Closed Bug 16307 Opened 25 years ago Closed 22 years ago

Name sets added with AddExternalNameSet visible to web scripts

Categories

(Core :: Security, defect, P4)

All
Windows NT
defect


RESOLVED DUPLICATE of bug 7262

People

(Reporter: norrisboyd, Assigned: security-bugs)

Details

(Whiteboard: [rtm-])

Calls to nsScriptNameSetRegistry::AddExternalNameSet expose native components to JavaScript. This introduces security holes because at least some of these native services expose powerful operations to web JavaScript. Here is the current list of calls to AddExternalNameSet in mozilla:

/silentdl/nsSilentDownload.cpp, line 338 -- registry->AddExternalNameSet(nameSet); (dougt)
/xpinstall/src/nsSoftwareUpdate.cpp, line 419 -- scriptNameSet->AddExternalNameSet(this); (dougt)
/layout/build/nsLayoutModule.cpp, line 223 -- gRegistry->AddExternalNameSet(nameSet); (kipp)
/xpfe/AppCores/src/nsAppCoresManager.cpp, line 196 -- registry->AddExternalNameSet(nameSet); (rods)
/xpfe/appshell/src/nsAppShellService.cpp, line 195 -- registry->AddExternalNameSet(nameSet); (rpotts)
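As an added illustration (not Mozilla's nsScriptNameSetRegistry code, and not the reporter's), the following JavaScript models the concern in the description: a registry whose AddExternalNameSet makes every registered native name resolvable by any script, next to a variant whose resolution is gated on the caller's principal and on a per-set pref of the kind the thread later says can turn InstallTrigger off. The name-set contents, the webSafe flag and the pref name are constructed for the example.

```javascript
// Constructed sample name sets standing in for the native components listed in the bug.
const NAME_SETS = [
  { names: ["InstallVersion", "InstallTrigger"], webSafe: true,  pref: "xpinstall.enabled" },
  { names: ["SilentDownload"],                    webSafe: false, pref: null },
  { names: ["AppCoresManager"],                   webSafe: false, pref: null },
];

// Reported design: AddExternalNameSet adds every name to one global table,
// and name lookup never asks who is resolving it, so web content sees everything.
class OpenNameSetRegistry {
  constructor() { this.table = new Map(); }
  AddExternalNameSet(set) { for (const n of set.names) this.table.set(n, set); }
  resolve(name /* caller is ignored */) { return this.table.has(name); }
}

// Hardened variant: same registration API, but resolution consults the caller's
// principal and the set's kill-switch pref before exposing a native object.
class GatedNameSetRegistry extends OpenNameSetRegistry {
  constructor(prefs) { super(); this.prefs = prefs; }
  resolve(name, caller) {
    const set = this.table.get(name);
    if (!set) return false;
    if (caller.principal === "system") return true;            // chrome code: unrestricted
    if (!set.webSafe) return false;                            // never exposed to web content
    return set.pref === null || this.prefs[set.pref] === true; // honour the pref if one exists
  }
}

// Names a given caller can reach through a registry, for comparing the two designs.
function reachable(registry, caller) {
  return NAME_SETS.flatMap(s => s.names).filter(n => registry.resolve(n, caller));
}

// Builds both registries with every sample name set registered.
function buildRegistries(prefs) {
  const open = new OpenNameSetRegistry();
  const gated = new GatedNameSetRegistry(prefs);
  for (const s of NAME_SETS) { open.AddExternalNameSet(s); gated.AddExternalNameSet(s); }
  return { open, gated };
}
```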
The occurrence you have attributed to me is actually vidur's, so I'm removing myself from the list.
nsSilentDownload is not being used anymore. Maybe in 5.1, and by that time, we may do it a bit different. nsSoftwareUpdate exposes two objects into the web javascript. The first is InstallVersion, and the second is InstallTrigger. Both are needed for XPInstall (aka SmartUpdate). A review of the security of these exposed APIs may be needed. Norris, should you be the person to do this?
doug, Thanks for the clarification. Yes, I'd be the one to review the exposed APIs. I've opened 16329 for the security review for these two objects.
Status: NEW → ASSIGNED
Target Milestone: M13
Summary: Name sets added with AddExternalNameSet visible to web scripts → [Feature] Name sets added with AddExternalNameSet visible to web scripts
Target Milestone: M13 → M14
Target Milestone: M14 → M15
Not required for beta.
Push security review tasks off until M16.
Target Milestone: M15 → M16
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
Summary: [Feature] Name sets added with AddExternalNameSet visible to web scripts → Name sets added with AddExternalNameSet visible to web scripts
Target Milestone: M16 → M18
Changing Qa contact to myself.
QA Contact: dshea → junruh
removing self from cc list
Bulk reassigning most of norris's bugs to mstoltz.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
Security reviews and denial-of-service attacks. These will be addressed in the post-beta2 timeframe (unless someone's interested in tackling them earlier?)
Status: NEW → ASSIGNED
Assigning QA to czhang
QA Contact: junruh → czhang
nsbeta3/p4
Keywords: nsbeta3
Priority: P3 → P4
We saw this rated as P4. Is this a denial of service attack? If so, we need to minus it for PR3/RTM. Otherwise, we need better description. Thanks, Jim
It's not an attack, but a necessary security review. There's only a handful of call sites which need to be reviewed.
It could be a lot worse than a DOS -- any of those objects might be exploitable in nasty ways. InstallTrigger is a potential privacy problem, for example, though equivalent functionality existed in 4.x and it can be turned off.
Blocks: 26603
Marking security reviews as rtm.
Keywords: rtm
Removing nsbeta3 to make queries clearer.
Keywords: nsbeta3
You're not supposed to be removing milestone keyword "nominations" as the fact of nomination carries information. Instead you should have lobbied the relevant managers/pdt members to mark it [nsbeta3-]
vidur, rpotts, and rods never commented on their uses of this. dougt's appear to be benign since there's a pref to turn them off. Do we have a story on the rest?
Whiteboard: [need info]
QA Contact: czhang → junruh
PDT marking [rtm-] because there isn't a real bug described here -- only a potential bug. Clayton to follow up with mitch in case there's an actual exploit here.
Whiteboard: [need info] → [rtm-]
Mass changing QA to ckritzer.
QA Contact: junruh → ckritzer
Milestone 0.8 has been released. We should either resolve this bug or update its milestone.
Target Milestone: M18 → ---
Mass adding mozilla0.9 keyword (mass changing milestone doesn't seem to work).
Keywords: mozilla0.9
Mass changing milestone to Moz1.0 - stuff targeted for late spring/early summer.
Target Milestone: --- → mozilla1.0
Bugs targeted at mozilla1.0 without the mozilla1.0 keyword moved to mozilla1.0.1 (you can query for this string to delete spam or retrieve the list of bugs I've moved)
Target Milestone: mozilla1.0 → mozilla1.0.1
don't move bugs that are in the 1.0 dependency tree. sorry.
Target Milestone: mozilla1.0.1 → mozilla1.0
Moving Netscape owned 0.9.9 and 1.0 bugs that don't have an nsbeta1, nsbeta1+, topembed, topembed+, Mozilla0.9.9+ or Mozilla1.0+ keyword. Please send any questions or feedback about this to adt@netscape.com. You can search for "Moving bugs not scheduled for a project" to quickly delete this bugmail.
Target Milestone: mozilla1.0 → mozilla1.2
Target Milestone: mozilla1.2alpha → mozilla1.2beta
Clearing milestone for now.
Target Milestone: mozilla1.2beta → ---
*** This bug has been marked as a duplicate of 7262 ***
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE