Bug 444073 - Script evaluated by Components.utils.evalInSandbox() can pollute implicit XPCNativeWrapper
Status: VERIFIED FIXED
Whiteboard: [sg:moderate][fixed by 441087] potent...
Keywords: fixed1.9.1, verified1.8.1.17, verified1.9.0.2
Product: Core
Classification: Components
Component: XPConnect
Version: unspecified
Platform: x86 Windows XP
Importance: P1 normal
Target Milestone: ---
Assigned To: Blake Kaplan (:mrbkap)
QA Contact: xpconnect
Reported: 2008-07-08 03:12 PDT by moz_bug_r_a4
Modified: 2009-01-27 17:27 PST (History)
CC: 8 users
benjamin: blocking1.9.1+
samuel.sidler+old: blocking1.9.0.2+
dveditz: blocking1.8.1.17+
dveditz: wanted1.8.1.x+
asac: blocking1.8.0.next+


Attachments
testcase - Greasemonkey user script (371 bytes, text/plain), 2008-07-08 03:14 PDT, moz_bug_r_a4


Description moz_bug_r_a4 2008-07-08 03:12:57 PDT
This is basically the same bug as bug 441087.

When a script is evaluated by Components.utils.evalInSandbox(), the script
inherits the caller's filename.  Thus, the script can access and modify
implicit XPCNativeWrappers.

In bug 441087's case, |event| is an implicit XPCNativeWrapper, and eval'ed
script cannot access properties of the implicit XPCNativeWrapper due to the fix
for bug 419848.

Note: Greasemonkey user scripts need to access web pages via (explicit)
XPCNativeWrapper.  Otherwise scripts in web pages can abuse GM_* API functions.
Comment 1 moz_bug_r_a4 2008-07-08 03:14:42 PDT
Created attachment 328459 [details]
testcase - Greasemonkey user script

Steps to reproduce:
1. Install Greasemonkey and this user script.
2. Load an html page.
3. Right click on the document.

An alert will appear.
Comment 2 Gavin Sharp 2008-07-08 10:27:07 PDT
Er, woops, didn't mean to request blocking.
Comment 3 Samuel Sidler (old account; do not CC) 2008-08-14 17:08:55 PDT
If it blocks 1.8.1.17, it should block 1.9.0.2. Blake, how's a patch looking for tomorrow? ...
Comment 4 Blake Kaplan (:mrbkap) 2008-08-18 14:57:48 PDT
This was fixed on the trunk and branches by bug 441087.
Comment 5 moz_bug_r_a4 2008-08-27 04:22:00 PDT
This bug is not fixed on fx-2.0.0.17pre-2008-08-26-03.  See also bug 441087
comment #29.
Comment 6 Samuel Sidler (old account; do not CC) 2008-08-27 13:12:04 PDT
Fix for 441087 was checked in.
Comment 7 Al Billings [:abillings] 2008-09-02 16:44:25 PDT
Verified this as fixed in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17 and that the bug repros in 2.0.0.16.
Comment 8 Al Billings [:abillings] 2008-09-05 17:01:03 PDT
I've verified this for 1.9.0.2 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.2) Gecko/2008090212 Firefox/3.0.2.
