Talk:XPCNativeWrapper: Difference between revisions

From MozillaZine Knowledge Base
No edit summary
mNo edit summary
Line 6: Line 6:


[[User:Asqueella|asqueella]] 04:13, 22 Mar 2005 (PST)
[[User:Asqueella|asqueella]] 04:13, 22 Mar 2005 (PST)
----
----
 
There are two bugs related to this attack on [http://www.squarefree.com/securitytips/mozilla-developers.html Jesse Ruderman's Security Page]:
There are (at least) two bugs related to this attack on [http://www.squarefree.com/securitytips/mozilla-developers.html Jesse Ruderman's Security Page]:


[http://bugzilla.mozilla.org/show_bug.cgi?id=249332 security hole in markLinkVisited (exploit with link.href setter = eval)]
[http://bugzilla.mozilla.org/show_bug.cgi?id=249332 security hole in markLinkVisited (exploit with link.href setter = eval)]


[http://bugzilla.mozilla.org/show_bug.cgi?id=249332 Bypassing CheckLoadURI using custom getters and changing toString returns]
[http://bugzilla.mozilla.org/show_bug.cgi?id=249332 Bypassing CheckLoadURI using custom getters and changing toString returns]
[[User:Em_te]]
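
Review bot: the two bug links in this hunk both point to show_bug.cgi?id=249332 although their titles differ ("security hole in markLinkVisited ..." and "Bypassing CheckLoadURI ..."), so one of them most likely carries the wrong bug id; check the second link against the list on Jesse Ruderman's page and correct its id. The added signature [[User:Em_te]] also has no timestamp, unlike the asqueella signature above it; signing with four tildes would add one.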

Revision as of 17:21, 22 March 2005

You scared me with the "Attack Scenarios" paragraph, because *a lot* of extensions access _content.document's properties without this wrapper. However, when I tried to access Components.classes in a document.title setter and accessed that from Extension Developer's Extension's JS Shell (chrome privileges), it (fortunately) failed with a permission denied error.

I see, however, that code in Firefox uses XPCNativeWrapper when accessing the page's document.

Can someone explain it to me / give a working attack page, because if we should really use XPCNativeWrapper, then almost everybody using extensions is vulnerable.

asqueella 04:13, 22 Mar 2005 (PST)


There are two bugs related to this attack on Jesse Ruderman's Security Page:

security hole in markLinkVisited (exploit with link.href setter = eval)

Bypassing CheckLoadURI using custom getters and changing toString returns