Bug 16307 (Closed)
Opened 25 years ago
Closed 22 years ago
Name sets added with AddExternalNameSet visible to web scripts
Categories: Core :: Security, defect, P4
People: Reporter: norrisboyd, Assigned: security-bugs
Whiteboard: [rtm-]
Calls to nsScriptNameSetRegistry::AddExternalNameSet expose native components to
JavaScript. This introduces security holes because at least some of these native
services expose powerful operations to web JavaScript.
Here is the current list of calls to AddExternalNameSet in mozilla:
/silentdl/nsSilentDownload.cpp, line 338 --
registry->AddExternalNameSet(nameSet); (dougt)
/xpinstall/src/nsSoftwareUpdate.cpp, line 419 --
scriptNameSet->AddExternalNameSet(this); (dougt)
/layout/build/nsLayoutModule.cpp, line 223 --
gRegistry->AddExternalNameSet(nameSet); (kipp)
/xpfe/AppCores/src/nsAppCoresManager.cpp, line 196 --
registry->AddExternalNameSet(nameSet); (rods)
/xpfe/appshell/src/nsAppShellService.cpp, line 195 --
registry->AddExternalNameSet(nameSet); (rpotts)
The occurrence you have attributed to me is actually vidur's, so I'm removing
myself from the list.
Comment 2•25 years ago
nsSilentDownload is not being used anymore. Maybe in 5.1, and by that time, we
may do it a bit differently.
nsSoftwareUpdate exposes two objects into the web javascript. The first is
InstallVersion, and the second is InstallTrigger. Both are needed for
XPInstall (aka SmartUpdate).
A review of the security of these exposed APIs may be needed. Norris, should
you be the person to do this?
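The description and comment 2 above boil down to one check a reviewer wants to run: enumerate what a web script can actually reach on its global object and compare it with what a plain page is expected to see, so that anything registered through a name set (InstallTrigger and InstallVersion in comment 2) shows up with the members it exposes. The following is an added example, not code from this bug or from Mozilla; the page global it inspects is a constructed stand-in, the baseline list is deliberately short, and the member names on InstallTrigger/InstallVersion are assumed for illustration.

```javascript
// Added example (not from the bug or from Mozilla's code): audit the names a
// web script can reach on its global object against a baseline of names a
// plain page is expected to see, and report anything extra together with the
// members it exposes. Objects registered via AddExternalNameSet would appear
// here as unexpected globals.

// Constructed baseline; a real one would be generated from a known-clean build.
const BASELINE = new Set([
  "window", "document", "navigator", "location", "setTimeout", "alert",
]);

function describeValue(v) {
  if (typeof v === "function") return "function";
  if (v !== null && typeof v === "object") return "object";
  return typeof v;
}

// Returns [{ name, kind, members }] for every own property of globalObj that is
// not in the baseline, sorted by name. For objects and functions the members
// list shows what operations leak to untrusted script.
function findUnexpectedGlobals(globalObj, baseline = BASELINE) {
  const out = [];
  for (const name of Object.getOwnPropertyNames(globalObj).sort()) {
    if (baseline.has(name)) continue;
    const value = globalObj[name];
    const kind = describeValue(value);
    let members = [];
    if (kind === "object" || kind === "function") {
      members = Object.getOwnPropertyNames(value)
        .filter((m) => !["length", "name", "prototype"].includes(m))
        .sort();
    }
    out.push({ name, kind, members });
  }
  return out;
}

// Constructed page global: the expected DOM names plus two natively registered
// objects. The member names on the two Install* objects are assumptions.
function makeSamplePageGlobal() {
  const g = Object.create(null);
  g.window = g;
  g.document = { title: "sample" };
  g.navigator = { userAgent: "constructed" };
  g.location = { href: "http://example.invalid/" };
  g.setTimeout = () => 0;
  g.alert = () => {};
  g.InstallTrigger = { enabled: () => true, install: () => {} };
  g.InstallVersion = function InstallVersion() {};
  g.InstallVersion.compareTo = () => 0;
  return g;
}

// One line per leaked name, suitable for a build or review log.
function report(globalObj, baseline = BASELINE) {
  return findUnexpectedGlobals(globalObj, baseline).map(
    ({ name, kind, members }) =>
      `${name} (${kind})${members.length ? ": " + members.join(", ") : ""}`
  );
}

// Stand-alone run: prints the two unexpected globals from the sample page.
for (const line of report(makeSamplePageGlobal())) console.log(line);
```

In a real browser the same function is run against `globalThis` from a page served off an untrusted origin; the baseline is taken from a build where none of the listed AddExternalNameSet call sites are compiled in, so the diff is exactly the set of natively registered names that need review.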
Comment 3•25 years ago (Reporter)
doug,
Thanks for the clarification. Yes, I'd be the one to review the exposed APIs.
I've opened 16329 for the security review for these two objects.
Updated•25 years ago (Reporter)
Status: NEW → ASSIGNED
Updated•25 years ago (Reporter)
Target Milestone: M13
Updated•25 years ago (Reporter)
Summary: Name sets added with AddExternalNameSet visible to web scripts → [Feature] Name sets added with AddExternalNameSet visible to web scripts
Target Milestone: M13 → M14
Updated•25 years ago (Reporter)
Target Milestone: M14 → M15
Comment 4•25 years ago (Reporter)
Not required for beta.
Comment 5•25 years ago (Reporter)
Push security review tasks off until M16.
Target Milestone: M15 → M16
Bulk moving all Browser Security bugs to new Security: General component. The
previous Security component for Browser will be deleted.
Component: Security → Security: General
Updated•25 years ago (Reporter)
Summary: [Feature] Name sets added with AddExternalNameSet visible to web scripts → Name sets added with AddExternalNameSet visible to web scripts
Target Milestone: M16 → M18
Comment 8•25 years ago
removing self from cc list
Comment 9•25 years ago (Assignee)
Bulk reassigning most of norris's bugs to mstoltz.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
Comment 10•25 years ago (Assignee)
Security reviews and denial-of-service attacks. These will be addressed in the
post-beta2 timeframe (unless someone's interested in tackling them earlier?)
Status: NEW → ASSIGNED
Comment 13•24 years ago
We saw this rated as P4. Is this a denial of service attack? If so, we need to
minus it for PR3/RTM.
Otherwise, we need better description.
Thanks,
Jim
Comment 14•24 years ago (Assignee)
It's not an attack, but a necessary security review. There's only a handful of
call sites which need to be reviewed.
Comment 15•24 years ago
It could be a lot worse than a DOS -- any of those objects might be exploitable
in nasty ways. InstallTrigger is a potential privacy problem, for
example, though equivalent functionality existed in 4.x and it can be turned
off.
Comment 18•24 years ago
You're not supposed to be removing milestone keyword "nominations" as the fact
of nomination carries information. Instead you should have lobbied the relevant
managers/pdt members to mark it [nsbeta3-]
Comment 19•24 years ago
vidur, rpotts, and rods never commented on their uses of this. dougt's appear
to be benign since there's a pref to turn them off. Do we have a story on the
rest?
Whiteboard: [need info]
Updated•24 years ago
QA Contact: czhang → junruh
Comment 20•24 years ago
PDT marking [rtm-] because there isn't a real bug described here -- only a
potential bug. Clayton to follow up with mitch in case there's an actual exploit
here.
Whiteboard: [need info] → [rtm-]
Comment 22•24 years ago
Milestone 0.8 has been released. We should either resolve this bug or update its
milestone.
Updated•24 years ago
Target Milestone: M18 → ---
Comment 23•24 years ago (Assignee)
Mass adding mozilla0.9 keyword (mass changing milestone doesn't seem to work).
Keywords: mozilla0.9
Comment 24•24 years ago (Assignee)
Mass changing milestone to Moz1.0 - stuff targeted for late spring/early summer.
Target Milestone: --- → mozilla1.0
Comment 25•23 years ago
Bugs targeted at mozilla1.0 without the mozilla1.0 keyword moved to mozilla1.0.1
(you can query for this string to delete spam or retrieve the list of bugs I've
moved)
Target Milestone: mozilla1.0 → mozilla1.0.1
Comment 26•23 years ago
don't move bugs that are in the 1.0 dependency tree. sorry.
Target Milestone: mozilla1.0.1 → mozilla1.0
Comment 27•23 years ago
Moving Netscape owned 0.9.9 and 1.0 bugs that don't have an nsbeta1, nsbeta1+,
topembed, topembed+, Mozilla0.9.9+ or Mozilla1.0+ keyword. Please send any
questions or feedback about this to adt@netscape.com. You can search for
"Moving bugs not scheduled for a project" to quickly delete this bugmail.
Target Milestone: mozilla1.0 → mozilla1.2
Updated•22 years ago (Assignee)
Target Milestone: mozilla1.2alpha → mozilla1.2beta
Comment 28•22 years ago (Assignee)
Clearing milestone for now.
Target Milestone: mozilla1.2beta → ---
Comment 29•22 years ago (Assignee)
*** This bug has been marked as a duplicate of 7262 ***
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE