
List:       oss-security
Subject:    Re: [oss-security] with firefox on X11, any page can pastejack you anytime
From:       Turistu <turistu () gmail ! com>
Date:       2023-10-26 20:11:32
Message-ID: 841313aeae2c595e9ed3cf2f7197a7c3.939be4cb () humanizers ! horsehide

On Tue, Oct 17, 2023 at 03:17:36AM +0300, turistu wrote:
> ### Firefox Patch
> ```
> diff -r 9b362770f30b layout/generic/nsFrameSelection.cpp
> --- a/layout/generic/nsFrameSelection.cpp	Fri Oct 06 12:03:17 2023 +0000
> +++ b/layout/generic/nsFrameSelection.cpp	Sun Oct 08 11:04:41 2023 +0300
> @@ -3345,6 +3345,10 @@
>      return;  // Don't care if we are still dragging.
>    }
>  
> +  if (aReason & nsISelectionListener::JS_REASON) {
> +    return;
> +  }
> +
>    if (!aDocument || aSelection.IsCollapsed()) {
>  #ifdef DEBUG_CLIPBOARD
>      fprintf(stderr, "CLIPBOARD: no selection/collapsed selection\n");
> ```
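
Review bot: the new early return on `aReason & nsISelectionListener::JS_REASON` carries no comment, unlike the `return;  // Don't care if we are still dragging.` just above it, and no `DEBUG_CLIPBOARD` trace like the collapsed-selection branch just below it. Suggest a one-line comment stating that selection changes made by script are deliberately ignored here, plus a matching `fprintf` under `#ifdef DEBUG_CLIPBOARD` so the skipped case shows up when debugging. The comment should also record that the check only works if `JS_REASON` is set on every script-driven change that reaches this point.
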
> 
> The idea of this patch was to *always* prevent javascript from indirectly
> messing with the primary selection via the Selection API. However, it turned
> out that the `JS_REASON` flag was not reliable; if javascript calls some
> function like `addRange()` or `selectAllChildren()` while the user has started
> dragging but hasn't released the mouse button yet, that code will be called
> *without* that flag but with the text set by javascript, not the text
> selected by the user. However, I think that this patch is still enough

They have recently added a (functionally identical) patch to mozilla-central:
https://hg.mozilla.org/mozilla-central/rev/88e0043c5aa4234dada941ac2fd0ded875210508

So the most egregious issue should be fixed in their "nightly" pre-release
version of firefox soon.

I have updated my write-up with that and more info at:
https://github.com/turistu/odds-n-ends/blob/main/firefox/pastejack.md