Bugzilla@Mozilla – Bug 424188
[FIX]Possible to exploit relative xul:script URIs in signed jars
Last modified: 2008-07-02 15:57:34 PDT
See bug 418996 comment 1 and bug 418996 comment 21.
The problem is presumably that XUL doesn't use the scriptloader for <xul:script> and hence doesn't do the downgrading that the scriptloader does?
*** Bug 424190 has been marked as a duplicate of this bug. ***
Created attachment 310841: Fix
Comment on attachment 310841: Fix
Looks good
Comment on attachment 310841: Fix
Extend to XUL the protection HTML already had. Only affects non-chrome XUL served inside a signed jar. Such XUL can no longer keep its signed status if it includes unsigned scripts. Might be worth beta exposure.
Can we get a test for this?
I'm not going to have time to write one in time for beta... We need some tests for bug 418996 too, and to test this we need to either copy the server-side stuff Collin set up or (better) come up with some custom signed jars that mochitests can use...
Comment on attachment 310841: Fix
Can I get a promise that we'll get a test case for this and bug 418996? :)
a1.9+ & a1.9beta5+=damons
> Can I get a promise that we'll get a test case for this and bug 418996? :)
Absolutely. It's on my short-list of bugs to write tests for as soon as I have the time. I'm just not sure that will be before 1.9 ship... If someone picks this up in the meantime, great. If not, once I finish this whole dissertation thing, I'll just do it.
Filed bug 424488 on having a decent way to test this in a good controlled manner.
Checked in. Marking fixed in the sense that XUL and HTML now behave the same, though Collin found bug 424426, which affects both for now.
The branch patch in bug 424426 fixes this bug.
Fixed on the branch by the fix for bug 424426.
(In reply to comment #0)
> See bug 418996 comment 1 and bug 418996 comment 21.

I tested the fix with the linked test case in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15pre) Gecko/2008061005 BonEcho/2.0.0.15pre and the case doesn't repro like it does for 2.0.0.14. Is there additional testing that we should do to verify this?