Closed Bug 814153 Opened 12 years ago Closed 12 years ago

Need additional security checks for the "settings" permission

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla20

Project Flags:

blocking-basecamp

Tracking Flags:

Tracking

Status

firefox18

---

fixed

firefox19

---

fixed

firefox20

---

fixed

People

(Reporter: bent.mozilla, Assigned: gwagner)

References

Details

Attachments

(1 file)

patch 12 years ago Gregor Wagner [:gwagner] (deleted), patch	bent.mozilla : review+	Details \| Diff \| Splinter Review

Ben Turner (not reading bugmail, use the needinfo flag!)

Reporter

Description

•

12 years ago

Notes from conversation with gregor:

settings:
  settings-read and settings-write both checked in child for dom access, but returns non-null if access not granted (logs error to console only)
  doesn't assert permission before adding listeners ("Settings:RegisterForMessages")

We should tighten this up a little.

Lawrence Mandel [:lmandel] (use needinfo)

Updated

•

12 years ago

blocking-basecamp: ? → +

Andrew Overholt [:overholt]

Comment 1

•

12 years ago

Gregor, Doug said you should be the lucky owner of this bug.  Congrats!  :)

Assignee: nobody → anygregor

Gregor Wagner [:gwagner]

Assignee

Comment 2

•

12 years ago

Attached patch patch (deleted) — Details — Splinter Review

Gregor Wagner [:gwagner]

Assignee

Comment 3

•

12 years ago

(In reply to ben turner [:bent] from comment #0)
> Notes from conversation with gregor:
> 
> settings:
>   settings-read and settings-write both checked in child for dom access, but
> returns non-null if access not granted (logs error to console only)

fixed by 815398

>   doesn't assert permission before adding listeners
> ("Settings:RegisterForMessages")

This patch

Gregor Wagner [:gwagner]

Assignee

Updated

•

12 years ago

Attachment #686625 - Flags: review?(bent.mozilla)

Ben Turner (not reading bugmail, use the needinfo flag!)

Reporter

Updated

•

12 years ago

Attachment #686625 - Flags: review?(bent.mozilla) → review+

Gregor Wagner [:gwagner]

Assignee

Comment 4

•

12 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/a242c45cc80b

Ed Morley [:emorley]

Comment 5

•

12 years ago

https://hg.mozilla.org/mozilla-central/rev/a242c45cc80b

Status: NEW → RESOLVED

Closed: 12 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla20

Ryan VanderMeulen [:RyanVM]

Comment 6

•

12 years ago

https://hg.mozilla.org/releases/mozilla-aurora/rev/5796235869f1
https://hg.mozilla.org/releases/mozilla-beta/rev/b1958d544900

status-firefox18: --- → fixed

status-firefox19: --- → fixed

status-firefox20: --- → fixed

Nobody; OK to take it and work on it

Updated

•

6 years ago

Component: DOM → DOM: Core & HTML

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Need additional security checks for the "settings" permission

Categories

(Core :: DOM: Core & HTML, defect)

Tracking

()

People

(Reporter: bent.mozilla, Assigned: gwagner)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Comment 2

Comment 3

Updated

Updated

Comment 4

Comment 5

Comment 6

Updated

Attachment

General

Description

File Name

Content Type