onApi* message handlers have no privilege checking #2777

Closed
Sxderp opened this Issue Dec 21, 2017 · 1 comment

Sxderp commented Dec 21, 2017

If you just copy the code that is normally injected when asking for a @grant into the userscript, you can perform the action (send a message to the background) without a problem. Fixed by adding a permission check (against script uuid) for onApi* messages in on-message.js, or for the case of notification (which uses a port) in the port handler.

Ex:

```js
// ==UserScript==
// @name     Testing APIs
// @version  1
// ==/UserScript==

function GM_notification(text, title, image, onclick) {
  let opt;

  if (typeof text == 'object') {
    opt = text;
    if (typeof title == 'function') opt.ondone = title;
  } else {
    opt = { title, text, image, onclick };
  }

  if (typeof opt.text != 'string') {
    throw new Error('GM.notification: "text" must be a string');
  }

  if (typeof opt.title != 'string') opt.title = 'Greasemonkey';
  if (typeof opt.image != 'string') opt.image = 'skin/icon32.png';

  let port = chrome.runtime.connect({name: 'UserScriptNotification'});
  port.onMessage.addListener(msg => {
    const msgType = msg.type;
    if (typeof opt[msgType] == 'function') opt[msgType]();
  });
  port.postMessage({
    name: 'create',
    details: {
      title: opt.title,
      text: opt.text,
      image: opt.image
    }
  });
}

GM_notification('Hello', 'Popsicle', null, function() {
  console.log('clicked');
});
```

@Sxderp Sxderp changed the title from onApi* message handlers have no priviledge checking to onApi* message handlers have no privilege checking Dec 21, 2017

@arantius arantius added this to the 4.2 milestone Dec 22, 2017

@arantius arantius closed this in 8b5b650 Jan 9, 2018

arantius commented Jan 9, 2018

The above fix is packaged in version 4.2beta2:
https://addons.mozilla.org/firefox/downloads/file/833159/greasemonkey-4.2beta2-an+fx.xpi?src=devhub

Testing is always appreciated!
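
The kind of check the issue describes, written as an added example (not Greasemonkey's own code, and not the change in 8b5b650): the background looks up the sending script by uuid and refuses any API message whose grant that script did not declare. The `Api*` message names, the `uuid` field on messages, the registry and its uuids are assumptions made for illustration.

```javascript
// Added example. All names here are hypothetical, not Greasemonkey's code.

// Grant each privileged message (or port name) requires. Unlisted = denied.
const REQUIRED_GRANT = new Map([
  ['ApiSetValue', 'GM.setValue'],
  ['ApiGetValue', 'GM.getValue'],
  ['UserScriptNotification', 'GM.notification'],
]);

// Constructed registry: what the background knows about installed scripts.
const installedScripts = new Map([
  ['uuid-granted', { name: 'Has grants', grants: ['GM.notification', 'GM.getValue'] }],
  ['uuid-nogrant', { name: 'Testing APIs', grants: [] }],
]);

// Decide from background-side state only; nothing the sender claims about
// its own privileges is consulted, just the uuid used as a lookup key.
function checkApiPermission(messageName, uuid, scripts = installedScripts) {
  const needed = REQUIRED_GRANT.get(messageName);
  if (!needed) return { ok: false, reason: 'unknown-message' };
  const script = typeof uuid === 'string' ? scripts.get(uuid) : undefined;
  if (!script) return { ok: false, reason: 'unknown-script' };
  if (!script.grants.includes(needed)) return { ok: false, reason: 'missing-grant' };
  return { ok: true, reason: null };
}

// One-shot messages: the handler runs only after the check passes.
function dispatch(message, handlers) {
  const verdict = checkApiPermission(message.name, message.uuid);
  if (!verdict.ok) return { error: verdict.reason };
  const handler = handlers.get(message.name);
  if (!handler) return { error: 'no-handler' };
  return { result: handler(message) };
}

// Port-based APIs: the required grant is keyed on the port name.
function onPortMessage(portName, msg) {
  return checkApiPermission(portName, msg && msg.uuid);
}

// Message shape posted by the script in the issue: it carries no uuid.
const pocMessage = {
  name: 'create',
  details: { title: 'Popsicle', text: 'Hello', image: 'skin/icon32.png' },
};
```

With this check in place, `onPortMessage('UserScriptNotification', pocMessage)` is refused as `unknown-script`, and the same message tagged with the uuid of a script that has no grants is refused as `missing-grant`.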
