Closed Bug 151933 Opened 23 years ago Closed 23 years ago

xml:base should not allow setting chrome URLs

Categories

(Core :: XML, defect, P1)

Product:
Core
Component:
XML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0.1

People

(Reporter: hjtoi-bugzilla, Assigned: hjtoi-bugzilla)

References

Details

(Whiteboard: [ADT2 RTM][fixed on trunk 6/24, branch 6/26])

Attachments

(2 files, 2 obsolete files)

Fix 3
3.12 KB, patch
harishd
: review+
jst
: superreview+
jud
: approval+
Details | Diff | Splinter Review
Simple test case
689 bytes, text/xml
Details
It seems HTML base tag will not let you set chrome URLs, but xml:base does. Quick test did not show this to cause security issues (for example link to chrome did still not work, nor did a script on a page get chrome privileges), but this should be fixed nevertheless in case there are other issues that I have not tested.
keyword foo. Nominating, priority 2.
Keywords: mozilla1.0.1, nsbeta1
Whiteboard: [ADT2 RTM]
Keywords: nsbeta1nsbeta1+
Priority: -- → P1
Target Milestone: --- → mozilla1.0.1
Attached patch Proposed fix (obsolete) — Splinter Review
This adds a security check at the end of GetXMLBaseURI(), similar to nsDocument::SetBaseURL(nsIURI* aURL). Because XML Base is calculated on demand and not cached, the side effect is that we'll get security warnings every time someone tries to acces baseURI property with illegal value. There is an old bug open that would fix XML Base so that it's value is cached correctly (it is not trivial, DOM changes can change XML Base value).
Comment on attachment 88582 [details] [diff] [review] Proposed fix Don't we want to pass back the parent element's base URI and not the document's URI if the security manager denies access to the current element's base URI?
Comment on attachment 88582 [details] [diff] [review] Proposed fix Yeah, I thought of that at home, I'll make a new patch.
Attachment #88582 - Attachment is obsolete: true
Attachment #88582 - Flags: needs-work+
Attached patch Fix 2 (obsolete) — Splinter Review
Now, if security check fails, we start from the parent of the last content element we tried, and recursively call GetXMLBaseURI(). If there was no parent, just get the document base.
Comment on attachment 88676 [details] [diff] [review] Fix 2 sr=jst
Attachment #88676 - Flags: superreview+
Attached patch Fix 3Splinter Review
Oops, need the _base_ URI if there is one, and only if that is null get the document URI as baseURI.
Attachment #88676 - Attachment is obsolete: true
Comment on attachment 88712 [details] [diff] [review] Fix 3 sr=jst
Attachment #88712 - Flags: superreview+
Status: NEW → ASSIGNED
Comment on attachment 88712 [details] [diff] [review] Fix 3 r=harishd
Attachment #88712 - Flags: review+
Fixed on trunk.
Keywords: adt1.0.1
Whiteboard: [ADT2 RTM] → [ADT2 RTM][fixed on trunk 6/24]
Sent email for ADT & drivers approval.
Heikki, can you make the bugs Resolved/fixed Chris, can you verify the fix on the trunk. Thx.
resolving as fixed per Comment #10 From Heikki Toivonen.
Blocks: 143047
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Whiteboard: [ADT2 RTM][fixed on trunk 6/24] → [ADT2 RTM][fixed on trunk 6/24] [ETA 06/27]
can someone verify this?
Attached file Simple test case
Verified in the 2002-06-26-08 Win ME and OS X trunk builds.
Status: RESOLVED → VERIFIED
Attachment #88712 - Flags: approval+
please checkin to the 1.0.1 branch. once there, remove the "mozilla1.0.1+" keyword and add the "fixed1.0.1" keyword.
Keywords: mozilla1.0.1mozilla1.0.1+
adt1.0.1+ (on ADT's behalf) approval for checkin on the 1.0 branch. please checkin asap, then replace the "mozilla1.0.1+" keyword and with the "fixed1.0.1".
Keywords: adt1.0.1adt1.0.1+
Fixed on the branch too.
Keywords: mozilla1.0.1+fixed1.0.1
Whiteboard: [ADT2 RTM][fixed on trunk 6/24] [ETA 06/27] → [ADT2 RTM][fixed on trunk 6/24, branch 6/26]
Verified with Windows June 27th (2002-06-27-08 branch) and OS X July 1 (2002-07-01-08 branch).
Keywords: verified1.0.1
Group: security?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: