Closed Bug 116888 Opened 24 years ago Closed 24 years ago

Java applets inserted as <OBJECT> run in spite of Java is turned off in Preferences.

Categories

(Core Graveyard :: Java: OJI, defect, P1)

Product:
Core Graveyard
Component:
Java: OJI
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.8

People

(Reporter: sinchi, Assigned: nis)

References

(
URL
)

Details

Attachments

(1 file, 7 obsolete files)

new version that checks for prefixes of mimetypes
2.03 KB, patch
peterlubczynski-bugs
: review+
beard
: superreview+
Details | Diff | Splinter Review
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.7) Gecko/20011221 BuildID: 2001122106 When Java is disabled in Preferences, applets described as <OBJECT> tag are starting. Reproducible: Always Steps to Reproduce: 1. Turn off Java in preferences. 2. Go to URL http://www.student.oulu.fi/%7esairwas/object-test/java/test1.html Actual Results: Java applet is running. Expected Results: Java applet must not run and browser must display alternate content instead.
Also seen on Linux 2001122508.
Hmm, that's not good. Not sure who owns this though. Let's try OJI.
Assignee: mstoltz → joe.chou
Component: Security: General → OJI
QA Contact: bsharma → pmac
Please, change status of this bug to "Accepted"
This bug also presents in build 2002011003
Attached patch Proposed patch (obsolete) — Splinter Review
It seems we nether checked for java enabled/disabled for non-applet case. Please, review proposed patch.
-->Igor
Assignee: joe.chou → nis
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment on attachment 64507 [details] [diff] [review] Proposed patch r=peterl
Attachment #64507 - Flags: review+
What if some internal part of the browser wants to use Java, not on behalf of content? I think this is too low level a place to put this logic. We should instead check for <OBJECT> tag invocation of Java, and prevent it there.
Attached patch Updated patch (obsolete) — Splinter Review
Ok, i made new version of patch that does check for Object/Applet/Embed tag. It works for me but i do not know how to test it with any "internal component written in java". This patch obsoletes 64507 (i have no permission to mark it obsolete myself :( ) Anyway, please review.
What if.... + rv = pti2->GetTagType(&tagType); + + if(rv != NS_OK) { + return rv; + } fails for cases when we don't have tags like full-page plugins or "internal components"? Does/should Liveconnect work?
It's necessary don't forget that if Java is turned off, browser must display inner content of <OBJECT> tag. For example, if in HTML code described: <object codetype="application/java" classid="java:mygame.class" width="250" height="250"> You have turned off Java and can't enjoy my wonderful Java game! <img src="/img/emotions/sad.png" /> </object> browser must display text: "You have turned off Java and can't enjoy my wonderful Java game!" and inline image (sad.png) Does your patch support this feature?
peter: Good point. I just updated the patch to fix this. manko: Yes, it shows alternative text if object is disabled. It is the same as in case no java plugin is installed.
Nominating mozilla0.9.8 as this probably is a slight security problem.
Keywords: mozilla0.9.8
OS: Windows 2000 → All
Priority: -- → P1
Hardware: PC → All
Comment on attachment 65600 [details] [diff] [review] Updated patch according to peter comments r=peterl
Attachment #65600 - Flags: review+
a=blizzard on behalf of drivers for 0.9.8
Keywords: mozilla0.9.8mozilla0.9.8+
Keywords: patch, review
Wouldn't it be cleaner to put this logic up in nsPluginHost::InstantiateEmbededPlugin()? There's already code in there that checks to see if Java is enabled. It would be a shame to add yet another test of the same thing...
Attached patch patch v4 (obsolete) — Splinter Review
Well. originally i was thinking about disabling java not only for embeded objects but for full-page too. (what if cgi-script will output something with "java-vm" content-type?) Anyway, with patrick's comment on potential internal java components i'd rather to consider this bug as "case of embeded java object" and in this conditions we can move check one level upper (and this will in fact will not add new checks indeed it will remove some :) Patch is attached. However, i feel that "Disable java" label is quite misleading. (Does this mean we want ot disable access from javascript embeded into page to jvm? What about full-page plugins?) and may be something like "disable applets" will be more correct. Shall we file new bug for this?
To simplify review i'd like to point that we can get to this place only if we haveapplet, embed or object tag type. See http://lxr.mozilla.org/mozilla/source/modules/plugin/base/src/nsPluginHostImpl.cpp#3205 for details
Igor Nekrestyanov wrote: > may be something like "disable applets" will be more correct Yes, i think this is very nice idea. And more, probably, behavior for each type of plugins (Java, Flash, sound and video objects etc.) should be pointed in Preferences separately.
Igor, won't you patch also disable other plugins when Java is disabled? How about something like this: if (tagType == nsPluginTagType_Applet || (tagType == nsPluginTagType_Object && PL_strcasecmp(aMimeType, "application/x-java"))) or just simply checking for "application/x-java".
Oh, could you attach patches in -u format with enough context to see what's going on. Thanks!
peter: thanks for good point. I have added check for java mime-type. Would you please review this one and mark others as obsolete? (Despite the fact i have attached other patches i have no permission to change them myself :( )
Igor, It looks like this would be the third time this comparison is done against the same string. Could this maybe just be done once at the top and then use a boolean throughout the function?
ok. new version of patch is attached.
Attachment #66901 - Attachment is obsolete: true
Attachment #66127 - Attachment is obsolete: true
Attachment #65600 - Attachment is obsolete: true
Attachment #64525 - Attachment is obsolete: true
Attachment #64507 - Attachment is obsolete: true
Comment on attachment 67089 [details] [diff] [review] Patch that eliminate duplicate mimetype checks r=peterl
Attachment #67089 - Flags: review+
Comment on attachment 67089 [details] [diff] [review] Patch that eliminate duplicate mimetype checks In the future please use unified diffs (diff -u). You can still use the test for nsPluginTagType_Applet as a short circuit to identify Java. Use the string compares as *ADDITIONAL* tests if the tag type is not nsPluginTagType_Applet.
Comment on attachment 67099 [details] [diff] [review] Patch adapted to latest comment from beard r=peterl, that looks better, Patrick?
Attachment #67099 - Flags: review+
Taking into account bug 120390 (see comment #15 there) i guess it will be smarter to require identity of prefixes instead of full strings when comparing mime-types. peter: thank you for pointing me to 120390
Attachment #67099 - Attachment is obsolete: true
Igor I suggest that you put a comment on why you do a strncmp instead of a of strcmp. E.g. // use strncmp instead of strcmp to allow for application/x-java-applet;version=... // cf bug 120390 comment #15 Nice team work!
Comment on attachment 67277 [details] [diff] [review] new version that checks for prefixes of mimetypes sr=beard I assume this is to handle the fact that Sun further qualifies these MIME types with version strings. Looks good.
Attachment #67277 - Flags: superreview+
Attachment #67089 - Attachment is obsolete: true
Attachment #67089 - Flags: needs-work+
Comment on attachment 67277 [details] [diff] [review] new version that checks for prefixes of mimetypes r=peterl Igor, do you have CVS check-in access?
Attachment #67277 - Flags: review+
No, i still can not check this in myself. Please do this for me. Thank you in advance.
Checked into trunk and 0.9.8 branch, marking FIXED. Thanks all!
Status: NEW → RESOLVED
Closed: 24 years ago
Keywords: review
Resolution: --- → FIXED
Target Milestone: --- → mozilla0.9.8
verified on all platforms (commercial trunk: 2002-02-06-06-trunk)
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: