Closed Bug 151933 Opened 22 years ago Closed 22 years ago

xml:base should not allow setting chrome URLs

Categories

(Core :: XML, defect, P1)

Product:
Core
Component:
XML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0.1

People

(Reporter: hjtoi-bugzilla, Assigned: hjtoi-bugzilla)

References

Details

(Whiteboard: [ADT2 RTM][fixed on trunk 6/24, branch 6/26])

Attachments

(2 files, 2 obsolete files)

Fix 3
3.12 KB, patch
harishd
: review+
jst
: superreview+
jud
: approval+
Details | Diff | Splinter Review
Simple test case
689 bytes, text/xml
Details 
It seems HTML base tag will not let you set chrome URLs, but xml:base does.
Quick test did not show this to cause security issues (for example link to
chrome did still not work, nor did a script on a page get chrome privileges),
but this should be fixed nevertheless in case there are other issues that I have
not tested.
keyword foo. Nominating, priority 2.
Keywords: mozilla1.0.1, nsbeta1
Whiteboard: [ADT2 RTM]
Keywords: nsbeta1nsbeta1+
Priority: -- → P1
Target Milestone: --- → mozilla1.0.1
Attached patch Proposed fix (obsolete) — Splinter Review 
This adds a security check at the end of GetXMLBaseURI(), similar to
nsDocument::SetBaseURL(nsIURI* aURL). 

Because XML Base is calculated on demand and not cached, the side effect is
that we'll get security warnings every time someone tries to acces baseURI
property with illegal value. There is an old bug open that would fix XML Base
so that it's value is cached correctly (it is not trivial, DOM changes can
change XML Base value).
Comment on attachment 88582 [details] [diff] [review]
Proposed fix

Don't we want to pass back the parent element's base URI and not the document's
URI if the security manager denies access to the current element's base URI?
Comment on attachment 88582 [details] [diff] [review]
Proposed fix

Yeah, I thought of that at home, I'll make a new patch.
Attachment #88582 - Attachment is obsolete: true
Attachment #88582 - Flags: needs-work+
Attached patch Fix 2 (obsolete) — Splinter Review 
Now, if security check fails, we start from the parent of the last content
element we tried, and recursively call GetXMLBaseURI(). If there was no parent,
just get the document base.
Comment on attachment 88676 [details] [diff] [review]
Fix 2

sr=jst
Attachment #88676 - Flags: superreview+
Attached patch Fix 3Splinter Review 
Oops, need the _base_ URI if there is one, and only if that is null get the
document URI as baseURI.
Attachment #88676 - Attachment is obsolete: true
Comment on attachment 88712 [details] [diff] [review]
Fix 3

sr=jst
Attachment #88712 - Flags: superreview+
Status: NEW → ASSIGNED
Comment on attachment 88712 [details] [diff] [review]
Fix 3

r=harishd
Attachment #88712 - Flags: review+
Fixed on trunk.
Keywords: adt1.0.1
Whiteboard: [ADT2 RTM] → [ADT2 RTM][fixed on trunk 6/24]
Sent email for ADT & drivers approval.
Heikki, can you make the bugs Resolved/fixed

Chris, can you verify the fix on the trunk.  Thx.
resolving as fixed per Comment #10 From Heikki Toivonen.
Blocks: 143047
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Whiteboard: [ADT2 RTM][fixed on trunk 6/24] → [ADT2 RTM][fixed on trunk 6/24] [ETA 06/27]
can someone verify this?
Attached file Simple test case 

    
    

    
  
Verified in the 2002-06-26-08 Win ME and OS X trunk builds.
Status: RESOLVED → VERIFIED

    
  

        Attachment #88712 -
        Flags: approval+

    
    

    
  
please checkin to the 1.0.1 branch. once there, remove the "mozilla1.0.1+"
keyword and add the "fixed1.0.1" keyword.
Keywords: mozilla1.0.1mozilla1.0.1+

    
    

    
  
adt1.0.1+ (on ADT's behalf) approval for checkin on the 1.0 branch. please
checkin asap, then replace the "mozilla1.0.1+" keyword and with the "fixed1.0.1".
Keywords: adt1.0.1adt1.0.1+

    
    

    
  
Fixed on the branch too.
Keywords: mozilla1.0.1+fixed1.0.1
Whiteboard: [ADT2 RTM][fixed on trunk 6/24] [ETA 06/27] → [ADT2 RTM][fixed on trunk 6/24, branch 6/26]

    
    

    
  
Verified with Windows June 27th (2002-06-27-08 branch) and OS X July 1
(2002-07-01-08 branch). 

    
  
Keywords: verified1.0.1
Group: security?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: