Message-ID: <841313aeae2c595e9ed3cf2f7197a7c3.939be4cb@humanizers.horsehide>
Date: Thu, 26 Oct 2023 23:11:32 +0300
From: Turistu <turistu@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: with firefox on X11, any page can pastejack you anytime

On Tue, Oct 17, 2023 at 03:17:36AM +0300, turistu wrote:
> ### Firefox Patch
> ```
> diff -r 9b362770f30b layout/generic/nsFrameSelection.cpp
> --- a/layout/generic/nsFrameSelection.cpp Fri Oct 06 12:03:17 2023 +0000
> +++ b/layout/generic/nsFrameSelection.cpp Sun Oct 08 11:04:41 2023 +0300
> @@ -3345,6 +3345,10 @@
> return; // Don't care if we are still dragging.
> }
>
> + if (aReason & nsISelectionListener::JS_REASON) {
> + return;
> + }
> +
> if (!aDocument || aSelection.IsCollapsed()) {
> #ifdef DEBUG_CLIPBOARD
> fprintf(stderr, "CLIPBOARD: no selection/collapsed selection\n");
> ```
>
> The idea of this patch was to *always* prevent javascript from indirectly
> messing with the primary selection via the Selection API. However, it turned
> out that the `JS_REASON` flag was not reliable; if javascript calls some
> function like `addRange()` or `selectAllChildren()` while the user has started
> dragging but hasn't released the mouse button yet, that code will be called
> *without* that flag but with the text set by javascript, not the text
> selected by the user. However, I think that this patch is still enough

They have recently added a (functionally identical) patch to mozilla-central:
https://hg.mozilla.org/mozilla-central/rev/88e0043c5aa4234dada941ac2fd0ded875210508

So the most egregious issue should be fixed in their "nightly" pre-release
version of firefox soon.

I have updated my write-up with that and more info at:
https://github.com/turistu/odds-n-ends/blob/main/firefox/pastejack.md
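Review bot: The new early return on `aReason & nsISelectionListener::JS_REASON`, placed between the "still dragging" return and the `IsCollapsed()` test in the quoted hunk, has no comment saying why script-initiated selection changes must not reach the clipboard code that follows; a one-line comment stating that the intent is to keep the Selection API from setting the primary selection would keep a later refactor from removing it. The check also relies entirely on the flag being set, and the patch description itself says the call arrives without `JS_REASON` when script calls `addRange()` or `selectAllChildren()` after the user has started a drag but before the button is released, so the hunk should either note that gap in the comment or be paired with a check that does not depend on the flag for that path.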