oss-sec mailing list archives

Re: with firefox on X11, any page can pastejack you anytime


From: Turistu <turistu () gmail com>
Date: Thu, 26 Oct 2023 23:11:32 +0300

On Tue, Oct 17, 2023 at 03:17:36AM +0300, turistu wrote:
### Firefox Patch
```
diff -r 9b362770f30b layout/generic/nsFrameSelection.cpp
--- a/layout/generic/nsFrameSelection.cpp     Fri Oct 06 12:03:17 2023 +0000
+++ b/layout/generic/nsFrameSelection.cpp     Sun Oct 08 11:04:41 2023 +0300
@@ -3345,6 +3345,10 @@
     return;  // Don't care if we are still dragging.
   }
 
+  if (aReason & nsISelectionListener::JS_REASON) {
+    return;
+  }
+
   if (!aDocument || aSelection.IsCollapsed()) {
 #ifdef DEBUG_CLIPBOARD
     fprintf(stderr, "CLIPBOARD: no selection/collapsed selection\n");
```
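Review bot: the early return inserted ahead of the `!aDocument || aSelection.IsCollapsed()` check drops the primary-selection update whenever `JS_REASON` is set, but nothing in the hunk records why; add a one-line comment stating the intent (selection changes driven by the Selection API must not reach the primary selection) and, for consistency with the block below, a `DEBUG_CLIPBOARD` trace such as `fprintf(stderr, "CLIPBOARD: selection changed by JS, not updating primary\n");` before the `return`. Note also that, as the reply itself observes, `addRange()`/`selectAllChildren()` calls made while the user is still dragging reach this code without `JS_REASON`, so this flag test alone does not cover that path; the bitwise `&` does at least catch the case where the JS bit is combined with other reason bits.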

The idea of this patch was to *always* prevent javascript from indirectly
messing with the primary selection via the Selection API. However, it turned
out that the `JS_REASON` flag was not reliable; if javascript calls some
function like `addRange()` or `selectAllChildren()` while the user has started
dragging but hasn't released the mouse button yet, that code will be called
*without* that flag but with the text set by javascript, not the text
selected by the user. However, I think that this patch is still enough

They have recently added a (functionally identical) patch to mozilla-central:
https://hg.mozilla.org/mozilla-central/rev/88e0043c5aa4234dada941ac2fd0ded875210508

So the most egregious issue should be fixed in their "nightly" pre-release
version of firefox soon.

I have updated my write-up with that and more info at:
https://github.com/turistu/odds-n-ends/blob/main/firefox/pastejack.md

