Closed Bug 1595399 Opened 5 years ago Closed 4 years ago

Spam many alerts without the 'Prevent this page from creating additional dialogs' checkbox

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Platform:
Desktop
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla73
Tracking Flags:
Tracking Status
firefox-esr68 73+ verified
firefox71 --- wontfix
firefox72 --- wontfix
firefox73 --- verified
firefox74 --- verified

People

(Reporter: nathan, Assigned: farre)

References

(
URL
)

Details

(Keywords: csectype-dos, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main73-][adv-esr68.5-])

Attachments

(1 file)

Bug 1595399 - Prevent EndDragSession from being called recursively. r=smaug!
47 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-esr68+
Details | Review

It is possible to execute JavaScript code in the Firefox browser which causes an infinite loop of alerts that cannot be dismissed.
It removes the 'Prevent this page from creating additional dialogs' checkbox which would otherwise prevent this sort of thing.

The bug is working in the latest version of FireFox Developer Edition 71.0b8 (64-bit).
(I'm running MacOS 10.13.5 if that helps!)

By using the 'ondragend' inline event handler, an infinite loop of alerts can be created.
eg. <p id="test" draggable="true" ondragend="alert('Infinite alerts')">Please drag me!</p>

As soon as the user drags the element, an alert will be created. However, as soon as they dismiss it a new alert will be created.
The ondragend event seems to be re-triggered indefinitely, and bypassing the normal 'Prevent this page from creating addition dialogs' option.

Flags: sec-bounty?

When I try the testcase, I can close the tab fine while the alerts are up, using the [x] on the tab or a shortcut. Do you see something else?

Flags: needinfo?(nathan)
Summary: Infinite alert bug → Spam many alerts without the 'Prevent this page from creating additional dialogs' checkbox

Yes, it is possible to close the tab.
It is simply the missing 'Prevent this page from creating additional dialogs'.

Flags: needinfo?(nathan)

Something is wonky in DOM land here. We queue up on the order of several 100 prompts in DOM code, and every time we check if the last time we closed a dialog was recent the time is still null. It seems like there's either some kind of re-entrancy (which might be its own bug?), and/or we should be setting mLastDialogQuitTime again as soon as we commit to displaying a prompt (ie after reading this value, perhaps as a base we should set the "last quit time" to the "current open time", as it were, to avoid issues where we re-enter and haven't yet set the last quit time.

On a debug build, I also hit an assertion in the window watcher:

Assertion failure: XRE_IsParentProcess(), at path/to/m-c/toolkit/components/windowwatcher/nsWindowWatcher.cpp:702
#01: nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, char const*, char const*, char const*, nsISupports*, mozIDOMWindowProxy**)[NightlyDebug.app/Contents/MacOS/XUL +0x590ddfc]

presumably from the window.open call that is also in the testcase linked at the URL. That seems... not good. Andreas, can you take a look?

Group: firefox-core-security → dom-core-security
Status: UNCONFIRMED → NEW
Type: task → defect
Component: Security → DOM: Core & HTML
Ever confirmed: true
Flags: needinfo?(afarre)
Product: Firefox → Core

A page can block itself, but it's not harming the browser in any other way. Does this need to be hidden as a security bug? It's clearly broken though!

Keywords: csectype-dos
Keywords: sec-low

I tried this through mozregression and I've found a couple of things. First I landed at:

https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8de293399b5af8933eefeb4deea308c9f4707622&tochange=402db246b36ea3db0b784e7db75e68d63bddfb07

but this only tells us that dragging empty data is now supported, so I changed it to an <img>. Then I found that this has always been the case as far back as middle of 2017, where it instead of infinity-alerting actually crashed.

I'll continue digging some more tomorrow.

Assignee: nobody → afarre

So I've found and solved it. The problem was that entering modal state tries to end a currently active drag session. If ending a drag session triggers entering modal state we get a recursively triggering ondragend. Added a bool to check, not sure if that's the best. Will ask :smaug for review.

Flags: needinfo?(afarre)

nsGlobalWindowOuter::EnterModalState will try to end the current drag
session, so we need to keep track if we're entering modal state from
an event firing from ending the drag session.

Priority: -- → P2

https://hg.mozilla.org/integration/autoland/rev/ec2d5fef8d14d262525c7eecd7ec8d124bbd40c6
https://hg.mozilla.org/mozilla-central/rev/ec2d5fef8d14

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox73: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla73

Does this need uplift or can it ride the trains to 73?

status-firefox71: affectedwontfix
status-firefox72: affectedfix-optional
status-firefox-esr68: --- → fix-optional

Unfortunately this bug does not meet the security bug bounty criteria.

Flags: sec-bounty? → sec-bounty-

(In reply to Julien Cristau [:jcristau] from comment #9)

Does this need uplift or can it ride the trains to 73?

:farre, can you make a call here about uplifting this to beta?

Flags: needinfo?(afarre)
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage]

This issue was reproduced on Firefox Release v72.0 and the fix was verified on Beta v73.0b2 and Nightly v74.0a1 on Windows 10 and Ubuntu 18.

Status: RESOLVED → VERIFIED
status-firefox73: fixedverified
status-firefox74: --- → verified
Flags: qe-verify+
OS: Unspecified → All
Hardware: Unspecified → Desktop
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main73-]

Comment on attachment 9110193 [details]
Bug 1595399 - Prevent EndDragSession from being called recursively. r=smaug!

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Drag and drop is broken
  • User impact if declined: Drag and drop is broken
  • Fix Landed on Version: 73
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Change is small and is similar to the solution for ending a drag.
  • String or UUID changes made by this patch: None
Flags: needinfo?(afarre)
Attachment #9110193 - Flags: approval-mozilla-esr68?

Comment on attachment 9110193 [details]
Bug 1595399 - Prevent EndDragSession from being called recursively. r=smaug!

Fixes a case where drag and drop can be pretty broken. Approved for 68.5esr.

Attachment #9110193 - Flags: approval-mozilla-esr68? → approval-mozilla-esr68+

I do now know how this fix should be verified because, in ESR68, this example paragraph that reproduces the issue is not draggable at all like it is in the 3 other channels so this issue cannot be reproduced, nor verified on ESR channel.

How should this be addressed further?

Flags: needinfo?(afarre)
Whiteboard: [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main73-] → [reporter-external] [client-bounty-form] [verif?][post-critsmash-triage][adv-main73-][adv-esr68.5-]

So anything that is draggable should be able to reproduce this. So if you switch to an dragging an <img> it should repro. Tell me if it is not so and I will try to find another way.

Flags: needinfo?(afarre) → needinfo?(daniel.bodea)

I have modified the HTML test page to make an image draggable and with an alert on drag.
This issue is also verified in ESR v68.5.0esr. Thank you.

status-firefox-esr68: fixedverified
Flags: needinfo?(daniel.bodea)
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: