Closed Bug 470720 Opened 16 years ago Closed 16 years ago

XSS using XPCNativeWrapper and quick stubs

Categories

(Core :: Security, defect, P1)

Product:
Core
Component:
Security
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

References

Details

(Whiteboard: [sg:high])

Attachments

(3 files)

testcase 1
(deleted), text/html
Details
testcase 2
(deleted), text/html
Details
Fix
(deleted), patch
jst
: review+
jst
: superreview+
Details | Diff | Splinter Review
This is trunk/1.9.1 only. By using XPCNativeWrapper, it's possible to call quick stub methods/getters/setters on cross-origin objects. Bug 468552 partially fixes this bug.
Attached file testcase 1 (deleted) —
This tries to get cookies for www.mozilla.com. This works on 1.9.1. On trunk, bug 468552 fixed this testcase.
Attached file testcase 2 (deleted) —
This tries to get cookies for www.mozilla.com. This works on trunk and 1.9.1.
Whiteboard: [sg:high]
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
Flags: blocking1.9.1?
Attached patch Fix (deleted) — Splinter Review
I had confused SJOWs with native wrappers when I allowed native wrappers to unwrap XOWs. SJOWs have a CanAccess check above every call, native wrappers don't. In addition, native wrappers allow themselves to be unwrapped cross-origin, which is what hurts us here.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #354231 - Flags: superreview?(jst)
Attachment #354231 - Flags: review?(jst)
Attachment #354231 - Flags: superreview?(jst)
Attachment #354231 - Flags: superreview+
Attachment #354231 - Flags: review?(jst)
Attachment #354231 - Flags: review+
Comment on attachment 354231 [details] [diff] [review] Fix // Unwrap a cross origin wrapper, since we're more restrictive than it is. Since we're no longer unwrapping XOWs, update the comment. r+sr=jst
http://hg.mozilla.org/mozilla-central/rev/abaa242f2300
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Depends on: 472674
Blocks: 472792
looks like this should be ready get approval and to go to the branch, right? is there still time to make the beta? does it need a beta cycle to catch problems?
Priority: -- → P1
Chris: this bug was subsumed by bug 472792. We shouldn't take it on the branch, but we should take my fix for that bug (which fixes this as well).
Flags: blocking1.9.1?
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: