Closed
Bug 531176
Opened 15 years ago
Closed 15 years ago
Add assertion that it's safe to run scripts before dispatching any events (and fix the cases when events are dispatched at unsafe time)
Categories
(Core :: DOM: Events, defect)
Core
DOM: Events
Tracking
()
People
(Reporter: justin.lebar+bug, Assigned: smaug)
References
Details
(Keywords: fixed1.9.0.20, verified1.9.1, verified1.9.2, Whiteboard: [sg:critical?])
Attachments
(3 files, 4 obsolete files)
|
20.66 KB,
patch
|
sicking
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
|
19.46 KB,
patch
|
beltzner
:
approval1.9.2.4+
|
Details | Diff | Splinter Review |
|
17.39 KB,
patch
|
jst
:
review+
beltzner
:
approval1.9.1.10+
dveditz
:
approval1.9.0.next+
|
Details | Diff | Splinter Review |
It doesn't appear that we check nsContentUtils::IsSafeToRunScripts() before running the event dispatch code. We probably should add an assertion to this effect to help catch unsafe event dispatches.
|
Assignee | |
Updated•15 years ago
|
Assignee: nobody → Olli.Pettay
|
|
Assignee | |
Updated•15 years ago
|
Group: core-security
|
|
Assignee | |
Comment 1•15 years ago
|
||
Posted this to tryserver. Passes at least mochitest locally.
Attachment #414740 -
Flags: review?(jonas)
|
|
Assignee | |
Comment 2•15 years ago
|
||
The problematic cases I found weren't common while running mochitest.
|
|
Assignee | |
Comment 3•15 years ago
|
||
Comment on attachment 414740 [details] [diff] [review] patch > #ifdef DEBUG >+ nsresult rv = NS_ERROR_FAILURE; >+ if (target->GetContextForEventHandlers(&rv) || >+ NS_FAILED(rv)) { >+ NS_ERROR("This is unsafe!"); >+ } It is ok to dispatch events to non-scriptable, data-only documents, which don't have context for script event handlers. This is basically XBL documents, where load event is used to detect that they are loaded.
|
|
Assignee | |
Comment 4•15 years ago
|
||
This should compile even on scratchbox
Attachment #414740 -
Attachment is obsolete: true
Attachment #414746 -
Flags: review?(jonas)
Attachment #414740 -
Flags: review?(jonas)
|
|
Assignee | |
Comment 5•15 years ago
|
||
I found yet another event; error event from scripts. This contains some tests for error event.
Attachment #414746 -
Attachment is obsolete: true
Attachment #414850 -
Flags: superreview?(jst)
Attachment #414850 -
Flags: review?(jonas)
Attachment #414746 -
Flags: review?(jonas)
|
||
Comment 6•15 years ago
|
||
Does the bug summary need to be updated? Seems like you've gone beyond adding a helpful assert to fixing security vulns uncovered by the assert.
Whiteboard: [sg:critical?]
|
|
Assignee | |
Updated•15 years ago
|
Summary: Add assertion that it's safe to run scripts before dispatching any events → Add assertion that it's safe to run scripts before dispatching any events (and fix the cases when events are dispatched at unsafe time)
|
||
Comment 7•15 years ago
|
||
> + NS_ERROR("This is unsafe!");
Please use a more descriptive assertion message, such as "dispatching an event when it is not safe to run script".|
|
||
Comment 8•15 years ago
|
||
Please consider using separate, public bugs for the changes other than adding the assertion. If they cause regressions, having a public bug will make tracking easier, draw less attention to the security aspect, and make life less painful if we have to back something out.
Comment on attachment 414850 [details] [diff] [review] +script error So this wouldn't fire assertions if the event is dispatched against chrome documents? I wonder if we ideally would like to assert event then, just to avoid having to teach developers which events are unsafe to do what from. Do you know which events fire at chrome while there are script blockers? r=me to land this for now anyhow.
Attachment #414850 -
Flags: review?(jonas) → review+
|
|
Assignee | |
Comment 10•15 years ago
|
||
(In reply to comment #9) > (From update of attachment 414850 [details] [diff] [review]) > So this wouldn't fire assertions if the event is dispatched against chrome > documents? Yes it does fire the assertion. It doesn't fire assertion with non-scriptable documents. Basically data documents which don't have script handling object.
|
Reporter | |
Comment 11•15 years ago
|
||
Um...did adding a blocking item just un-secure this bug? I really didn't mean to do that.
(In reply to comment #10) > (In reply to comment #9) > > (From update of attachment 414850 [details] [diff] [review] [details]) > > So this wouldn't fire assertions if the event is dispatched against chrome > > documents? > > Yes it does fire the assertion. It doesn't fire assertion with > non-scriptable documents. Basically data documents which don't have > script handling object. Why do you need that distinction? Is this related to loading of XBL-documents by any chance?
|
|
Assignee | |
Comment 13•15 years ago
|
||
(In reply to comment #12) > Why do you need that distinction? Is this related to loading of XBL-documents > by any chance? Yes. We load XBL documents which don't have script handling object but still use (C++) event listener to get the load event.
(In reply to comment #11) > Um...did adding a blocking item just un-secure this bug? I really didn't mean > to do that. Anyone that doesn't have access to this bug won't be able to see any sensitive information about the bug. Just the bug number and if it's resolved or not IIRC.
Blocks: 515190
That's what I recall from adding this assertion synchronously... It's annoying to add an exception just for this one case. Though I guess its ok since we won't ever run any scripted event handlers, is that correct? Also, ideally the sync loading of XBL should go away eventually.
Another thing that would be good to do is to add assertions is to the mutation events code. Currently we'll only trigger the assertion added in your patch if there actually are mutation event listeners since we won't attempt to fire the event otherwise. I think this can be accomplished by adding an assertion to nsContentUtils::HasMutationListeners that checks if all current blockers are removable. IIRC I found one case in the cssframeconstructor that triggered such an assertion, which was easily fixable by setting aNotify to false or some such. Do you want a separate bug for this?
|
|
Assignee | |
Comment 17•15 years ago
|
||
I'll do that in a separate bug.
|
|
Assignee | |
Comment 18•15 years ago
|
||
jst, want to sr? This is a security sensitive bug, so needs r and sr.
|
||
Comment 19•15 years ago
|
||
Comment on attachment 414850 [details] [diff] [review] +script error Looks good. sr=jst
Attachment #414850 -
Flags: superreview?(jst) → superreview+
|
|
Assignee | |
Comment 20•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/e58c2ef1d65b
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Have you considered taking this on branches? It appears to fix bug 496366.
|
|
Assignee | |
Comment 22•14 years ago
|
||
Yeah, we should probably take this to branches. Not sure about the assertion, but the other parts of the patch. I'll update the patch for branches. (3.5 will need significant changes)
Blocks: 496366
|
|
Assignee | |
Comment 23•14 years ago
|
||
I'll upload this to tryserver
|
|
Assignee | |
Comment 24•14 years ago
|
||
I think we may not want to add the assertion to branches.
Attachment #432835 -
Attachment is obsolete: true
Attachment #432907 -
Flags: approval1.9.2.3?
|
|
Assignee | |
Comment 25•14 years ago
|
||
a merge problem fixed; ValueChange should bubble.
Attachment #432907 -
Attachment is obsolete: true
Attachment #432914 -
Flags: approval1.9.2.3?
Attachment #432907 -
Flags: approval1.9.2.3?
|
|
Assignee | |
Comment 26•14 years ago
|
||
I'm posting this to tryserver. Since 1.9.1 doesn't have the focusmanager, the FocusBlurEvent part doesn't really apply to that branch. Otherwise only minor changes to trunk patch. Fixes Bug 496366.
Attachment #432918 -
Flags: review?(jst)
|
|
||
Updated•14 years ago
|
Attachment #432918 -
Flags: review?(jst) → review+
|
|
Assignee | |
Updated•14 years ago
|
Attachment #432918 -
Flags: approval1.9.1.10?
|
|
||
Updated•14 years ago
|
blocking1.9.1: --- → .10+
blocking1.9.2: --- → .3+
status1.9.1:
--- → wanted
status1.9.2:
--- → wanted
|
|
||
Comment 27•14 years ago
|
||
Comment on attachment 432914 [details] [diff] [review] for 1.9.2 without the assertion Are bug 535887 and bug 535926 from the "depends on" field regressions that need to be fixed before taking this on branches?
|
|
||
Updated•14 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?][needs answer to comment 27 from Olli]
|
|
Assignee | |
Comment 28•14 years ago
|
||
Those aren't regressions. They are cases where the assertion fires, but the assertion itself doesn't change behavior. The patch did change other behavior, but I haven't heard of regressions related to those changes.
|
||
Comment 30•14 years ago
|
||
Comment on attachment 432914 [details] [diff] [review] for 1.9.2 without the assertion a=beltzner for 1.9.2.3 and 1.9.1.10
Attachment #432914 -
Flags: approval1.9.2.3? → approval1.9.2.3+
|
|
||
Updated•14 years ago
|
Attachment #432918 -
Flags: approval1.9.1.10? → approval1.9.1.10+
|
|
Assignee | |
Comment 31•14 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/a4975fb9c048 http://hg.mozilla.org/releases/mozilla-1.9.1/rev/8cbc449170d5
Whiteboard: [sg:critical?][needs answer to comment 27 from Olli] → [sg:critical?]
|
||
Comment 32•14 years ago
|
||
Is there a way to easily test this fix? It looks like bug 496366 can be used, per comment 21. Are we sure it is this checkin that fixed that bug?
|
|
Assignee | |
Comment 33•14 years ago
|
||
(In reply to comment #32) > Is there a way to easily test this fix? > > It looks like bug 496366 can be used, per comment 21. Yeah, there is a testcase in that bug. > Are we sure it is this > checkin that fixed that bug? Yes.
|
|
||
Comment 34•14 years ago
|
||
Verified for 1.9.2 via the testcase in bug 496366 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4pre) Gecko/20100408 Lorentz/3.6.4pre (.NET CLR 3.5.30729). Verified for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.10pre) Gecko/20100407 Shiretoko/3.5.10pre (.NET CLR 3.5.30729).
Keywords: verified1.9.1,
verified1.9.2
|
|
||
Updated•14 years ago
|
Group: core-security
Comment on attachment 432918 [details] [diff] [review] for 1.9.1 without the assertion and without the FocusBlurEvent Requesting approval1.9.0.next on this patch so that we can take it in upcoming Camino 2.0.x security and stability updates. If approved, I'll handle the checkins, unless the patch author requests otherwise.
Attachment #432918 -
Flags: approval1.9.0.next?
|
|
||
Comment 36•14 years ago
|
||
Comment on attachment 432918 [details] [diff] [review] for 1.9.1 without the assertion and without the FocusBlurEvent Approved for 1.9.0.20, a=dveditz
Attachment #432918 -
Flags: approval1.9.0.next? → approval1.9.0.next+
Checking in dom/src/base/nsGlobalWindow.cpp; /cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v <-- nsGlobalWindow.cpp new revision: 1.1027; previous revision: 1.1026 done Checking in dom/src/base/nsJSEnvironment.cpp; /cvsroot/mozilla/dom/src/base/nsJSEnvironment.cpp,v <-- nsJSEnvironment.cpp new revision: 1.401; previous revision: 1.400 done Checking in dom/tests/mochitest/bugs/Makefile.in; /cvsroot/mozilla/dom/tests/mochitest/bugs/Makefile.in,v <-- Makefile.in new revision: 1.32; previous revision: 1.31 done RCS file: /cvsroot/mozilla/dom/tests/mochitest/bugs/test_bug531176.html,v done Checking in dom/tests/mochitest/bugs/test_bug531176.html; /cvsroot/mozilla/dom/tests/mochitest/bugs/test_bug531176.html,v <-- test_bug531176.html initial revision: 1.1 done Checking in layout/forms/nsComboboxControlFrame.cpp; /cvsroot/mozilla/layout/forms/nsComboboxControlFrame.cpp,v <-- nsComboboxControlFrame.cpp new revision: 1.432; previous revision: 1.431 done
Keywords: fixed1.9.0.20
You need to log in
before you can comment on or make changes to this bug.
Description
•