Security: Universal XSS converting IDL array/sequence values
Issue description

VULNERABILITY DETAILS

This is an issue similar to 605910, found as a follow-up to fixing that. In some cases, when a C++ array of objects is converted by toV8() with a window proxy object as the "creation context", a malicious script can override the actual creation context used, and gain access to other origins. The underlying issue exists in M50, but I have not been able to get the exploit working. It's not unlikely that the issue can be exploited in M50 as well.

VERSION

Chrome Version: 51.0.2704.22 beta
Operating System: all
Apr 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/eb335fd1006cef3299221ebd14a8795679660e32

commit eb335fd1006cef3299221ebd14a8795679660e32
Author: jl <jl@opera.com>
Date: Thu Apr 28 17:04:58 2016

Use correct creation context when converting sequences to V8

The |creationContext| argument is often a reference to a window proxy object, which may become incorrect to use if the frame is navigated and/or detached during the loop that converts values.

BUG=607483
Review-Url: https://codereview.chromium.org/1924073003
Cr-Commit-Position: refs/heads/master@{#390408}

[modify] https://crrev.com/eb335fd1006cef3299221ebd14a8795679660e32/third_party/WebKit/Source/bindings/core/v8/ToV8.h
Apr 28 2016

Apr 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/650cd4ace843e976e28fa87fa40bd9c017d39f63

commit 650cd4ace843e976e28fa87fa40bd9c017d39f63
Author: jl <jl@opera.com>
Date: Fri Apr 29 10:08:27 2016

Use [[DefineOwnProperty]] when converting IDL array values

This means using v8::Object::CreateDataProperty() rather than Set(), and is in line with how the conversion is defined in WebIDL. The incorrect use of Set() is observable by scripts that define setters on Array.prototype for the properties "0", "1", "2" and so on.

Also apply the same fix to conversion of Vector<std::pair<>> into object.

BUG=607483
Review-Url: https://codereview.chromium.org/1936433002
Cr-Commit-Position: refs/heads/master@{#390610}

[add] https://crrev.com/650cd4ace843e976e28fa87fa40bd9c017d39f63/third_party/WebKit/LayoutTests/fast/js/webidl-sequence-conversion.html
[modify] https://crrev.com/650cd4ace843e976e28fa87fa40bd9c017d39f63/third_party/WebKit/Source/bindings/core/v8/ToV8.h
May 3 2016

May 3 2016
Adding Merge-Triage label for tracking purposes. Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label. When your merge is approved by the release manager, please start merging with the higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
May 9 2016

May 9 2016
Your change meets the bar and is auto-approved for M51 (branch: 2704).
May 10 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/29352c3d107adf7fadecf6c5073fa492f1ece220

commit 29352c3d107adf7fadecf6c5073fa492f1ece220
Author: Jens Widell <jl@opera.com>
Date: Tue May 10 11:07:26 2016

Use correct creation context when converting sequences to V8

The |creationContext| argument is often a reference to a window proxy object, which may become incorrect to use if the frame is navigated and/or detached during the loop that converts values.

BUG=607483
Review-Url: https://codereview.chromium.org/1924073003
Cr-Commit-Position: refs/heads/master@{#390408}
(cherry picked from commit eb335fd1006cef3299221ebd14a8795679660e32)

Review URL: https://codereview.chromium.org/1965613003
Cr-Commit-Position: refs/branch-heads/2704@{#466}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/29352c3d107adf7fadecf6c5073fa492f1ece220/third_party/WebKit/Source/bindings/core/v8/ToV8.h
May 10 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/010f3edb08426c16a4374dd13e25ff3538fb43dc

commit 010f3edb08426c16a4374dd13e25ff3538fb43dc
Author: Jens Widell <jl@opera.com>
Date: Tue May 10 11:11:53 2016

Use [[DefineOwnProperty]] when converting IDL array values

This means using v8::Object::CreateDataProperty() rather than Set(), and is in line with how the conversion is defined in WebIDL. The incorrect use of Set() is observable by scripts that define setters on Array.prototype for the properties "0", "1", "2" and so on.

Also apply the same fix to conversion of Vector<std::pair<>> into object.

BUG=607483
Review-Url: https://codereview.chromium.org/1936433002
Cr-Commit-Position: refs/heads/master@{#390610}
(cherry picked from commit 650cd4ace843e976e28fa87fa40bd9c017d39f63)

Review URL: https://codereview.chromium.org/1961343003
Cr-Commit-Position: refs/branch-heads/2704@{#467}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[add] https://crrev.com/010f3edb08426c16a4374dd13e25ff3538fb43dc/third_party/WebKit/LayoutTests/fast/js/webidl-sequence-conversion.html
[modify] https://crrev.com/010f3edb08426c16a4374dd13e25ff3538fb43dc/third_party/WebKit/Source/bindings/core/v8/ToV8.h
May 24 2016

Jul 14 2016

Aug 9 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot