oss-sec mailing list archives
Re: with firefox on X11, any page can pastejack you anytime
From: Turistu <turistu () gmail com>
Date: Thu, 26 Oct 2023 23:11:32 +0300
On Tue, Oct 17, 2023 at 03:17:36AM +0300, turistu wrote:
### Firefox Patch ``` diff -r 9b362770f30b layout/generic/nsFrameSelection.cpp --- a/layout/generic/nsFrameSelection.cpp Fri Oct 06 12:03:17 2023 +0000 +++ b/layout/generic/nsFrameSelection.cpp Sun Oct 08 11:04:41 2023 +0300 @@ -3345,6 +3345,10 @@ return; // Don't care if we are still dragging. } + if (aReason & nsISelectionListener::JS_REASON) { + return; + } + if (!aDocument || aSelection.IsCollapsed()) { #ifdef DEBUG_CLIPBOARD fprintf(stderr, "CLIPBOARD: no selection/collapsed selection\n"); ``` The idea of this patch was to *always* prevent javascript from indirectly messing with the primary selection via the Selection API. However, it turned out that the `JS_REASON` flag was not reliable; if javascript calls some function like `addRange()` or `selectAllChildren()` while the user has started dragging but hasn't released the mouse button yet, that code will be called *without* that flag but with the text set by javascript, not the text selected by the user. However, I think that this patch is still enough
They have recently added a (functionally identical) patch to mozilla-central: https://hg.mozilla.org/mozilla-central/rev/88e0043c5aa4234dada941ac2fd0ded875210508 So the most egregious issue should be fixed in their "nighly" pre-release version of firefox soon. I have updated my write-up with that and more info at: https://github.com/turistu/odds-n-ends/blob/main/firefox/pastejack.md
Current thread:
- Re: with firefox on X11, any page can pastejack you anytime, (continued)
- Re: with firefox on X11, any page can pastejack you anytime David Leadbeater (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime nightmare . yeah27 (Oct 20)
- Re: Re: with firefox on X11, any page can pastejack you anytime Steffen Nurpmeso (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime niekt0 (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime Jeffrey Walton (Oct 19)
- Re: with firefox on X11, any page can pastejack you anytime Solar Designer (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime Turistu (Oct 20)
- Re: with firefox on X11, any page can pastejack you anytime Martin Hecht (Oct 24)