Bugzilla@Mozilla – Bug 464174
The fix in bug 451680 does not fix <field>
Last modified: 2009-01-07 09:32:24 PST
The fix in bug 451680 does not fix <field>.
Created attachment 347452 (testcase): This tries to get cookies for www.mozilla.com. This works on trunk, fx3.0.x and fx2.0.0.x.
*sigh*. We probably need to block on this because it affects Firefox 2 and this is our last release there... Blake? :)
Created attachment 348911 (Proposed fix): This uses the node principal of the bound content's owner document. I *think* that's the right principal to use here.
Comment on attachment 348911 (Proposed fix): Using content->NodePrincipal() would be slightly safer I think. Should amount to exactly the same thing.
Created attachment 349022 (Updated to comments): This applies to trunk and the 1.9 branch. I'm looking into backporting it to the 1.8 branch.
...except that the 1.8 branch isn't vulnerable to this exploit because on the branch, field installation is eager and called from nsXBLProtoImpl::InstallImplementation, which, thanks to the backport in bug 451680, now bails out in this case.
Comment on attachment 349022 (Updated to comments): After talking to beltzner, we'll wait to check this in after beta2.
Hey, want to remove that XXX comment about a better principal since you have one now? ;)
Er, yeah. I've done that locally.
Comment on attachment 349022 (Updated to comments): Approved for 1.9.0.5, a=dveditz for release-drivers
Fixed on the 1.9 branch.
We took this for 1.9.0, so we can't ship 1.9.1 w/o this. Blocker.
Verified for 1.8.1.19 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.19pre) Gecko/2008112503 BonEcho/2.0.0.19pre. Verified for 1.9.0.5 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5pre) Gecko/2008112505 GranParadiso/3.0.5pre. I'm surprised that we haven't fixed this in Trunk yet though.
Comment on attachment 349022 (Updated to comments): a191=beltzner
Note to whoever checks this in -- please use the patch that was actually checked into the 1.9 branch or address comment 8 manually. Checkin message: Bug 464174 - Pass a principal in when compiling fields. r+sr=sicking a=beltzner
Missed comment 15 before I pushed, so commit message just has bug number and reviewers: http://hg.mozilla.org/mozilla-central/rev/4cfa752afa85 And addressing comment 8... http://hg.mozilla.org/mozilla-central/rev/60ba92ead6d3