Bugzilla@Mozilla – Bug 460002
It's possible to circumvent the inner window check in nsXMLHttpRequest::NotifyEventListeners()
Last modified: 2009-01-05 13:08:03 PST
This bug is for fx3.0.x and fx2.0.0.x. In nsXMLHttpRequest::NotifyEventListeners(), CheckInnerWindowCorrectness() is called only once, and then multiple listeners are called. Thus, it's possible to circumvent the inner window check by using two listeners. (Trunk is also exploitable in the same way, but depends on bug 460001.)
Created attachment 343192 [details] testcase 1 This tries to get cookies for www.mozilla.com. This works on fx3.0.x.
Created attachment 343193 [details] testcase 2 This tries to get cookies for www.mozilla.com. This works on fx2.0.0.x.
For some reason I can't reproduce on ff2.0.0.x, using either testcase. Testcase 1 shows the bug on FF3.
Created attachment 343213 [details] [review] for 1.9.0 Fixes FF3
Created attachment 343214 [details] [review] for 1.8 Should fix 1.8. Note, the first check can't be removed in 1.8, because there is one HandleEvent call before the loop. Anyone who can reproduce on FF2, please verify that this fixes the problem.
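The check-once-then-dispatch pattern from comment 0 and the per-listener re-check that the 1.8 and 1.9.0 patches introduce, as an added toy model in C++. This is example code written for this page, not Gecko's nsXMLHttpRequest; the Request struct, the NotifyCheckOnce/NotifyCheckEach functions, RunScenario and the integer window ids are invented for illustration, and the first listener's swap of the window id stands in for anything that replaces the document's inner window (a navigation, for instance) while listeners are still being called.

```cpp
#include <functional>
#include <vector>

// Toy model of the dispatch pattern in bug 460002 (added example, not Gecko code).
// A request remembers the inner window it was created from; the document's
// current inner window can change while its listeners are running.
struct Request {
    int ownerWindowId;        // inner window the request was created in
    int* currentWindowId;     // the document's inner window right now
    std::vector<std::function<void(Request&)>> listeners;
    int ranAfterSwap;         // listeners that ran after the window no longer matched

    // Hypothetical stand-in for CheckInnerWindowCorrectness(): events may only be
    // delivered while the document still has the inner window the request came from.
    bool CheckInnerWindowCorrectness() const {
        return ownerWindowId == *currentWindowId;
    }
};

// Unfixed shape: validate once, then call every registered listener.
// If listener N replaces the inner window, listener N+1 still runs.
int NotifyCheckOnce(Request& r) {
    if (!r.CheckInnerWindowCorrectness()) return 0;
    int ran = 0;
    for (auto& listener : r.listeners) {
        listener(r);
        ++ran;
    }
    return ran;
}

// Fixed shape: re-validate before each listener, because any listener may have
// changed the window. (On the 1.8 branch one HandleEvent call precedes the loop,
// so the check in front of it has to stay; here the per-iteration check also
// runs before the first listener, so it covers that case too.)
int NotifyCheckEach(Request& r) {
    int ran = 0;
    for (auto& listener : r.listeners) {
        if (!r.CheckInnerWindowCorrectness()) break;
        listener(r);
        ++ran;
    }
    return ran;
}

// Constructed scenario: listener 1 swaps the document's inner window; listener 2
// records whether it was invoked against the mismatched window.
// Returns how many listeners ran after the swap.
int RunScenario(bool checkEachListener) {
    int currentWindow = 1;
    Request r{1, &currentWindow, {}, 0};
    r.listeners.push_back([](Request& req) { *req.currentWindowId = 2; });
    r.listeners.push_back([](Request& req) {
        if (!req.CheckInnerWindowCorrectness()) ++req.ranAfterSwap;
    });
    if (checkEachListener) {
        NotifyCheckEach(r);
    } else {
        NotifyCheckOnce(r);
    }
    return r.ranAfterSwap;
}

int main() {
    // Exit 0 only when the check-once variant lets a listener through and the
    // check-each variant does not.
    return (RunScenario(false) == 1 && RunScenario(true) == 0) ? 0 : 1;
}
```

The point the model makes is that a guard evaluated before a loop of callbacks is only as good as the callbacks' inability to change what the guard inspects; when callbacks can mutate that state, the guard has to be re-evaluated before every call, which is what the patches do.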
I can reproduce "testcase 2" on Windows, but cannot on Linux. I'll attach a new testcase that is reproducible on fx2 on both Windows and Linux. And, using the new testcase on Linux, I verified that the patch fixes the problem.
Created attachment 343366 [details] testcase 3 This tries to get cookies for www.mozilla.com. This works on fx2.0.0.x on Windows and Linux.
Comment on attachment 343214 [details] [review] for 1.8 Approved for 1.8.1.18, a=dveditz for release-drivers
Comment on attachment 343213 [details] [review] for 1.9.0 Approved for 1.9.0.4, a=dveditz for release-drivers
Verified for 1.8.1.18 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.18pre) Gecko/2008102103 BonEcho/2.0.0.18pre.
Verified for 1.9.0.4 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4pre) Gecko/2008102104 GranParadiso/3.0.4pre using both testcases.
Verified that this is not an issue in 3.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081020 Minefield/3.1b2pre.
Comment on attachment 343214 [details] [review] for 1.8 a=asac for 1.8.0 branch (needs some context adjustments)
Created attachment 347315 [details] [review] 1.8.0 (clean context)