Bug 87980: javascript code in message subject runs, with system principal (settimeout)
Status: Closed, VERIFIED FIXED
Opened 24 years ago; closed 24 years ago
Categories: MailNews Core :: Composition, defect, P1
Tracking: Not tracked
Target milestone: mozilla0.9.2
People: Reporter: jruderman, Assigned: bugzilla
Whiteboard: [PDT+]; critical for 0.9.2; Fixed in the branch; security
Attachments: 1 file (patch, deleted)
I can get code to run with system principal on a victim's computer if I can
get him/her to send a message with a subject of my choice. (One way to do this
would be to send a message with the code as the subject, and hope that the
victim will reply to the message.)
Sending a message with the following subject
'); alert(Components.classes); ('
causes this javascript code to run, and run with system principal.
Here's the problematic code in sendProgress.js:
//We need to delay the set title else dom will overwrite it
return window.setTimeout( "SetTitle('" + subject + "');", 0 );
This seems to be part of code that sets the title of the "sending message:
[subject]" dialog, because using a subject of b'+'lah results in that having
"blah" in its title.
Updated•24 years ago (Reporter)
Group: netscapeconfidential?
Updated•24 years ago
Whiteboard: [PDT+] → [PDT+]; critical for 0.9.2
Comment 2•24 years ago
we need a good fix for this as soon as we can get it.
Comment 3•24 years ago
adding brendan and jst in case they can help.
Updated•24 years ago
Priority: -- → P1
Target Milestone: --- → mozilla0.9.2
Comment 5•24 years ago (Assignee)
Updated•24 years ago (Assignee)
Whiteboard: [PDT+]; critical for 0.9.2 → [PDT+]; critical for 0.9.2; Have fix
Comment 6•24 years ago (Assignee)
jesse, can you review the patch?
Comment 7•24 years ago
Great catch! r/sr=vidur for J-F's fix.
Calls to eval() and new Function() might be other places where similar patterns
could exist.
Comment 8•24 years ago
eval, Script or new Script or Script.prototype.compile, Function or new
Function, are all callable as setTimeout("...", t) is -- they all take a string
and compile and possibly execute it. Beware.
r/sr=brendan@mozilla.org on the patch.
/be
Comment 9•24 years ago
a=chofmann
Comment 10•24 years ago (Assignee)
Fix checked in the branch, still need to check it in the trunk.
Whiteboard: [PDT+]; critical for 0.9.2; Have fix → [PDT+]; critical for 0.9.2; Fixed in the branch
Comment 11•24 years ago (Assignee)
Fixed in the trunk too.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 12•24 years ago
JFD,
How do I verify this bug?
Comment 13•24 years ago (Reporter)
To verify:
- Send a message to yourself with the subject
'); alert(Components.classes); ('
You should not get an alert, and there should be no errors on the JavaScript
console.
- Send a message to yourself with some interesting characters in the subject,
such as ", ', :, \, <, and &. The subject should appear unmangled in the title
of the "Sending message..." progress window, and there should be no errors on
the JavaScript console.
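The injection pattern from the bug report above and the verification cases from comment 13, as an added example in JavaScript that is not part of the original bug or of the Mozilla code. The dialog object, `SetTitle`, the `alert` and `Components` stand-ins, the `runAsScript` helper and the sample subjects are all constructed here; `runAsScript` imitates the string form of `window.setTimeout` by compiling the string with `new Function`, which comment 8 lists as the same kind of sink. The closure-based version is one standard remedy for this pattern; the bug's actual patch is not reproduced on this page, so it is an assumed fix, not the one that was checked in.

```javascript
// Added example: string-to-code injection through setTimeout("...", 0) and a closure-based fix.
// Everything below (the dialog, SetTitle, alert, Components, runAsScript) is a constructed
// stand-in for the Mozilla objects; none of it is the project's code.

// The "Sending message: [subject]" progress dialog, reduced to the title it was given.
const dialog = { title: null };
function SetTitle(subject) {
  dialog.title = "Sending message: " + subject;
}

// Stand-ins for what injected script can reach when it runs with the system principal.
const Components = { classes: { note: "stand-in for the XPCOM class registry" } };
const sideEffects = [];            // every alert() the injected code manages to make
function alert(message) {
  sideEffects.push(String(message));
}

// Imitates window.setTimeout(code, 0) when `code` is a string: the string is compiled and
// executed as script in the caller's context. It runs synchronously here so the outcome
// can be inspected at once. new Function(), eval() and Script are the same kind of sink.
function runAsScript(code) {
  try {
    new Function("SetTitle", "alert", "Components", code)(SetTitle, alert, Components);
    return { error: null };
  } catch (e) {
    return { error: e.name };        // e.g. SyntaxError when the subject breaks the quoting
  }
}

// The pattern from sendProgress.js: the subject is spliced into source text.
function scheduleTitleVulnerable(subject) {
  return runAsScript("SetTitle('" + subject + "');");
}

// Assumed fix: hand setTimeout a function, so the subject stays data and is never compiled.
function scheduleTitleFixed(subject) {
  const callback = function () { SetTitle(subject); };
  callback();                        // stands in for window.setTimeout(callback, 0)
  return { error: null };
}

// Run one subject through either path and report the title, side effects and any error.
function trySubject(subject, mode) {
  dialog.title = null;
  sideEffects.length = 0;
  const result = mode === "fixed" ? scheduleTitleFixed(subject) : scheduleTitleVulnerable(subject);
  return { title: dialog.title, sideEffects: sideEffects.slice(), error: result.error };
}

// Constructed subjects: the one from the report, the b'+'lah probe, and the characters
// comment 13 asks to check (", ', :, \, <, and &).
const SUBJECTS = {
  injection: "'); alert(Components.classes); ('",
  concat: "b'+'lah",
  tricky: "a\"b'c:d\\e<f&g",
};

// Verification in the spirit of comment 13: the fixed path must never run injected code,
// must raise no error, and must show every subject unmangled in the title.
function verifyFixed() {
  return Object.values(SUBJECTS).every(function (subject) {
    const r = trySubject(subject, "fixed");
    return r.error === null && r.sideEffects.length === 0 &&
      r.title === "Sending message: " + subject;
  });
}

for (const [name, subject] of Object.entries(SUBJECTS)) {
  console.log(name, "vulnerable:", trySubject(subject, "vulnerable"));
  console.log(name, "fixed:     ", trySubject(subject, "fixed"));
}
console.log("fixed path passes:", verifyFixed());
```

In the vulnerable path the injection subject runs `alert(Components.classes)` and leaves an empty title, `b'+'lah` is evaluated to `blah` exactly as the report observed, and the subject with mixed quotes fails to compile at all. The closure path never compiles the subject, so all three come out unchanged with no side effects; escaping the subject before splicing it into the string would also stop the injection, but every new sink (eval, Script, Function) would need the same care, which is why passing a function is the safer default.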
Comment 14•24 years ago
verified based on comments above
trunk builds: 2001070206-win98, mac, 2001062906 linux
Branch builds: 2001070206 win98, mac, linux.
Status: RESOLVED → VERIFIED
Comment 15•23 years ago
*** Bug 86613 has been marked as a duplicate of this bug. ***
Updated•22 years ago (Reporter)
Group: netscapeconfidential?
Updated•21 years ago (Reporter)
Whiteboard: [PDT+]; critical for 0.9.2; Fixed in the branch → [PDT+]; critical for 0.9.2; Fixed in the branch; security
Updated•20 years ago
Product: MailNews → Core
Updated•16 years ago
Product: Core → MailNews Core