Closed
Bug 91714
Opened 23 years ago
Closed 23 years ago
web page can load (but not see) about:*
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla0.9.4
People
(Reporter: bbaetz, Assigned: security-bugs)
Details
(Whiteboard: patch)
Attachments
(4 files)
(deleted), text/html
(deleted), patch
(deleted), text/html
(deleted), patch
By using document.appendChild to add stuff to an about:blank document, a web
page can cause about:* to load (because checkloaduri will then pass the
same-domain test). We can't view its contents though, because that check is
stricter.
.appendChild (and other dom methods?) probably needs to do what document.write
does when writing to about:blank, and change the document url to that of the
page doing the writing.
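The behaviour described in the report above, as an added example that is not part of the original bug and is not Mozilla's code: a simplified model in which a load is judged by the URL of the document that starts it. The function names, the same-scheme rule and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not Mozilla's implementation.
// Assumption: a load started inside a document is checked against that
// document's URL, and an about: source passes the test for about:* targets.
const schemeOf = (url) => url.slice(0, url.indexOf(':')).toLowerCase();

// Hypothetical stand-in for the load check named in the report.
function checkLoadURI(sourceUrl, targetUrl) {
  if (targetUrl === 'about:blank') return true;      // always loadable
  if (schemeOf(targetUrl) !== 'about') return true;  // other schemes not modelled
  return schemeOf(sourceUrl) === 'about';            // about:* needs an about: source
}

class Doc {
  constructor(url) { this.url = url; this.children = []; }
  // Content in this document is judged by the document URL.
  canLoad(targetUrl) { return checkLoadURI(this.url, targetUrl); }
}

// What the report says document.write does: the blank document takes the writer's URL.
function documentWrite(doc, callerUrl, markup) {
  if (doc.url === 'about:blank') doc.url = callerUrl;
  doc.children.push(markup);
}

// Behaviour described in the report: the node is added, the URL stays about:blank.
function appendChildAsReported(doc, callerUrl, node) {
  doc.children.push(node);
}

// The reporter's proposal: DOM insertion re-labels the blank document as well.
function appendChildAsProposed(doc, callerUrl, node) {
  if (doc.url === 'about:blank') doc.url = callerUrl;
  doc.children.push(node);
}

// Constructed sample values.
const PAGE = 'http://site.example/page.html';
const TARGET = 'about:internal-page';

// Populate a fresh about:blank document from PAGE, then ask for TARGET.
function outcome(insert) {
  const doc = new Doc('about:blank');
  insert(doc, PAGE, '<iframe src="' + TARGET + '">');
  return { url: doc.url, allowed: doc.canLoad(TARGET) };
}

for (const f of [appendChildAsReported, documentWrite, appendChildAsProposed]) {
  console.log(f.name, outcome(f));
}
```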
Comment 1 • 23 years ago (Reporter)
oops, wrong component
-> dom core
Component: DOM Content Models → DOM Core
QA Contact: lchiang → stummala
Comment 2 • 23 years ago (Reporter)
Updated • 23 years ago
Assignee: jst → mstoltz
Comment 3 • 23 years ago
Over to mstoltz based on discussion with him.
Updated • 23 years ago (Assignee)
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.0
Comment 4 • 23 years ago (Assignee)
Comment 5 • 23 years ago (Assignee)
Comment 6 • 23 years ago (Assignee)
Upping the priority on this one as it's more exploitable than I thought.
Severity: minor → normal
Priority: -- → P1
Target Milestone: mozilla1.0 → mozilla0.9.4
Comment 7 • 23 years ago (Reporter)
It's still not readable from a script though, is it?
Comment 8 • 23 years ago (Assignee)
Yes it is, when combined with bug 94551. Fix coming soon (for this bug).
Comment 9 • 23 years ago (Assignee)
Updated • 23 years ago (Assignee)
Whiteboard: patch
Comment 10 • 23 years ago
Remove the extra line just after the if statement:
+ if(nsCRT::strcasecmp(scheme, aboutScheme) == 0)
+ *aScheme = PL_strdup(scheme);
+ {
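Review bot: the `*aScheme = PL_strdup(scheme);` line between the `if` and its `{` becomes the entire body of the `if`, so the braced block after it runs for every scheme rather than only when `scheme` matches `aboutScheme`. Remove that line, or move the assignment inside the braces if it is needed, and check the `PL_strdup` result for null there, since the call allocates and can fail.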
(cut n' paste?)
with that, sr=jst
Updated • 23 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 11 • 23 years ago (Assignee)
Fix checked in.
Comment 12 • 23 years ago
verified 2001-09-12-05. securitymanager raised flag which is shown in console.
Status: RESOLVED → VERIFIED
Component: DOM: Core → DOM: Core & HTML
QA Contact: stummala → general