Bugzilla@Mozilla – Bug 444077
XPCNativeWrapper pollution using chrome JS
Last modified: 2009-01-27 17:25:49 PST
It's possible to modify an implicit XPCNativeWrapper within a function loaded from a chrome: URL without using eval-like methods or __defineGetter__. (See also the second paragraph of bug 387390 comment #21.)
Blake: welcome back! ;-)
The patch in bug 441087 fixes this.
Fixed by bug 441087.
Marking fixed to follow bug 441087.
This bug is not fixed on fx-2.0.0.17pre-2008-08-26-03. See also bug 441087 comment #29.
Fix for 441087 was checked in.
I can reproduce at will using the testcase in comment 1 using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16, but not using 2.0.0.17 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17). Verified FIXED; replacing fixed1.8.1.17 with verified1.8.1.17.
Verified for 1.9.0.2 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.2) Gecko/2008090212 Firefox/3.0.2.
Landed before branching