Closed Bug 1611993 Opened 5 years ago Closed 5 years ago

nsImageBoxFrame runs script at unsafe times

Categories

(Core :: XUL, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla74
Tracking Status
firefox-esr68 --- wontfix
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- fixed

People

(Reporter: bzbarsky, Assigned: bzbarsky)

Details

(Keywords: sec-other, Whiteboard: [post-critsmash-triage][adv-main74-])

Attachments

(1 file)

nsImageBoxFrame::UpdateImage calls nsContentUtils::LoadImage which ends up doing the newChannel call, getting the protocol handler etc. The protocol handler in this case is PageIconProtocolHandler which is implemented in script, so we run that script while in an unsafe state (in the middle of an attribute mutation).

I wonder whether we can put the LoadImage call on a scriptrunner here.

Note: security impact is likely none.
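The deferral idea in the report above, as an added example that is not Gecko code or the attached patch: a self-contained model in which a load that may run script is either performed in the middle of a mutation or queued until the mutation guard is released. `MutationGuard`, `DeferUntilSafe`, `LoadImage`, `SetSrcAttr`, `Run` and the sample URI are hypothetical stand-ins constructed for illustration.

```cpp
#include <functional>
#include <string>
#include <utility>
#include <vector>

static int gGuards = 0;                              // depth of unsafe regions
static std::vector<std::function<void()>> gPending;  // deferred work
static std::vector<std::string> gLog;                // observed event order

// Run now if no guard is active, otherwise queue until the last guard goes away.
void DeferUntilSafe(std::function<void()> work) {
  if (gGuards == 0) { work(); return; }
  gPending.push_back(std::move(work));
}

// RAII marker for a region where script must not run (an attribute mutation).
struct MutationGuard {
  MutationGuard() { ++gGuards; }
  ~MutationGuard() {
    if (--gGuards != 0) return;
    // Deferred work may queue more work, so drain until the queue is empty.
    while (!gPending.empty()) {
      auto batch = std::move(gPending);
      gPending.clear();
      for (auto& work : batch) work();
    }
  }
};

// Stand-in for a load whose protocol handler is implemented in script.
void LoadImage(const std::string& uri) {
  gLog.push_back(std::string(gGuards ? "UNSAFE" : "safe") + " load " + uri);
}

// Attribute mutation that triggers an image update, directly or deferred.
void SetSrcAttr(const std::string& uri, bool defer) {
  MutationGuard guard;                 // mutation in progress
  gLog.push_back("begin mutation");
  if (defer) DeferUntilSafe([uri] { LoadImage(uri); });
  else       LoadImage(uri);           // handler script would run mid-mutation
  gLog.push_back("end mutation");
}

// Returns the event order for one mutation with a constructed sample URI.
std::vector<std::string> Run(bool defer) {
  gLog.clear();
  SetSrcAttr("page-icon:https://example.test/", defer);
  return gLog;
}
```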

Keywords: sec-other
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Group: core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main74-]
Group: core-security-release