Closed
Bug 159605
Opened 22 years ago
Closed 12 years ago
image map editor uses eval incorrectly
Categories
(SeaMonkey :: Composer, defect)
SeaMonkey
Composer
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: jruderman, Unassigned)
References
(Blocks 1 open bug, )
Details
(Keywords: helpwanted, sec-want, Whiteboard: [sg:want P4] UI for reaching this code is commented out)
Attachments
(1 file, 1 obsolete file)
3.14 KB,
patch
|
timeless
:
review+
neil
:
superreview-
|
Details | Diff | Splinter Review |
cutCopy() contains code like this: clipboardItem[i] = 'Poly(\"'+coords+'\", \"'+href+'\", \"'+target+'\", \"'+alt+'\", true)'; paste() contains code like this: eval(clipboard[i]) If an attribute includes a " character, this code will fail. If an attribute contains malicious code such as "+alert(Components.classes)+", copying and pasting in the image map editor will execute the malicious code with chrome privs. I haven't actually tested this because the image map editor is disabled. The image map editor could use code like this to avoid reparsing: clipboard[i] = { func:Poly, params:[coords,href,target,alt,true] } clipboard[i].func.apply(window, clipboard[i].params);
Reporter | ||
Updated•22 years ago
|
Updated•22 years ago
|
Comment 2•22 years ago
|
||
removing nsbeta1+; seeking re-triage image map editor is not currently part of the build
Comment 4•22 years ago
|
||
This could be a serious security bug - please make sure this is fixed *before* the feature is added to the build.
Updated•20 years ago
|
Whiteboard: security → [sg:fix]
Updated•20 years ago
|
Product: Browser → Seamonkey
Assignee: cmanske → cst
Status: NEW → ASSIGNED
Attachment #170262 -
Attachment is obsolete: true
Comment on attachment 170292 [details] [diff] [review] patch Note that the patch does not make the situation with newlines at the end of the file worse (biesi confirmed this).
Attachment #170292 -
Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #170292 -
Flags: review?(timeless)
Keywords: helpwanted
Whiteboard: [sg:fix] → [sg:fix] [cst: r?]
Target Milestone: Future → mozilla1.8beta
Attachment #170292 -
Flags: review?(timeless) → review+
Comment 8•20 years ago
|
||
Comment on attachment 170292 [details] [diff] [review] patch There's no point serializing an element to a string that we're not going to evaluate. Might as well just put clones of the element in the clipboard and append them when you paste.
Attachment #170292 -
Flags: superreview?(neil.parkwaycc.co.uk) → superreview-
Whiteboard: [sg:fix] [cst: r?] → [sg:fix] [cst: ]
Whiteboard: [sg:fix] [cst: ] → [sg:fix]
Target Milestone: mozilla1.8beta1 → mozilla1.8beta2
Updated•19 years ago
|
Target Milestone: mozilla1.8beta2 → ---
Keywords: helpwanted
Target Milestone: --- → Future
Status: ASSIGNED → NEW
Reporter | ||
Updated•19 years ago
|
Whiteboard: [sg:fix] → [sg:want P4] UI for reaching this code is commented out
Assignee: cst → composer
QA Contact: sujay
Updated•16 years ago
|
Assignee: composer → nobody
QA Contact: composer
Target Milestone: Future → ---
Comment 9•15 years ago
|
||
MASS-CHANGE: This bug report is registered in the SeaMonkey product, but has been without a comment since the inception of the SeaMonkey project. This means that it was logged against the old Mozilla suite and we cannot determine that it's still valid for the current SeaMonkey suite. Because of this, we are setting it to an UNCONFIRMED state. If you can confirm that this report still applies to current SeaMonkey 2.x nightly builds, please set it back to the NEW state along with a comment on how you reproduced it on what Build ID, or if it's an enhancement request, why it's still worth implementing and in what way. If you can confirm that the report doesn't apply to current SeaMonkey 2.x nightly builds, please set it to the appropriate RESOLVED state (WORKSFORME, INVALID, WONTFIX, or similar). If no action happens within the next few months, we move this bug report to an EXPIRED state. Query tag for this change: mass-UNCONFIRM-20090614
Status: NEW → UNCONFIRMED
Comment 11•12 years ago
|
||
This code does not exist in the tree any more. Removed in Bug 717240 =>INVALID/WONTFIX.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•