Bugzilla@Mozilla – Bug 444073
Script evaluated by Components.utils.evalInSandbox() can pollute implicit XPCNativeWrapper
Last modified: 2009-01-27 17:27:41 PST
This is basically the same bug as bug 441087. When a script is evaluated by Components.utils.evalInSandbox(), the script inherits the caller's filename. Thus, the script can access and modify implicit XPCNativeWrappers. In bug 441087's case, |event| is an implicit XPCNativeWrapper, and eval'ed script cannot access properties of the implicit XPCNativeWrapper due to the fix for bug 419848. Note: Greasemonkey user scripts need to access web pages via (explicit) XPCNativeWrapper. Otherwise scripts in web pages can abuse GM_* API functions.
Created attachment 328459 [details] testcase - Greasemonkey user script
Steps to reproduce:
1. Install Greasemonkey and this user script.
2. Load an html page.
3. Right click on the document.
An alert will appear.
Er, woops, didn't mean to request blocking.
If it blocks 1.8.1.17, it should block 1.9.0.2. Blake, how's a patch looking for tomorrow? ...
This was fixed on the trunk and branches by bug 441087.
This bug is not fixed on fx-2.0.0.17pre-2008-08-26-03. See also bug 441087 comment #29.
Fix for 441087 was checked in.
Verified this as fixed in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/2008082909 Firefox/2.0.0.17 and that the bug repros in 2.0.0.16.
I've verified this for 1.9.0.2 with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.2) Gecko/2008090212 Firefox/3.0.2.