[Kazehakase-devel 2930] CVE-2007-1084 bookmarklets cross-site info disclosure

Yavor Doganov yavor****@gnu*****
Sun Nov 15 19:03:04 JST 2009


Greetings,

The following security bug was reported to Debian against the
kazehakase package:

CVE-2007-1084[0]:
| Mozilla Firefox 2.0.0.1 and earlier does not prompt users before
| saving bookmarklets, which allows remote attackers to bypass the
| same-domain policy by tricking a user into saving a bookmarklet with a
| data: scheme, which is executed in the context of the last visited web
| page.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1084

More information and a reproducible test case are available at
http://lcamtuf.coredump.cx/ffbook/.

I propose the attached patch.
-------------- next part --------------
2009-11-15  Yavor Doganov  <yavor****@gnu*****>

	* src/actions/kz-actions.c (act_add_bookmark): Disallow adding
	bookmarks with data:/javascript: URIs (CVE-2007-1084).

--- kazehakase-0.5.8~/src/actions/kz-actions.c
+++ kazehakase-0.5.8/src/actions/kz-actions.c
@@ -1010,6 +1010,23 @@
 
 	if (!uri) return;
 
+	/* Refuse to add a bookmark if the URI is data:/javascript:
+	   (CVE-2007-1084).  */
+	if (g_str_has_prefix(uri, "data:")
+	    || g_str_has_prefix(uri, "javascript:"))
+		{
+			GtkWidget *dialog;
+
+			dialog = gtk_message_dialog_new(NULL,
+							GTK_DIALOG_DESTROY_WITH_PARENT,
+							GTK_MESSAGE_WARNING,
+							GTK_BUTTONS_CLOSE,
+							_("Adding this bookmark is disallowed for security reasons."));
+			gtk_dialog_run(GTK_DIALOG(dialog));
+			gtk_widget_destroy(dialog);
+			return;
+		}
+
 	bookmark = kz_bookmark_new_with_attrs(title, uri, desc);
 	/* FIXME! show dialog */
 	if (sibling)
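
Review bot: the scheme test in the two g_str_has_prefix() calls is case-sensitive, while URI schemes are case-insensitive, so a URI written as "JavaScript:" or "DATA:" is not caught by this check and falls through to kz_bookmark_new_with_attrs(). Suggest comparing with g_ascii_strncasecmp(uri, "data:", 5) == 0 and g_ascii_strncasecmp(uri, "javascript:", 11) == 0, and skipping any leading whitespace first if uri can arrive here untrimmed. A smaller point on the dialog: gtk_message_dialog_new() is called with a NULL parent, so GTK_DIALOG_DESTROY_WITH_PARENT has no effect; passing the browser window as parent would keep the warning tied to it. The existing "FIXME! show dialog" comment below is left unchanged and now sits after a path that does show a dialog, so it may be worth rewording to say which dialog is still missing.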


