Ben Turner (not reading bugmail, use the needinfo flag!) Assignee
	Description • 13 years ago

IndexedDB uses the directory service off the main thread, and it shouldn't. See bug 746830. There's no real reason we needed to, I just thought it was safe.

I don't think this is really exploitable (hard to reproduce race) but never hurts to file as a security bug.

	Kyle Huey (Exited; not receiving bugmail, old account, do not use)
	Comment 1 • 13 years ago

Comment on attachment 617157 [details] [diff] [review]
Patch, v1

Review of attachment 617157 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/indexedDB/IndexedDatabaseManager.cpp
@@ +305,5 @@
> +IndexedDatabaseManager::GetDirectoryForOrigin(const nsACString& aASCIIOrigin,
> +                                              nsIFile** aDirectory) const
> +{
> +  nsresult rv;
> +  nsCOMPtr<nsILocalFile> directory =

Just make this nsIFile.  nsILocalFile is useless these days.

@@ +322,5 @@
> +
> +  rv = directory->Append(originSanitized);
> +  NS_ENSURE_SUCCESS(rv, rv);
> +
> +  directory.forget(reinterpret_cast<nsILocalFile**>(aDirectory));

Then this can go away.

	Ben Turner (not reading bugmail, use the needinfo flag!) Assignee
	Comment 2 • 13 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/46e22a07d53a

	(no longer active)
	Comment 3 • 13 years ago

https://hg.mozilla.org/mozilla-central/rev/46e22a07d53a

	Alex Keybl [:akeybl]
	Comment 4 • 13 years ago

IndexedDB landed in FF4, so I'm assuming that the ESR is affected. That being said, this is an sg:moderate so we're choosing to leave this unfixed.