Closed Bug 156452 Opened 23 years ago Closed 23 years ago

Accessing cross-domain document structure via TreeWalker

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.0.1

People

(Reporter: bbaetz, Assigned: sicking)

References

Details

(Whiteboard: [ADT1 RTM] [ETA 08/02] security)

Attachments

(5 files, 21 obsolete files)

testcase
961 bytes, text/html
Details
testcase for some of the exploits fixed
654 bytes, text/html
Details
another testcase
581 bytes, text/html
Details
demo that reads text from a form field using appendChild and dom 0
763 bytes, text/html
Details
patch for branch, including fix for bug 159348
62.34 KB, patch
sicking
: review+
sicking
: superreview+
jesup
: approval+
Details | Diff | Splinter Review
Its possible to use the tree walker to get at the document structure of a document in another domain. I'll attach a testcase (based on sicking's original tests). I don't think its possible to see data/attributes from the nodes without finding a separate bug somehow - I get permission denied errors whenever I try to access anything on the nodes themselves, apart from .toString. I haven't tried anything fancy, though. Is it legal to call document.createTreeWalker(someOtherDocument, ...) in the first place?
Attached file testcase
This is basically sicking's original testcase, modified. To use, wait until the contents of the <iframe> have loaded, then click |begin|. Then traverse the DOM tree using the other buttons. Can anyone manage to get useful information out of this?
Hmm, I can't see how this would be directly exploitable, but we should block it in any case. This could be fixed the same way bug 147754 was fixed.
How can the user get hold of the node to initialize the treewalker to in the first place? I.e. shouldn't it fail already at the |document.getElementById('f').contentDocument|?
No, accessing .contentDocument should be allowed since there are properties on the document in the iframe that anyone should be able to set (like .contentDocument.location = "http://...").
Attached patch patch to fix (obsolete) — Splinter Review
This patch performs same-origin tests whenever we create a treewalker of set the contentnode in a treewalker. Those two should be the only methods of setting the node that the walker walks
Comment on attachment 90934 [details] [diff] [review] patch to fix Perfect. The |if (doc1 == doc2)| fast return path is a good thing, and your use of nsScriptSecurityManager looks fine. r=mstoltz.
Attachment #90934 - Flags: review+
Comment on attachment 90934 [details] [diff] [review] patch to fix ... + nsresult rv = nsContentUtils::CheckSameOrigin(this, aRoot); + NS_ENSURE_SUCCESS(rv, rv); Don't use NS_ENSURE_SUCCESS() in places where you know the call can fail for valid reasons, like in this case. if (NS_FAILED(rv)) { return NS_OK; } in stead, but on separate lines... sr=jst if you change that.
Attachment #90934 - Flags: superreview+
What other DOM stuff uses this akward syntax? I know that at least one other function, document.getAnonymousNodes, uses it.
Attached patch fixes jsts comment (obsolete) — Splinter Review
Attachment #90934 - Attachment is obsolete: true
Comment on attachment 91079 [details] [diff] [review] fixes jsts comment carrying over r/sr
Attachment #91079 - Flags: superreview+
Attachment #91079 - Flags: review+
Hmm, what if script from domain X gets access to a document from domain Y and is able to reach an element in the document from domain Y, could it then do document.body.appendChild() to steal the node from the other document? There's also document.importNode(), and maybe others...
We might want new bugs for those issues if they're real issues... Seems like all properties of document objects that expose elements are protected, but who knows if there are other ways to reach an element in a window to which you're not reall supposed to have access to... Belts and suspenders, we need some of that here it seems...
Sorry for the incoherent comment earlier. What I meant was, "what other DOM functions are accessed using document.functionName but don't necessarily operate on the document itself?" A better question is, "what other DOM functions can take a document as a parameter and might need a security check on that parameter?". After looking at the traversal spec and the testcase and scratching my head for a few minutes: Eek! I didn't know Document inherited from Node. That blows away my assumption that a script can get access to another document's document object but not its nodes. That means we have a lot of functions to consider and/or add security checks to.
taking...
Assignee: anthonyd → sicking
adding keywords, important security bug. nsbeta1+'ed with heikkis blessing
Keywords: adt1.0.1, mozilla1.0.1, nsbeta1+
Whiteboard: [ADT1 RTM]
Comment on attachment 91079 [details] [diff] [review] fixes jsts comment a=chofmann for the 1.1b trunk... lets see how if goes there and then look at getting on the branch.
Attachment #91079 - Flags: approval+
Whiteboard: [ADT1 RTM] → [ADT1 RTM] [eta=7-17]
Comment on attachment 91079 [details] [diff] [review] fixes jsts comment checked in on trunk
Reducing to adt2 per adt.
Whiteboard: [ADT1 RTM] [eta=7-17] → [ADT2 RTM] [eta=7-17]
gerardok or bsharma - can you take over as the QA contact and verify the bug fix with the attached testcase on the trunk builds (after July 15)? Also, will need verification once the fix is in the branch. Thanks.
Blocks: 143047
Whiteboard: [ADT2 RTM] [eta=7-17] → [ADT2 RTM] [eta 07/17]
Attached patch Plug more holes... (obsolete) — Splinter Review
Attached patch combined and refined (obsolete) — Splinter Review
Attachment #91442 - Attachment is obsolete: true
Attachment #91479 - Attachment is obsolete: true
Comment on attachment 91485 [details] [diff] [review] combined and refined r=jst for the parts I didn't write myself.
Attachment #91485 - Flags: review+
Comment on attachment 91485 [details] [diff] [review] combined and refined > aNode1->GetOwnerDocument(getter_AddRefs(domDoc1)); > doc1 = do_QueryInterface(domDoc1); > if (!doc1) { >- return NS_ERROR_FAILURE; >+ // aNode1 is not part of a document, let any caller access it. >+ return NS_OK; > } I would be happier with: aNode1->GetOwnerDocument(getter_AddRefs(domDoc1)); if (!domDoc1) { // aNode1 is not part of a document, let any caller access it. return NS_OK; } doc1 = do_QueryInteface(domDoc1); NS_ASSERTION(doc1, "We have an nsIDOMDocument that's not QIable to nsIDocument"); or something along those lines. That way a QI failure won't suddenly open up access to stuff. Same thing for doc2, of course, and same in nsContentUtils::CanCallerAccess > + if(NS_FAILED(rv)) { Space after the "if", please? You have this in a few places. > nsDocument::AddBinding(nsIDOMElement* aContent, const nsAString& aURL) How about fixing nsDocument::RemoveBinding too? >+ if (old_doc != mDocument) { >+ if(!nsContentUtils::CanCallerAccess(aNewChild)) { This strikes me as a good place to use boolean operators instead of nested ifs... ;) >+ if (old_doc != mDocument) { >+ if(!nsContentUtils::CanCallerAccess(aNewChild)) { Here too. >+MBool URIUtils::CanCallerAccess(nsIDOMNode *aNode) Same comments apply here as to nsContentUtils::CanCallerAccess >+#else #else /* TX_EXE */ > #endif #endif /* TX_EXE */ Makes things more readable, imo.
Attached patch fixes bzs comments (obsolete) — Splinter Review
Attachment #91485 - Attachment is obsolete: true
Comment on attachment 91491 [details] [diff] [review] fixes bzs comments sr=bzbarsky
Attachment #91491 - Flags: superreview+
also changed the transformiix stuff to if (!URIUtils::CanCallerAccess(aSourceDOM) || !URIUtils::CanCallerAccess(aStyleDOM) || !URIUtils::CanCallerAccess(aOutputDoc)) return NS_ERROR_DOM_SECURITY_ERR;
This patch increased new window time on tinderbox by around 20%-25% on the mid-speed tinderboxes and by 47% on the fastest tinderbox (comet). (The slow ones haven't cycled yet.) That seems a bit excessive. Any thoughts on how to fix it?
Also, please correct the indentation in txURIUtils (4 spaces instead of 2) and share CanCallerAccess (for example exposing it through the security manager) instead of implementing it twice.
Ugh, that sucks... I'll have a look and see why we end up hitting this new security check so often, updating my tree now...
Attached patch Fix the performance issues (obsolete) — Splinter Review
Looks like the performance hit was due to the security checks in nsXULCommandDispatcher::AddCommandDispatcher() and nsXULDocument::AddBroadcastListenerFor(), so I changed those to use the faster version of the security check which is more or less a nop in the common case (every case during startup), and I also optimized the checks in nsGenericElement a bit more. Also, I added a cache for the security manager pointer to nsContentUtils to avoid hitting the component manager for every security check.
Attached patch diff -w of the above (obsolete) — Splinter Review
CanCallerAccess(nsIDOMNode *) does IMO *not* belong in caps. Had it been more than a trivial ammount of code we could share it, but given how little code it is I don't think it's worth it.
+ if (!doc2) { + // aNode is neither a nsIContent nor an nsIDocument, something + // weird is going on... + + NS_ERROR("aNode is neither an nsIContent nor an nsIDocument!"); + + return NS_ERROR_UNEXPECTED; Why not do the same as for aNode1 and say that this is a faked node? I.e. return NS_ERROR_DOM_SECURITY_ERR. Same in nsContentUtils::CanCallerAccess Shouldn't you release the security-manager somewhere? though i can't find any place where sXPConnect is release either... I'll try to come up with some code to speed up the XSLT stuff
other then that r=sicking
I decided to return NS_ERROR_UNEXPECTED in stead of NS_ERROR_DOM_SECURITY_ERR since we don't know for a fact that the case where that code would be triggerd is a security error, it might be, but it could be for some other reason as well. And yes, the cached security manager needs to be released in nsContentUtils::Shutdown() (where sXPConnect is released too btw). Consider that change made...
Comment on attachment 91527 [details] [diff] [review] Fix the performance issues ok, r=sicking
Attachment #91527 - Flags: review+
Comment on attachment 91527 [details] [diff] [review] Fix the performance issues It may be a good idea to move the |if (!sSecurityManager)| checks up to before we do all that document-getting. Doesn't affect us, but may affect some embedding apps. other than that, sr=bzbarsky (assuming that change to Shutdown(), of course).
Attachment #91527 - Flags: superreview+
No, I intentionally put the if (!sSecurityManager) check far down in the method so that we don't bother doing that check in the fast path (i.e. get the document pointers and compare, and return early in the common case). It only matters for embedders who choose to not have a security manager, which would be a really bad decision IMO.
Comment on attachment 91597 [details] [diff] [review] XSLT/XPath changes sr=jst
Attachment #91597 - Flags: superreview+
Comment on attachment 91597 [details] [diff] [review] XSLT/XPath changes >Index: extensions/transformiix/build/XSLTProcessorModule.cpp >=================================================================== >RCS file: /cvsroot/mozilla/extensions/transformiix/build/XSLTProcessorModule.cpp,v >retrieving revision 1.21 >diff -u -r1.21 XSLTProcessorModule.cpp >--- extensions/transformiix/build/XSLTProcessorModule.cpp 15 May 2002 18:53:45 -0000 1.21 >+++ extensions/transformiix/build/XSLTProcessorModule.cpp 17 Jul 2002 04:27:03 -0000 >@@ -192,7 +195,17 @@ > return NS_ERROR_OUT_OF_MEMORY; > if (!txHTMLAtoms::init()) > return NS_ERROR_OUT_OF_MEMORY; >+ >+ rv = nsServiceManager::GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, >+ nsIScriptSecurityManager::GetIID(), >+ (nsISupports **)&sSecurityManager); >+ if (NS_FAILED(rv)) { >+ sSecurityManager = nsnull; >+ return rv; >+ } >+ Please use CallGetService. r=peterv.
Attachment #91597 - Flags: review+
Whiteboard: [ADT2 RTM] [eta 07/17] → [ADT2 RTM] [eta 07/18]
Attached patch combines 91527 and 91597 (obsolete) — Splinter Review
combines 91527 and 91597 and makes a small change to ::CheckSameOrigin as discussed on irc
Attachment #91527 - Attachment is obsolete: true
Attachment #91528 - Attachment is obsolete: true
Attachment #91597 - Attachment is obsolete: true
arg, forgot to do petervs change, The new code is rv = CallGetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &sSecurityManager);
apparently i had forgot to save in a few more places, this should be the real deal
Attachment #91748 - Attachment is obsolete: true
Comment on attachment 91753 [details] [diff] [review] *this* is really what i ment to attach >+ /* >+ * Checks if two nodes comes from the same origin. aTrustedNode is Make that two '*' chars on the first line so doxygen picks it up? "whether", not "if". >+ * considered 'safe' in that a user can operate on it and that it isn't >+ * isn't a js-object that implements nsIDOMNode. Take out one "isn't". >+ * Never call this function with the first node provided by script, it >+ * must always be known to be a 'real' node! Could we add a debug-only assertion that aTrustedNode is either an nsIDocument or nsIContent? Just to catch people who don't read comments? More importantly, please add NS_PRECONDITION(aTrustedNode, "There must be a trusted node"), since you dereference it unconditionally when it's not an nsIDocument. You never release sScriptSecurityManager in nsContentUtils::Shutdown() >Index: content/base/src/nsDOMAttributeMap.cpp Replace the code you removed from here with "// XXX" comments to readd it once GetOwnerDocument gets fixed on Attr nodes. File a bug to that effect, make it depend on the relevant Attr node bug. >+extern nsIScriptSecurityManager *sSecurityManager; This may make more sense as gSecurityManager, since it's not static.... But whatever the module convention is. ;) sr=bzbarsky with those changes
Attachment #91753 - Flags: superreview+
Comment on attachment 91753 [details] [diff] [review] *this* is really what i ment to attach r=jst
Attachment #91753 - Flags: review+
Attached patch fixes bzs comments (obsolete) — Splinter Review
this also fixes nsXULElement::GetOwnerDocument which is needed to not regress some xul stuff, got r=jst over irc for that
Attachment #91753 - Attachment is obsolete: true
Comment on attachment 91757 [details] [diff] [review] fixes bzs comments bringing forward r=jst
Attachment #91757 - Flags: review+
Comment on attachment 91757 [details] [diff] [review] fixes bzs comments sr=bzbarsky if you fix the nsContentUtils.h comment to fix that in nsContentUtils.cpp
Attachment #91757 - Flags: superreview+
Apologies if I'm confused about the destination of this patch; however, if this latest patch is intended for the branch, it is incomplete. It needs the Composer fix in editor.js (bug 157851; patch 91702) unless that issue has been addressed in some other way.
brade: The patch from that bug should not be needed any more. However it's still a good thing that it landed on trunk since the new code is faster, cleaner and smaller.
Status: NEW → ASSIGNED
the checkin for this caused bug 158202, should be fixed soon
XUL prototypes are also causing us trouble, we havn't yet ran into a regression from this, but there is a possibility for it. We're looking into how to fix this
QA Contact: lchiang → bsharma
Attached file another testcase
clicking "dump string contents" will dump the string contents of the url in the iframe. I even whitespace-normalised it so that it would be easier to read :) With the patch we throw a security exception. In attachment 91903 [details] pressing "clone contents" will clone all contents of the iframe into the main document. Again, the patch makes us throw a security exception instead.
Blocks: 158340
crash bug 158340 is being blamed on this
Raising priority to ADT1 based on jst's comments in email
Whiteboard: [ADT2 RTM] [eta 07/18] → [ADT1 RTM] [eta 07/18]
this is blamed for the outstanding smoketest blocker: bug 158167 (not a crash)
Blocks: 158167, 158202
Severity: normal → major
OS: Linux → All
Hardware: PC → All
Whiteboard: [ADT1 RTM] [eta 07/18] → [ADT2 RTM] [eta 07/18]
Whiteboard: [ADT2 RTM] [eta 07/18] → [ADT1 RTM] [eta 07/18]
Removing adt1.0.1, as this has been said to cause smoketest blocker bug 158167. It seems that this has caused a couple of regressions each time it has landed on the trunk. what steps can we take to make sure taking this fix this late date does run the risk of breaking something else?
Keywords: adt1.0.1
Whiteboard: [ADT1 RTM] [eta 07/18] → [ADT1 RTM] [eta 07/23]
Target Milestone: --- → mozilla1.0.1
Attached patch fix XUL problem (obsolete) — Splinter Review
This fixes a know XUL problem. I'm not sure if this problem actually has regressed anything in mozilla (I havn't heard of anyone reporting a problem that could be traced back to this) but better stay on the safe side...
Attached patch fix XUL problem version 2 (obsolete) — Splinter Review
addressed comments from jst
Attachment #92260 - Attachment is obsolete: true
Comment on attachment 92292 [details] [diff] [review] fix XUL problem version 2 sr=jst
Attachment #92292 - Flags: superreview+
Comment on attachment 92292 [details] [diff] [review] fix XUL problem version 2 >+ /* Two stars on this first line, please (doxygen syntax). >+ * Sets the url of the nodeinfo manager. This should only be called when >+ * this nodeinfomanager isn't connected to an nsIDocument. Pick a spelling of "nodeinfo manager" and stick with it? ;) >+ * Get hold of each nodes document or uri >+ */ "node's", not "nodes" >+ // In theory this should never happen. But since theory and reality is >+ // different for XUL elements we'll try to get the URI from the "are different" >+ nsCOMPtr<nsINodeInfoManager> nimgr; >+ ni->GetNodeInfoManager(*getter_AddRefs(nimgr)); >+ nimgr->GetDocumentURL(getter_AddRefs(trustedUri)); Can getting nimgr fail or give null here? >+ nsCOMPtr<nsINodeInfoManager> nimgr; >+ ni->GetNodeInfoManager(*getter_AddRefs(nimgr)); >+ nimgr->GetDocumentURL(getter_AddRefs(unTrustedUri)); Same here. >+ if (!trustedUri) { >+ trustedDoc->GetDocumentURL(getter_AddRefs(trustedUri)); Why is trustedDoc not null here? What if the nodeinfo manager just gave us a null URI? >+ if (!unTrustedUri) { >+ unTrustedDoc->GetDocumentURL(getter_AddRefs(unTrustedUri)); Same here. >@@ -552,7 +552,6 @@ > } > } > >- NS_IF_RELEASE(mDocumentURL); > NS_IF_RELEASE(mPrincipal); > mDocumentLoadGroup = nsnull; > >@@ -631,6 +630,8 @@ > if (mNodeInfoManager) { > mNodeInfoManager->DropDocumentReference(); > } >+ >+ NS_IF_RELEASE(mDocumentURL); > } Add a comment explaining why this change was needed. > nsNodeInfoManager::DropDocumentReference() > { >+ if (mDocument) { Is this ever actually called when mDocument is null? (Not that I mind the null-check, but if an assertion would do then we should do that instead.) >+NS_IMETHODIMP >+nsNodeInfoManager::GetDocumentURL(nsIURI** aURL) >+{ >+ NS_ENSURE_ARG_POINTER(aURL); Please assert that !mDocument || !mDocumentURL. It would be even better if we could assert that (mDocument || mDocumentURL) && (!mDocument || !mDocumentURL).... (but I doubt we can do that). Please clear mDocumentURL in Init() as we discussed.
An nsINodeInfo will never give back a null node info manager, and it will never fail to give you a node info manager (unless someone uses a node info that was never initialized, but we don't need to protect against code that broken).
Attached patch Fix bzs comments (obsolete) — Splinter Review
Attachment #92292 - Attachment is obsolete: true
Comment on attachment 92316 [details] [diff] [review] Fix bzs comments bring forward jsts sr
Attachment #92316 - Flags: superreview+
Comment on attachment 92316 [details] [diff] [review] Fix bzs comments r=bzbarsky and all that.
Attachment #92316 - Flags: review+
Attached patch patch for branch (obsolete) — Splinter Review
This is a patch for branch which is a and is a merge of all patches that has landed in relation to this. Including the patches in bug 158202 and bug 158167
Attachment #91079 - Attachment is obsolete: true
Attachment #91491 - Attachment is obsolete: true
Attachment #91507 - Attachment is obsolete: true
Attachment #91757 - Attachment is obsolete: true
Comment on attachment 92316 [details] [diff] [review] Fix bzs comments a=asa (on behalf of drivers) for checkin to 1.1
Attachment #92316 - Flags: approval+
Comment on attachment 92372 [details] [diff] [review] patch for branch r=bzbarsky
Attachment #92372 - Flags: review+
Another regression found: bug 158766. Jst is working on it.
The testcase Jesse just posted in comment 75 reads the contents of a form on a page from another host using only the core DOM function appendChild. This is very serious and directly exploitable, so it's a stop-ship.
Whiteboard: [ADT1 RTM] [eta 07/23] → [ADT1 RTM] [ETA 07/25]
Attached patch Fix the DOM inspector regression (obsolete) — Splinter Review
This fixes the last known regression caused by this whole security fix. This change makes sure that the correct JS context is pushed onto the JS stack when we're focusing and blurring elements from native code. This change does that by creating a new little JS context "pusher" class that uses existing and well tested code to do the pushing and popping of the JS context when event handlers are called. So the bulk of this change is to move exisiting code into a new class and make the code that used the moved code use the new class, and then also use the new class in the code that deals with focus and blur.
Comment on attachment 92515 [details] [diff] [review] Fix the DOM inspector regression r=sicking
Attachment #92515 - Flags: review+
Comment on attachment 92515 [details] [diff] [review] Fix the DOM inspector regression sr=bzbarsky
Attachment #92515 - Flags: superreview+
Comment on attachment 92316 [details] [diff] [review] Fix bzs comments checked in earlier today
Attachment #92316 - Attachment is obsolete: true
Comment on attachment 92372 [details] [diff] [review] patch for branch a=chofmann for 1.0.1. add the fixed1.0.1 keyword after checking into the branch
Attachment #92372 - Flags: approval+
Comment on attachment 92515 [details] [diff] [review] Fix the DOM inspector regression a=chofmann for branch and trunk.
Attachment #92515 - Flags: approval+
Keywords: mozilla1.0.1mozilla1.0.1+
DOM inspector regression fixed on the trunk.
Attached patch Complete diff for the branch. (obsolete) — Splinter Review
This is a diff against the branch, this includes all the above changes, including all regression fixes.
Keywords: adt1.0.1
Bindu, can you verify this on the trunk?
changing the branch landing eta to 7/29 since we'll be letting this bake on the trunk for a few more days.
Whiteboard: [ADT1 RTM] [ETA 07/25] → [ADT1 RTM] [ETA 07/29]
jst mentioned that there was another regression related to this checkin. therefore, i am removing adt1.0.1 nomination until the new regression is addressed. pls renominate when you think the new patch is ready for the branch. thanks!
Keywords: adt1.0.1
Depends on: 159348
The new regression is bug 159348. A patch exists (by sicking and mstoltz), but it's not attached to a bug yet, coming soon.
... and the saga continues, one of my fixes for one of the regressions here caused yet one more regression. Bug 159468 is the newest bug in this sad story (fix attached)... :-(
Depends on: 159468
Attachment #92542 - Attachment is obsolete: true
Whiteboard: [ADT1 RTM] [ETA 07/29] → [ADT1 RTM] [ETA 08/01]
bsharma: Bindu, looks like the patch for the remaining regression has been checked into the trunk. Can you pls run DOM tests, and check around for any possible regressions that might be caused by this fix. If there are none, pls verify this bug as fixed. thanks! sicking: Jonas, now that the last regression has been patched, can you resolve this bug as fixed, and run a diff for 1.0 branch through the review and approval gauntlet, so that we are ready to check this one in tonight? thanks!
Keywords: adt1.0.1, approval
Verified on 2002-07-31-trunk build in Win 2000. Ran following tests and they all give an exception. 1. Test case in comment #1 2. Test case in comment #57 and #58 3. Test case in comment #75. 4. Tests in bug 90757
Adding Siva to the list. He has some DOM tests that he can run.
Attachment #92515 - Attachment is obsolete: true
marking this one fixed on request from adt and that it actually is fixed on the trunk
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Attachment #92372 - Attachment is obsolete: true
Attachment #92973 - Attachment is obsolete: true
Attachment #92977 - Attachment is obsolete: true
can the new patch go as is, or will we need to get new reviews?
Comment on attachment 93512 [details] [diff] [review] patch for branch, including fix for bug 159348 This has got r=bz and sr=jst
Attachment #93512 - Flags: superreview+
Attachment #93512 - Flags: review+
adt1.0.1+ (on ADT's behalf) apporval for checkin to the 1.0 branch, pending drivers' approval. pls check this in asap, then replace "mozilla1.0.1+" with "fixed1.0.1". thanks! Siva and Bindu: Let's finish the test on the trunk tomorrow, and then focus our efforts on the branch. Once you have run all your tests on the branch, feel this is fixed, and that no new regressions were caused by this fix, then pls replace "mozilla1.0.1+" with "fixed1.0.1". thanks!
Keywords: adt1.0.1adt1.0.1+
I'm confused. Who is supposed to change mozilla1.0.1+ to fixed1.0.1? Me or Siva/Bindu?
doh! sorry my bad. apologies all around. jonas, you are *of course* suppose to replace "mozilla1.0.1+" with "fixed1.0.1". once qa verifies the fix on the 1.0 branch, they will replace "fixed1.0.1", with "verified1.0.1". again, my apologies.
Comment on attachment 93512 [details] [diff] [review] patch for branch, including fix for bug 159348 re-approval for branch; change mozilla1.0.1+ to fixed1.0.1 when checked in. Please watch Txul, Ts, and Tp after this is checked in for regressions on branch.
Attachment #93512 - Flags: approval+
Whiteboard: [ADT1 RTM] [ETA 08/01] → [ADT1 RTM] [ETA 08/02]
verfied on trunk.
Status: RESOLVED → VERIFIED
Verified on 2002-08-01-branch on Win 2000. 1. Test case in Comment #1: Dialog bix appears with the Object names when clicked on several buttons. 2. Test case in Comment #57: The another Google is opened in the lower frame when clicked on the Clone contents button. But what I typed in the search box is not displayed. 3. Test case in Comment #58: When clicked on "dump string content" button, the contents of Google window are opened in the lower frame. 4. Test case in Comment #75: Typed search string in the Google window, when clicked on the button, an alert is appeared with the test string from Google window in it. 4. Tests in bug 90757, all the testse are passed.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
bsharma: what branch-build did you test this with? This was checked in on the branch just an hour ago.
bindu, it is to be verified on branch only after fixed1.0.1 is added to the keyword list. I think they are still waiting for the drivers approval to move the patch on to branch. I am marking this bug Resolved/verified fixed again.
Status: REOPENED → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → FIXED
marking verified, needs to verify on branch after mozilla1.0.1 is removed and fixed1.0.1 is added.
Status: RESOLVED → VERIFIED
checked in and cycled green
Keywords: mozilla1.0.1+fixed1.0.1
verified on branch 08-02-06-1.0. adding keyword verified1.0.1
Keywords: fixed1.0.1verified1.0.1
Group: security?
Group: security?
Group: security
Whiteboard: [ADT1 RTM] [ETA 08/02] → [ADT1 RTM] [ETA 08/02] security
Component: DOM: Traversal-Range → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: