Closed Bug 582913 Opened 15 years ago Closed 14 years ago

Bypassing XOW by using chrome XBL or JS

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
blocking1.9.2 --- -
status1.9.2 --- wontfix
blocking1.9.1 --- -
status1.9.1 --- wontfix

People

(Reporter: moz_bug_r_a4, Assigned: mrbkap)

Details

(Whiteboard: [needs answer to comment 10 from mrbkap][sg:high])

http://mxr.mozilla.org/mozilla-central/source/js/src/xpconnect/src/nsXPConnect.cpp#2546 2475 nsXPConnect::GetWrapperForObject(JSContext* aJSContext, 2476 JSObject* aObject, 2477 JSObject* aScope, 2478 nsIPrincipal* aPrincipal, 2479 PRUint32 aFilenameFlags, 2480 jsval* _retval) 2481 { ... 2546 // We can do nothing if: 2547 // - We're wrapping a system object 2548 // or 2549 // - We're from the same *scope* AND 2550 // - We're not about to force a XOW (e.g. for "window") OR 2551 // - We're not actually going to create a XOW (we're wrapping for 2552 // chrome). 2553 if(aObject->isSystem() || 2554 (sameScope && 2555 (!forceXOW || (aFilenameFlags & JSFILENAME_SYSTEM)))) 2556 return NS_OK; With the attached testcase, aObject is a content window, sameScope is 1, forceXOW is 1, and aFilenameFlags is 3, thus the window is not wrapped in a security wrapper.
Attached file testcase
This tries to get cookies for www.mozilla.com.
I get Error: Permission denied for <https://bug582913.bugzilla.mozilla.org> to get property Window.eval from <http://www.mozilla.com>. Source File: https://bug582913.bugzilla.mozilla.org/attachment.cgi?id=461169&t=vmrreYjVPp Line: 33
(In reply to comment #2) > I get Error: Permission denied for <https://bug582913.bugzilla.mozilla.org> to > get property Window.eval from <http://www.mozilla.com>. > Source File: > https://bug582913.bugzilla.mozilla.org/attachment.cgi?id=461169&t=vmrreYjVPp > Line: 33 Do you get the error only on trunk? If so, which text do you see near the iframe? "null" or "[object HTMLElement]"? I can reproduce the testcase on trunk, 1.9.2 and 1.9.1 on Windows and Linux.
trunk mac os x 10.5. [object HTMLElement] 500 is what i saw next to the iframe. I'll check the others in a bit.
On trunk, the testcase tries to force GC in order to remove a cached XOW. If GC happens, the text should be "null" instead of "[object HTMLElement]". In my machines, GC can happen after looping about 100 times. What happens if you change the code in function gc: 500 into a larger number?
Attached file testcase 2
This does not try to force GC. I can reproduce this on trunk. Bob, could you test this?
Whiteboard: [sg:high]
testcase1 and testcase2 work in 1.9.1, 1.9.2 but not 1.9.3 on mac os x.
Assignee: nobody → mrbkap
This was fixed by compartments. moz_bug_r_a4, can you verify?
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Yes. On fx-4.0b8pre-2010-11-09-07, I cannot reproduce the testcases, and I get this error: Error: Permission denied to access property 'eval'
Status: RESOLVED → VERIFIED
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Is there any possibility of a non-compartments fix for the branches?
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed
Whiteboard: [sg:high] → [needs answer to comment 10 from mrbkap][sg:high]
This will have to be "wontfix" on old branches -- the whole point of Compartments is to fix bugs like this that we couldn't fix another way, and we're not back-porting Compartments and everything else that would require.
blocking1.9.1: needed → -
blocking1.9.2: needed → -
status1.9.1: wantedwontfix
status1.9.2: wantedwontfix
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.