XSS flaw (or worse). Inspired by bug 455472
Comment 6•16 years ago
|
||
Not blocking on this as we think this is a non-issue as far as the code goes, right?
Flags: blocking1.9.1? → blocking1.9.1-
Reporter | ||
Comment 7•16 years ago
|
||
Is commnt 1 referring to this part:
1248 // Reaching across scopes from content code. Wrap
1249 // the new object in a XOW.
1250 jsval v = OBJECT_TO_JSVAL(flat);
1251 XPCJSObjectHolder *objHolder = nsnull;
1252 if (!XPC_XOW_WrapObject(ccx, scope, &v) ||
1253 !(objHolder =
1254 XPCJSObjectHolder::newHolder(ccx,
1255 JSVAL_TO_OBJECT(v))))
? If so I agree that it looks like the code is a non-issue. I do think we should block on blake confirming that...
Assignee | ||
Comment 9•16 years ago
|
||
This mochitest proves that there's no security bug here.
Assignee | ||
Updated•16 years ago
|
Attachment #353729 -
Flags: review? → review?(bzbarsky)
Reporter | ||
Comment 10•16 years ago
|
||
Comment on attachment 353729 [details] [diff] [review]
Mochitest
Excellent. Thanks for writing this up!
Attachment #353729 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Comment 11•16 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/202d8f3d8439 - Marking "fixed" though there wasn't a bug here to begin with.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 12•15 years ago
|
||
not a security exploit per comment 9, keeping hidden until bug 455472 is unhidden.
Blocks: CVE-2010-0162
Whiteboard: [sg:low] → [sg:nse] hidden until 455472 is opened
Updated•9 years ago
|
Group: core-security
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•