Yavor Doganov
yavor****@gnu*****
Sun Nov 15 19:03:04 JST 2009
Greetings, The following security bug was reported to Debian against the kazehakase package: CVE-2007-1084[0]: | Mozilla Firefox 2.0.0.1 and earlier does not prompt users before | saving bookmarklets, which allows remote attackers to bypass the | same-domain policy by tricking a user into saving a bookmarklet with a | data: scheme, which is executed in the context of the last visited web | page. [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1084 More information and a reproducible test case are available at http://lcamtuf.coredump.cx/ffbook/. I propose the attached patch. -------------- next part -------------- 2009-11-15 Yavor Doganov <yavor****@gnu*****> * src/actions/kz-actions.c (act_add_bookmark): Disallow adding bookmarks with data:/javascript: URIs (CVE-2007-1084). --- kazehakase-0.5.8~/src/actions/kz-actions.c +++ kazehakase-0.5.8/src/actions/kz-actions.c @@ -1010,6 +1010,23 @@ if (!uri) return; + /* Refuse to add a bookmark if the URI is data:/javascript: + (CVE-2007-1084). */ + if (g_str_has_prefix(uri, "data:") + || g_str_has_prefix(uri, "javascript:")) + { + GtkWidget *dialog; + + dialog = gtk_message_dialog_new(NULL, + GTK_DIALOG_DESTROY_WITH_PARENT, + GTK_MESSAGE_WARNING, + GTK_BUTTONS_CLOSE, + _("Adding this bookmark is disallowed for security reasons.")); + gtk_dialog_run(GTK_DIALOG(dialog)); + gtk_widget_destroy(dialog); + return; + } + bookmark = kz_bookmark_new_with_attrs(title, uri, desc); /* FIXME! show dialog */ if (sibling)
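Review bot: The scheme test in the added `if` is case-sensitive, but URI schemes are case-insensitive, so a URI written as `JavaScript:` or `DATA:` is not matched by `g_str_has_prefix(uri, "data:") || g_str_has_prefix(uri, "javascript:")` and still reaches `kz_bookmark_new_with_attrs()`. Use a case-insensitive comparison such as `g_ascii_strncasecmp()` for both prefixes, and skip any leading whitespace in `uri` first, since a URL parser may ignore it before reading the scheme. Two smaller points in the same block: `gtk_message_dialog_new(NULL, GTK_DIALOG_DESTROY_WITH_PARENT, ...)` passes no parent, so that flag has no effect and the warning is not tied to the browser window; pass the window if the action has access to it. The translated message is also passed as the printf-style format argument; passing `"%s"` as the format and the `_()` string as its argument keeps a stray `%` in a translation from being interpreted.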