
image map editor uses eval incorrectly

RESOLVED WONTFIX

Status

SeaMonkey
Composer
RESOLVED WONTFIX
15 years ago
3 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

(Blocks: 2 bugs, {helpwanted, sec-want})

Trunk
helpwanted, sec-want

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:want P4] UI for reaching this code is commented out, URL)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

15 years ago
cutCopy() contains code like this:
  clipboardItem[i] = 'Poly(\"'+coords+'\", \"'+href+'\", \"'+target+'\", \"'+alt+'\", true)';

paste() contains code like this:
  eval(clipboard[i])

If an attribute includes a " character, this code will fail.  If an attribute
contains malicious code such as "+alert(Components.classes)+", copying and
pasting in the image map editor will execute the malicious code with chrome
privs.  I haven't actually tested this because the image map editor is disabled.

The image map editor could use code like this to avoid reparsing:

clipboard[i] = { func:Poly, params:[coords,href,target,alt,true] }

clipboard[i].func.apply(window, clipboard[i].params);
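An added example (not code from the Composer image map editor) that puts the serialize-then-eval clipboard from the report beside the function-plus-parameters form suggested above; `Poly` is a stand-in that only records its arguments, `canary` is a benign flag-setter, and the attribute values are constructed:

```javascript
// Stand-in for the editor's Poly(): it only records the arguments it received.
const created = [];
function Poly(coords, href, target, alt, selected) {
  const area = { coords, href, target, alt, selected };
  created.push(area);
  return area;
}

// Benign canary: set if attribute text is ever executed as code.
let canaryFired = false;
function canary() { canaryFired = true; return ''; }

// Unsafe pattern from cutCopy()/paste(): quote the values into JS source, then eval it.
function unsafeCopy(coords, href, target, alt) {
  return 'Poly("' + coords + '", "' + href + '", "' + target + '", "' + alt + '", true)';
}
function unsafePaste(item) {
  return eval(item); // re-parses whatever the attributes contained as code
}

// Suggested pattern: keep the function and its arguments as data; nothing is re-parsed.
function safeCopy(coords, href, target, alt) {
  return { func: Poly, params: [coords, href, target, alt, true] };
}
function safePaste(item) {
  return item.func.apply(null, item.params);
}

// Constructed sample values: a plain alt, an alt containing a quote, and an alt
// shaped like the report's "+alert(...)+" but calling the benign canary instead.
const plain = ['0,0,10,10', 'http://example.test/', '_blank', 'a square'];
const quoted = ['0,0,10,10', 'http://example.test/', '_blank', 'say "hi"'];
const injected = ['0,0,10,10', 'http://example.test/', '_blank', '"+canary()+"'];

function demo() {
  const r = { plainAlt: null, quotedUnsafeError: null, canaryViaUnsafe: false,
              quotedSafeAlt: null, injectedSafeAlt: null, canaryViaSafe: false };
  r.plainAlt = unsafePaste(unsafeCopy(...plain)).alt;
  try { unsafePaste(unsafeCopy(...quoted)); } catch (e) { r.quotedUnsafeError = e.name; }
  canaryFired = false;
  unsafePaste(unsafeCopy(...injected));
  r.canaryViaUnsafe = canaryFired;   // true: the attribute text ran as code
  canaryFired = false;
  r.quotedSafeAlt = safePaste(safeCopy(...quoted)).alt;
  r.injectedSafeAlt = safePaste(safeCopy(...injected)).alt;
  r.canaryViaSafe = canaryFired;     // false: the same text stayed a plain string
  return r;
}
```

The quote in `quoted` breaks the eval path with a SyntaxError while the data path carries it through unchanged, which is the failure mode the report describes.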
(Reporter)

Updated

15 years ago
Blocks: 84303, 88314
Whiteboard: security

Updated

15 years ago
Keywords: helpwanted
OS: Windows 2000 → All
Hardware: PC → All
Target Milestone: --- → Future

Comment 1

15 years ago
--> cmanske
Assignee: syd → cmanske
Keywords: nsbeta1+

Comment 2

15 years ago
removing nsbeta1+; seeking re-triage
image map editor is not currently part of the build
Keywords: nsbeta1+ → nsbeta1

Comment 3

15 years ago
Composer triage team: nsbeta1-
Keywords: nsbeta1 → nsbeta1-
This could be a serious security bug - please make sure this is fixed *before*
the feature is added to the build.
Whiteboard: security → [sg:fix]
Product: Browser → Seamonkey
Assignee: cmanske → cst
Status: NEW → ASSIGNED
Created attachment 170262 [details] [diff] [review]
patch
Created attachment 170292 [details] [diff] [review]
patch
Attachment #170262 - Attachment is obsolete: true
Comment on attachment 170292 [details] [diff] [review]
patch

Note that the patch does not make the situation with newlines at the end of the
file worse (biesi confirmed this).
Attachment #170292 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #170292 - Flags: review?(timeless)
Keywords: helpwanted
Whiteboard: [sg:fix] → [sg:fix] [cst: r?]
Target Milestone: Future → mozilla1.8beta

Updated

13 years ago
Attachment #170292 - Flags: review?(timeless) → review+

Comment 8

13 years ago
Comment on attachment 170292 [details] [diff] [review]
patch

There's no point serializing an element to a string that we're not going to
evaluate. Might as well just put clones of the element in the clipboard and
append them when you paste.
Attachment #170292 - Flags: superreview?(neil.parkwaycc.co.uk) → superreview-
Whiteboard: [sg:fix] [cst: r?] → [sg:fix] [cst: ]
Whiteboard: [sg:fix] [cst: ] → [sg:fix]
Target Milestone: mozilla1.8beta1 → mozilla1.8beta2

Updated

13 years ago
Target Milestone: mozilla1.8beta2 → ---
Keywords: helpwanted
Target Milestone: --- → Future
Status: ASSIGNED → NEW
(Reporter)

Updated

12 years ago
Whiteboard: [sg:fix] → [sg:want P4] UI for reaching this code is commented out
Assignee: cst → composer
QA Contact: sujay
Assignee: composer → nobody
QA Contact: composer
Target Milestone: Future → ---

Comment 9

8 years ago
MASS-CHANGE:
This bug report is registered in the SeaMonkey product, but has been without a comment since the inception of the SeaMonkey project. This means that it was logged against the old Mozilla suite and we cannot determine that it's still valid for the current SeaMonkey suite. Because of this, we are setting it to an UNCONFIRMED state.

If you can confirm that this report still applies to current SeaMonkey 2.x nightly builds, please set it back to the NEW state along with a comment on how you reproduced it on what Build ID, or if it's an enhancement request, why it's still worth implementing and in what way.
If you can confirm that the report doesn't apply to current SeaMonkey 2.x nightly builds, please set it to the appropriate RESOLVED state (WORKSFORME, INVALID, WONTFIX, or similar).
If no action happens within the next few months, we move this bug report to an EXPIRED state.

Query tag for this change: mass-UNCONFIRM-20090614
Status: NEW → UNCONFIRMED
(Reporter)

Comment 10

8 years ago
Do not expire security bugs.
Status: UNCONFIRMED → NEW
Keywords: sec-want

Comment 11

5 years ago
This code does not exist in the tree any more. Removed in Bug 717240 => INVALID/WONTFIX.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX