Closed Bug 793426 Opened 12 years ago Closed 11 years ago

crash in NS_GetInnermostURI

Categories

(Core :: Security: CAPS, defect)

Product:
Core
Component:
Security: CAPS
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: martijn.martijn, Unassigned)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

testcase (uses specialpowers)
348 bytes, text/html
Details
updated testcase (uses specialpowers)
275 bytes, text/html
Details 
This bug was filed from the Socorro interface and is 
report bp-3a08f037-83b8-47cd-b18f-961ee2120922 .
============================================================= 
0 	xul.dll 	NS_GetInnermostURI 	obj-firefox/dist/include/nsNetUtil.h:1639
1 	xul.dll 	NS_SecurityHashURI 	obj-firefox/dist/include/nsNetUtil.h:1680
2 	xul.dll 	nsScriptSecurityManager::HashPrincipalByOrigin 	caps/src/nsScriptSecurityManager.cpp:996
3 	xul.dll 	nsPrincipal::GetHashValue 	caps/src/nsPrincipal.cpp:961
4 	xul.dll 	PrincipalKey::HashKey 	caps/include/nsScriptSecurityManager.h:99
5 	xul.dll 	nsTHashtable<nsBaseHashtableET<PrincipalKey,nsCOMPtr<nsIPrincipal> > >::s_HashKe 	obj-firefox/dist/include/nsTHashtable.h:432
6 	xul.dll 	PL_DHashTableOperate 	obj-firefox/xpcom/build/pldhash.cpp:576
7 	xul.dll 	nsTHashtable<nsPtrHashKey<nsObjectFrame> >::GetEntry 	obj-firefox/dist/include/nsTHashtable.h:149
8 	xul.dll 	nsRefPtrHashtable<nsPtrHashKey<PRThread>,nsThread>::Get 	obj-firefox/dist/include/nsInterfaceHashtable.h:90
9 	xul.dll 	nsScriptSecurityManager::GetCodebasePrincipalInternal 	caps/src/nsScriptSecurityManager.cpp:2068
10 	xul.dll 	nsScriptSecurityManager::GetNoAppCodebasePrincipal 	caps/src/nsScriptSecurityManager.cpp:2011


See testcase, which uses specialpowers. The testcase crashes on permissionmanager.testPermission({}, "");
Keywords: testcase
OS: Windows NT → Windows 7
Version: unspecified → Trunk
So the real problem here is that XPConnect manufactures a completely bogus nsIURI impl for us here.  Then we construct a principal for it.  Then we try to hash the URI, and hit this code:

1635     NS_PRECONDITION(uri, "Must have URI");
1636     
1637     nsCOMPtr<nsINestedURI> nestedURI(do_QueryInterface(uri));
1638     if (!nestedURI) {
1639         NS_ADDREF(uri);
1640         return uri;
1641     }

This is crashing with a null-deref on the NS_ADDREF.  So presumably uri is null?  I wonder how that happened, actually...

Martijn, how do I actually run this testcase?
The problem is in nsScriptSecurityManager::HashPrincipalByOrigin.  The code looks like this:

992         nsCOMPtr<nsIURI> uri;
993         aPrincipal->GetDomain(getter_AddRefs(uri));
994         if (!uri)
995             aPrincipal->GetURI(getter_AddRefs(uri));
996         return SecurityHashURI(uri);

But GetURI can return null if the URI could not be marked immutable, which will be the case with the bogo-URI here.

We really need to switch to always-immutable URIs.  :(
I had to update the testcase, because Components doesn't exist anymore in content.
This testcase doesn't seem to crash anymore in trunk, I'm now getting this js error in the console:
Timestamp: 5/20/13 1:57:47 AM
Error: [Exception... "'JavaScript component does not have a method named: "clone"' when calling method: [nsIURI::clone]"  nsresult: "0x80570030 (NS_ERROR_XPC_JSOBJECT_HAS_NO_FUNCTION_NAMED)"  location: "JS frame :: chrome://specialpowers/content/specialpowersAPI.js :: doApply :: line 83"  data: no]
Source File: chrome://specialpowers/content/specialpowersAPI.js
Line: 83
Timestamp: 5/20/13 1:57:47 AM
Error: [Exception... "'JavaScript component does not have a method named: "clone"' when calling method: [nsIURI::clone]"  nsresult: "0x80570030 (NS_ERROR_XPC_JSOBJECT_HAS_NO_FUNCTION_NAMED)"  location: "JS frame :: chrome://specialpowers/content/specialpowersAPI.js :: doApply :: line 83"  data: no]
Source File: chrome://specialpowers/content/specialpowersAPI.js
Line: 83
Timestamp: 5/20/13 1:57:47 AM
Error: NS_ERROR_XPC_JSOBJECT_HAS_NO_FUNCTION_NAMED: 'JavaScript component does not have a method named: "clone"' when calling method: [nsIURI::clone]
Source File: chrome://specialpowers/content/specialpowersAPI.js
Line: 83
I guess this bug can be closed then, right?
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: