[Greasemonkey] Alternative script injection technique proof of concept

Aaron Boodman zboogs at gmail.com
Tue Jul 19 06:55:15 EDT 2005


> Well, I must say I'm surprised there was no comment to this, everything
> else I've posted about this security problem seems to have been shot
> down in flames.

I'm sorry, I really appreciated your suggestions. Didn't mean to
flame. I was all over the eval idea until I figured out that
GM_xmlhttpRequest would still be accessible via the callstack. I think
the sandbox approach is best because it lessens the chance of me
screwing up and exposing some other way to access api functions.

> Well, I've gone ahead and tried it out. Changed gm to inject in one of
> three ways on a per script basis. I've gone through the two dozen or so
> scripts I have installed:
> if they didn't use any GM_ commands, I flagged them as neutered,
> if they did, I either deleted them or flagged them as trusted. Actually,
> I only deleted one, but I didn't really use it anyway!!

The thing is, it's not really the script you have to trust. It's the
site, right?

Another change which could be made is to add this tiny bit of code to
GM_xmlhttpRequest:

====

  var ioService = Components.classes["@mozilla.org/network/io-service;1"]
                  .getService(Components.interfaces.nsIIOService);
  var scheme = ioService.extractScheme(details.url);

  // This is important - without it, GM_xmlhttpRequest can be used to get
  // access to things like files and chrome. Careful.
  switch (scheme) {
    case "http":
    case "https":
    case "ftp":
      this.chromeWindow.setTimeout(
        GM_hitch(this, "chromeStartRequest", details), 0);
      break;
    default:
      throw new Error("Invalid url: " + details.url);
  }

====

The thing is, the thing that made this scare really scary was really
unrelated to scoping or evaling or any of that. It was that
GM_xmlhttpRequest can read files. Yikes! The fact that content can get
access to it makes it really nasty, but it should never have been
possible in the first place, even for files.

> Odd thing is ... I think GreaseMonkey leaks less (if any) memory now ...
> but maybe that's an 0.4 thing!

Yeah I worked on that. Woo!

- a
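The scheme allowlist sketched in the message above, written out as a stand-alone example (added here; it is not Greasemonkey's code). The WHATWG `URL` parser available in Node.js stands in for `nsIIOService.extractScheme`, and the names `extractScheme`, `isAllowedUrl`, `guardedRequest` and `classifyUrls`, as well as the sample URL list, are my own constructions. It shows the point the message makes: decide by scheme allowlist, not by denylist, so that `file:`, `chrome:`, `javascript:` and `data:` URLs (and anything with no scheme at all) are refused before a privileged request function ever runs.

```javascript
// Added example, not part of the Greasemonkey message or code base.
// Only network schemes may reach the privileged request path.
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp"]);

// Return the lowercase scheme of an absolute URL, or null when the input is
// not an absolute URL (relative paths, empty strings, non-strings).
// The WHATWG parser (assumed stand-in for nsIIOService.extractScheme)
// trims surrounding whitespace and lowercases the scheme for us.
function extractScheme(urlString) {
  if (typeof urlString !== "string") return null;
  let parsed;
  try {
    parsed = new URL(urlString);
  } catch (e) {
    return null; // e.g. "/relative/path" or "//host/path": no scheme to trust
  }
  return parsed.protocol.slice(0, -1); // "https:" -> "https"
}

// Allowlist check: unknown or missing scheme is a rejection, never a pass.
function isAllowedUrl(urlString) {
  const scheme = extractScheme(urlString);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Gatekeeper modelled on the snippet in the message: the caller supplies the
// real request function (startRequest) and it only runs for allowed URLs.
function guardedRequest(details, startRequest) {
  if (!details || !isAllowedUrl(details.url)) {
    throw new Error("Invalid url: " + (details && details.url));
  }
  return startRequest(details);
}

// Split a batch of URLs into the ones the gate would let through and the
// ones it would refuse; handy for reviewing a script's request targets.
function classifyUrls(urls) {
  const allowed = [];
  const rejected = [];
  for (const u of urls) {
    (isAllowedUrl(u) ? allowed : rejected).push(u);
  }
  return { allowed, rejected };
}

// Constructed sample inputs, including the file: and chrome: cases the
// message warns about and a few scheme-less and odd-case variants.
const SAMPLE_URLS = [
  "http://example.com/page",
  "HTTPS://Example.com/",                 // scheme case must not matter
  "  ftp://ftp.example.org/pub/  ",       // surrounding whitespace
  "file:///etc/passwd",                   // local file read
  "chrome://browser/content/browser.xul", // privileged chrome content
  "javascript:alert(1)",                  // script execution, not a fetch
  "data:text/html,<b>hi</b>",             // inline content, not a network target
  "/relative/path",                       // no scheme at all
  "//example.com/protocol-relative",      // still no scheme
];

console.log(classifyUrls(SAMPLE_URLS));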


More information about the Greasemonkey mailing list