Closed Bug 159605 Opened 22 years ago Closed 12 years ago

image map editor uses eval incorrectly

Categories

(SeaMonkey :: Composer, defect)

Product:
SeaMonkey
Component:
Composer
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: jruderman, Unassigned)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: helpwanted, sec-want, Whiteboard: [sg:want P4] UI for reaching this code is commented out)

Attachments

(1 file, 1 obsolete file)

patch
3.14 KB, patch
timeless
: review+
neil
: superreview-
Details | Diff | Splinter Review 
cutCopy() contains code like this:
  clipboardItem[i] = 'Poly(\"'+coords+'\", \"'+href+'\", \"'+target+'\",
\"'+alt+'\", true)';

paste() contains code like this:
  eval(clipboard[i])

If an attribute includes a " character, this code will fail.  If an attribute
contains malicious code such as "+alert(Components.classes)+", copying and
pasting in the image map editor will execute the malicious code with chrome
privs.  I haven't actually tested this because the image map editor is disabled.

The image map editor could use code like this to avoid reparsing:

clipboard[i] = { func:Poly, params:[coords,href,target,alt,true] }

clipboard[i].func.apply(window, clipboard[i].params);
Blocks: 84303, 88314
Whiteboard: security
Keywords: helpwanted
OS: Windows 2000 → All
Hardware: PC → All
Target Milestone: --- → Future
--> cmanske
Assignee: syd → cmanske
Keywords: nsbeta1+
removing nsbeta1+; seeking re-triage
image map editor is not currently part of the build
Keywords: nsbeta1+nsbeta1
Composer triage team: nsbeta1-
Keywords: nsbeta1nsbeta1-
This could be a serious security bug - please make sure this is fixed *before*
the feature is added to the build.
Whiteboard: security → [sg:fix]
Product: Browser → Seamonkey
Comment on attachment 170292 [details] [diff] [review]
patch

Note that the patch does not make the situation with newlines at the end of the
file worse (biesi confirmed this).
Attachment #170292 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #170292 - Flags: review?(timeless)
Keywords: helpwanted
Whiteboard: [sg:fix] → [sg:fix] [cst: r?]
Target Milestone: Future → mozilla1.8beta
Attachment #170292 - Flags: review?(timeless) → review+
Comment on attachment 170292 [details] [diff] [review]
patch

There's no point serializing an element to a string that we're not going to
evaluate. Might as well just put clones of the element in the clipboard and
append them when you paste.
Attachment #170292 - Flags: superreview?(neil.parkwaycc.co.uk) → superreview-
Whiteboard: [sg:fix] [cst: r?] → [sg:fix] [cst: ]
Whiteboard: [sg:fix] [cst: ] → [sg:fix]
Target Milestone: mozilla1.8beta1 → mozilla1.8beta2
Target Milestone: mozilla1.8beta2 → ---
Keywords: helpwanted
Target Milestone: --- → Future
Whiteboard: [sg:fix] → [sg:want P4] UI for reaching this code is commented out
Assignee: cst → composer
QA Contact: sujay
Assignee: composer → nobody
QA Contact: composer
Target Milestone: Future → ---
MASS-CHANGE:
This bug report is registered in the SeaMonkey product, but has been without a comment since the inception of the SeaMonkey project. This means that it was logged against the old Mozilla suite and we cannot determine that it's still valid for the current SeaMonkey suite. Because of this, we are setting it to an UNCONFIRMED state.

If you can confirm that this report still applies to current SeaMonkey 2.x nightly builds, please set it back to the NEW state along with a comment on how you reproduced it on what Build ID, or if it's an enhancement request, why it's still worth implementing and in what way.
If you can confirm that the report doesn't apply to current SeaMonkey 2.x nightly builds, please set it to the appropriate RESOLVED state (WORKSFORME, INVALID, WONTFIX, or similar).
If no action happens within the next few months, we move this bug report to an EXPIRED state.

Query tag for this change: mass-UNCONFIRM-20090614
Status: NEW → UNCONFIRMED
Do not expire security bugs.
Status: UNCONFIRMED → NEW
This code does not exist in the tree any more. Removed in Bug 717240
=>INVALID/WONTFIX.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: