[Webkit-unassigned] [Bug 13570] New: potential security breach

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 2 13:12:48 PDT 2007 

http://bugs.webkit.org/show_bug.cgi?id=13570

           Summary: potential security breach
           Product: WebKit
           Version: 522+ (nightly)
          Platform: Macintosh
        OS/Version: Mac OS X 10.4
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore JavaScript
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: ian.eng.webkit at gmail.com


Here is a code snippet from Window::isSafeScript(const ScriptInterpreter*,
const ScriptInterpreter*) in kjs_window.cpp:

    WebCore::String targetDomain = targetDocument->domain();

    // Always allow local pages to execute any JS.
    if (targetDomain.isNull())
        return true;

    WebCore::String originDomain = originDocument->domain();

    // if this document is being initially loaded as empty by its parent
    // or opener, allow access from any document in the same domain as
    // the parent or opener.
    if (shouldLoadAsEmptyDocument(targetFrame->loader()->url())) {
        Frame* ancestorFrame = targetFrame->loader()->opener() ?
targetFrame->loader()->opener() : targetFrame->tree()->parent();
        while (ancestorFrame &&
shouldLoadAsEmptyDocument(ancestorFrame->loader()->url()))
            ancestorFrame = ancestorFrame->tree()->parent();
        if (ancestorFrame)
            originDomain = ancestorFrame->document()->domain();
    }

    if ( targetDomain == originDomain )
        return true;

    ......
    return false;

Let's imagine that A is a window displaying www.evil.com, and B is a window
displaying www.bank.com. JavaScript code in B opens a new window C of
www.bank.com. A plugin in A tries to access DOM objects in C. It has to go
through NS_jsObject::_isSafeScript, which  eventually invokes
Window.isSafeScript(A, C). Window::isSafeScript sets 'originDomain' to A's
domain "www.evil.com", and sets "targetDomain" to C's domain "www.bank.com".
Then it finds C has an opener B, and it updates "originDomain" to B's domain
"www.bank.com". Finally it compares "targetDomain" and "originDomain", and
returns true. This will let A access C's DOM object.

        if (ancestorFrame)
            originDomain = ancestorFrame->document()->domain();
looks like a typo, it should update "targetDomain" instead of "originDomain" to
ancester's domain.

I cannot create a test case because I know nothing about scripting plugins.
Someone please verify it.


-- 
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list