[Webkit-unassigned] [Bug 13570] New: potential security breach
bugzilla-daemon at webkit.org
Wed May 2 13:12:48 PDT 2007
http://bugs.webkit.org/show_bug.cgi?id=13570
Summary: potential security breach
Product: WebKit
Version: 522+ (nightly)
Platform: Macintosh
OS/Version: Mac OS X 10.4
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore JavaScript
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: ian.eng.webkit at gmail.com
Here is a code snippet from Window::isSafeScript(const ScriptInterpreter*, const ScriptInterpreter*) in kjs_window.cpp:

    WebCore::String targetDomain = targetDocument->domain();
    // Always allow local pages to execute any JS.
    if (targetDomain.isNull())
        return true;
    WebCore::String originDomain = originDocument->domain();
    // if this document is being initially loaded as empty by its parent
    // or opener, allow access from any document in the same domain as
    // the parent or opener.
    if (shouldLoadAsEmptyDocument(targetFrame->loader()->url())) {
        Frame* ancestorFrame = targetFrame->loader()->opener() ?
            targetFrame->loader()->opener() : targetFrame->tree()->parent();
        while (ancestorFrame &&
               shouldLoadAsEmptyDocument(ancestorFrame->loader()->url()))
            ancestorFrame = ancestorFrame->tree()->parent();
        if (ancestorFrame)
            originDomain = ancestorFrame->document()->domain();
    }
    if ( targetDomain == originDomain )
        return true;
    ......
    return false;
Let's imagine that A is a window displaying www.evil.com, and B is a window
displaying www.bank.com. JavaScript code in B opens a new window C of
www.bank.com. A plugin in A tries to access DOM objects in C. It has to go
through NS_jsObject::_isSafeScript, which eventually invokes
Window.isSafeScript(A, C). Window::isSafeScript sets 'originDomain' to A's
domain "www.evil.com", and sets "targetDomain" to C's domain "www.bank.com".
Then it finds C has an opener B, and it updates "originDomain" to B's domain
"www.bank.com". Finally it compares "targetDomain" and "originDomain", and
returns true. This will let A access C's DOM object.
    if (ancestorFrame)
        originDomain = ancestorFrame->document()->domain();

looks like a typo; it should update "targetDomain" instead of "originDomain" to the ancestor's domain.
I cannot create a test case because I know nothing about scripting plugins.
Someone please verify it.
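To make the walkthrough above concrete, here is an added example (not WebKit code and not from the reporter) that models the frame state the quoted function consults and runs the report's scenario through both the comparison as shipped and the proposed correction. Frame, makeFrame, Scenario and the three scenario functions are constructed for this example; that popup C's domain is inherited from its opener is an assumption taken from the walkthrough, and the checks elided by "......" in the snippet are omitted, so this model only implements the domain comparison.

```cpp
#include <iostream>
#include <string>

// Constructed model of the frame/document state that Window::isSafeScript consults.
struct Frame {
    std::string url;     // loader()->url(); "" stands for a not-yet-loaded (empty) document
    std::string domain;  // document()->domain(); "" stands for a null domain (local page)
    Frame* opener;       // loader()->opener()
    Frame* parent;       // tree()->parent()
};

static Frame makeFrame(const std::string& url, const std::string& domain,
                       Frame* opener, Frame* parent) {
    Frame f;
    f.url = url;
    f.domain = domain;
    f.opener = opener;
    f.parent = parent;
    return f;
}

// Stand-in for WebCore's shouldLoadAsEmptyDocument(): true for a window that
// has not navigated anywhere yet (the state a fresh window.open() popup is in).
static bool shouldLoadAsEmptyDocument(const std::string& url) {
    return url.empty() || url == "about:blank";
}

// Same control flow as the snippet in the report. `fixed` selects which
// variable the ancestor's domain overwrites: originDomain (as shipped) or
// targetDomain (the correction the report proposes).
bool isSafeScript(const Frame* origin, const Frame* target, bool fixed) {
    std::string targetDomain = target->domain;
    // Always allow local pages to execute any JS.
    if (targetDomain.empty())
        return true;
    std::string originDomain = origin->domain;
    // An empty document is treated as belonging to whichever non-empty
    // opener/parent it was created from.
    if (shouldLoadAsEmptyDocument(target->url)) {
        const Frame* ancestor = target->opener ? target->opener : target->parent;
        while (ancestor && shouldLoadAsEmptyDocument(ancestor->url))
            ancestor = ancestor->parent;
        if (ancestor) {
            if (fixed)
                targetDomain = ancestor->domain;  // the target inherits its ancestor's domain
            else
                originDomain = ancestor->domain;  // bug: the caller's domain is replaced
        }
    }
    // The remaining checks of the real function are elided in the report;
    // this model only implements the domain comparison.
    return targetDomain == originDomain;
}

// The report's scenario: A shows www.evil.com, B shows www.bank.com, and B has
// opened popup C. C's domain is assumed to be inherited from its opener.
// `popupUrl` is "" for a popup that has not loaded yet, or a real URL for one
// that already navigated.
struct Scenario {
    Frame a, b, c;
    explicit Scenario(const std::string& popupUrl) {
        a = makeFrame("http://www.evil.com/", "www.evil.com", NULL, NULL);
        b = makeFrame("http://www.bank.com/", "www.bank.com", NULL, NULL);
        c = makeFrame(popupUrl, "www.bank.com", &b, NULL);
    }
};

// A plugin in A reaching into the still-empty popup C (the reported case).
bool evilPluginCanReachBankPopup(bool fixed) {
    Scenario s("");
    return isSafeScript(&s.a, &s.c, fixed);
}

// B reaching into its own popup: the case the opener branch exists to allow.
bool bankCanReachItsOwnPopup(bool fixed) {
    Scenario s("");
    return isSafeScript(&s.b, &s.c, fixed);
}

// Once C has navigated, the empty-document branch is skipped entirely.
bool evilPluginCanReachLoadedBankPage(bool fixed) {
    Scenario s("http://www.bank.com/account");
    return isSafeScript(&s.a, &s.c, fixed);
}

int main() {
    std::cout << std::boolalpha
              << "evil -> fresh bank popup, as shipped: " << evilPluginCanReachBankPopup(false) << "\n"
              << "evil -> fresh bank popup, corrected:  " << evilPluginCanReachBankPopup(true) << "\n"
              << "bank -> its own popup, corrected:     " << bankCanReachItsOwnPopup(true) << "\n"
              << "evil -> loaded bank page, as shipped: " << evilPluginCanReachLoadedBankPage(false) << "\n";
    return 0;
}
```

With the shipped ordering the evil.com caller is granted access to the bank.com popup because its own domain is discarded before the comparison; swapping the assignment to targetDomain denies that access while still letting the opener reach its popup.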