Bugzilla@Mozilla – Bug 478433
XPCNativeWrapper's toString's __proto__ comes from the wrong scope
Last modified: 2010-02-13 12:45:08 PST
This is a similar problem to bug 370127. If chrome code calls content.toString.call(), then content-defined functions can be called by chrome code. Also, it's possible to use this bug to bypass XOW and perform bug 369334's XSS attack.
Created attachment 362261 [details] [review]
Fix for this bug

This fixes this bug. I'm re-evaluating how these toString methods are implemented though.
http://hg.mozilla.org/mozilla-central/rev/6b6128b32170
Comment on attachment 362261 [details] [review]
Fix for this bug

This applies as-is to the 1.9.0 branch.
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/636b381bd764
Comment on attachment 362261 [details] [review]
Fix for this bug

Approved for 1.9.0.8, a=dveditz for release-drivers
Fixed on the 1.9.0 branch.
Verified for 1.9.0.8 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.8pre) Gecko/2009031904 GranParadiso/3.0.8pre. Verified for 1.9.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090319 Shiretoko/3.5b4pre.
Created attachment 371857 [details] [review]
1.8.0 backport
Comment on attachment 371857 [details] [review]
1.8.0 backport

Can you please confirm this one?
Created attachment 374793 [details] [review]
for 1.8 branch

This patch fixes both testcases on 1.8; avoided not exported js_SetSlotThreadSafe by using (funobj)->slots[JSSLOT_PARENT] directly. Hope that's the right approach.
Comment on attachment 374793 [details] [review]
for 1.8 branch

>+ // avoid not exported js_SetSlotThreadSafe
>+ (funobj)->slots[JSSLOT_PARENT] = OBJECT_TO_JSVAL(obj);

I think you want JS_SetParent(cx, funobj, obj) here.
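Review bot: the direct store `(funobj)->slots[JSSLOT_PARENT] = OBJECT_TO_JSVAL(obj);` sidesteps the slot-setting path the comment says it is avoiding (js_SetSlotThreadSafe), so it also drops whatever synchronization that path provides and ties the backport to the object's internal slot layout. The exported JS_SetParent(cx, funobj, obj) sets the same parent through the public API; use it and drop the comment.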
Created attachment 378031 [details] [review]
for 1.8 branch (attempt 2)

with ::JS_SetParent (see comment 13)
Comment on attachment 378031 [details] [review]
for 1.8 branch (attempt 2)

>+ // avoid not exported js_SetSlotThreadSafe
>+ JS_SetParent (cx, funobj, obj);

I don't think the code comment is necessary, and get rid of the space before the paren (not that it matters, it's your branch!).
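Review bot: the comment `// avoid not exported js_SetSlotThreadSafe` now describes a workaround the line below no longer uses, so it will mislead anyone reading this later; JS_SetParent is the public API and needs no justification. Remove the comment and write the call as `JS_SetParent(cx, funobj, obj);` without the space before the paren.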
Comment on attachment 378031 [details] [review]
for 1.8 branch (attempt 2)

Approved for 1.8.1.22, a=dveditz for release-drivers
new revision: 1.31.2.25; previous revision: 1.31.2.24
Verified for 1.8.1 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.22pre) Gecko/20090602 SeaMonkey/1.1.17pre using testcases.