Closed Bug 1673164 Opened 5 years ago Closed 5 years ago

received invites show just a blank page. And perma comm/calendar/test/unit/test_ltninvitationutils.js | xpcshell return code: 0 (also comm/calendar/test/browser/invitations/browser_imipBarEmail.js)

Categories

(Core :: DOM: Security, defect, P1)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
84 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- fixed
firefox82 --- unaffected
firefox83 --- fixed
firefox84 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: hsivonen)

References

(Regression)

Details

(Keywords: intermittent-failure, regression)

Attachments

(1 file)

Bug 1673164 - Avoid creating an inert doc when the context is already inert.
47 bytes, text/x-phabricator-request
pascalc
: approval-mozilla-beta+
pascalc
: approval-mozilla-esr78+
Details | Review

Filed by: mkmelin+mozilla [at] iki.fi
Parsed log: https://treeherder.mozilla.org/logviewer.html#?job_id=319597138&repo=comm-central
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Ve3GCgwoQOa_2JvSHYmWvQ/runs/0/artifacts/public/logs/live_backing.log

[task 2020-10-23T23:03:06.987Z] 23:03:06     INFO -  xpcshell-icaljs.ini:comm/calendar/test/unit/test_ltninvitationutils.js | Starting createInvitationOverlay_test
[task 2020-10-23T23:03:06.987Z] 23:03:06     INFO -  (xpcshell/head.js) | test createInvitationOverlay_test pending (2)
[task 2020-10-23T23:03:06.988Z] 23:03:06     INFO -  PID 23054 | [23054, Main Thread] WARNING: EnsureInit: No screen: file /builds/worker/checkouts/gecko/widget/gtk/nsLookAndFeel.cpp:1036
[task 2020-10-23T23:03:06.988Z] 23:03:06     INFO -  PID 23054 | [23054, Main Thread] WARNING: EnsureInit: No screen: file /builds/worker/checkouts/gecko/widget/gtk/nsLookAndFeel.cpp:1036
[task 2020-10-23T23:03:06.988Z] 23:03:06     INFO -  PID 23054 | [23054, Main Thread] WARNING: EnsureInit: No screen: file /builds/worker/checkouts/gecko/widget/gtk/nsLookAndFeel.cpp:1036
[task 2020-10-23T23:03:06.989Z] 23:03:06     INFO -  PID 23054 | [23054, Main Thread] WARNING: EnsureInit: No screen: file /builds/worker/checkouts/gecko/widget/gtk/nsLookAndFeel.cpp:1036
[task 2020-10-23T23:03:06.989Z] 23:03:06     INFO -  PID 23054 | [23054, Main Thread] WARNING: EnsureInit: No screen: file /builds/worker/checkouts/gecko/widget/gtk/nsLookAndFeel.cpp:1036
[task 2020-10-23T23:03:06.990Z] 23:03:06     INFO -  PID 23054 | [23054, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005 (NS_ERROR_FAILURE): file /builds/worker/checkouts/gecko/dom/base/ThirdPartyUtil.cpp:402
[task 2020-10-23T23:03:06.990Z] 23:03:06     INFO -  PID 23054 | [23054, Main Thread] WARNING: NS_ENSURE_TRUE(sgo || !hasHad) failed: file /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5037
[task 2020-10-23T23:03:06.991Z] 23:03:06     INFO -  (xpcshell/head.js) | test run_next_test 1 finished (2)
[task 2020-10-23T23:03:06.991Z] 23:03:06     INFO -  Unexpected exception NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIParserUtils.parseFragment]
[task 2020-10-23T23:03:06.991Z] 23:03:06     INFO -  textToHtmlDocumentFragment@resource:///modules/calendar/utils/calViewUtils.jsm:394:36
[task 2020-10-23T23:03:06.992Z] 23:03:06     INFO -  field@resource:///modules/calendar/ltnInvitationUtils.jsm:92:38
[task 2020-10-23T23:03:06.992Z] 23:03:06     INFO -  createInvitationOverlay@resource:///modules/calendar/ltnInvitationUtils.jsm:106:10
[task 2020-10-23T23:03:06.992Z] 23:03:06     INFO -  createInvitationOverlay_test@/builds/worker/workspace/build/tests/xpcshell/tests/comm/calendar/test/unit/test_ltninvitationutils.js:419:30
[task 2020-10-23T23:03:06.993Z] 23:03:06     INFO -  _run_next_test/<@/builds/worker/workspace/build/tests/xpcshell/head.js:1630:22
[task 2020-10-23T23:03:06.993Z] 23:03:06     INFO -  _run_next_test@/builds/worker/workspace/build/tests/xpcshell/head.js:1630:38
[task 2020-10-23T23:03:06.993Z] 23:03:06     INFO -  run@/builds/worker/workspace/build/tests/xpcshell/head.js:777:9
[task 2020-10-23T23:03:06.993Z] 23:03:06     INFO -  _do_main@/builds/worker/workspace/build/tests/xpcshell/head.js:250:6
[task 2020-10-23T23:03:06.993Z] 23:03:06     INFO -  _execute_test@/builds/worker/workspace/build/tests/xpcshell/head.js:577:5
[task 2020-10-23T23:03:06.993Z] 23:03:06     INFO -  @-e:1:1
[task 2020-10-23T23:03:06.993Z] 23:03:06     INFO -  exiting test

Caused by something from https://hg.mozilla.org/mozilla-central/pushloghtml?changeset=1980f87855fc557e7ef6bb24b66c4d2df5606afa - bug 1666300 would be my first guess```

The parsing failure starts off from https://searchfox.org/comm-central/rev/ccdaa27822e254ca10d9c576c9a3723e141a05ae/calendar/test/unit/test_ltninvitationutils.js#419

Started by the https://hg.mozilla.org/mozilla-central/pushloghtml?changeset=1980f87855fc557e7ef6bb24b66c4d2df5606afa merge - bug 1666300 is the main suspect. Henri, I don't have access to that bug. Anything obvious we need to adapt to?

Flags: needinfo?(hsivonen)
Summary: perma comm/calendar/test/unit/test_ltninvitationutils.js | xpcshell return code: 0 → perma comm/calendar/test/unit/test_ltninvitationutils.js | xpcshell return code: 0 (also comm/calendar/test/browser/invitations/browser_imipBarEmail.js)
Keywords: regression
Regressed by: CVE-2020-26951
Has Regression Range: --- → yes

(In reply to Magnus Melin [:mkmelin] from comment #1)

Anything obvious we need to adapt to?

Not obvious to me from the test case, but the thing to look for is if you try to set innerHTML on a document that was in an iframe but the iframe has been destroyed by the time you try to set innerHTML.

Flags: needinfo?(hsivonen)

Tracked it down a bit.

/// Case A - works

var pu = Cc["@mozilla.org/parserutils;1"].createInstance(Ci.nsIParserUtils);
var flags = pu.SanitizerLogRemovals | pu.SanitizerDropForms | pu.SanitizerDropMedia;
var uri = Services.io.newURI("chrome://lightning/content/lightning-invitation.xhtml");
var context = document.createElement("div");
pu.parseFragment("some html", flags, false, uri, context);

/// Case B - fails. Only doc is different.

// parseFile is simply a sync XMLHttpRequest read: <https://searchfox.org/comm-central/rev/8d9e45511a64e83e3932983d036eca2a353a9261/calendar/base/modules/utils/calXMLUtils.jsm#144>
var doc = cal.xml.parseFile("chrome://lightning/content/lightning-invitation.xhtml");

var pu = Cc["@mozilla.org/parserutils;1"].createInstance(Ci.nsIParserUtils);
var flags = pu.SanitizerLogRemovals | pu.SanitizerDropForms | pu.SanitizerDropMedia;
var uri = Services.io.newURI("chrome://lightning/content/lightning-invitation.xhtml");
var context = doc.createElement("div");
pu.parseFragment("some html", flags, false, uri, context);

Case B doesn't work, will fail at !inert https://hg.mozilla.org/mozilla-central/rev/9143f95d5ab3#l2.27

So are we doing something wrong, or is it a bug?

Flags: needinfo?(hsivonen)

The problem caught by the test is that event invites in emails are broken.

Henri, any input? It's the parserUtils.parseFragment call that fails.
I don't know what an inert document is, or how this all fits into the bug fixed.

Can you check what makes CreateInertDocument return early?

I'm guessing this line:
https://searchfox.org/mozilla-central/rev/c409dd9235c133ab41eba635f906aa16e050c197/dom/base/nsContentUtils.cpp#5037

smaug, how essential is that early return?

Flags: needinfo?(hsivonen) → needinfo?(bugs)

That's indeed the spot that bails out.

Using a document which used to be connected to a global but isn't anymore is worrisome.
Does cal.xml.parseFile("chrome://lightning/content/lightning-invitation.xhtml"); somehow run in a context where the global js object has already died? Or does the global object perhaps die right after calling parseFile?

Null script handling object means that js wrappers for example may get created using somewhat random js global (whoever is the caller).
So one really should try to not use such documents in JS.

(in the old days not having scriptglobal lead to security issues)

Flags: needinfo?(bugs)

You may be on to something wrt global js object (though I don't know how to check).
If I inline the small parseFile function and use it directly there seems to be no problem.

Correction: inlining works in the console. In the real code it doesn't help

function parseFileX(uri) {
  var req = new XMLHttpRequest();
  req.open("GET", uri, false);
  req.overrideMimeType("text/xml");
  req.send(null);
  return req.responseXML;
}

var docURI = "chrome://lightning/content/lightning-invitation.xhtml";
var parseFile = cal.xml.parseFile; // works in the console if i set to parseFileX
var doc = parseFile(docURI);
var pu = Cc["@mozilla.org/parserutils;1"].createInstance(Ci.nsIParserUtils);
var flags = pu.SanitizerLogRemovals | pu.SanitizerDropForms | pu.SanitizerDropMedia;
var uri = Services.io.newURI(docURI);
var context = doc.createElement("div");
pu.parseFragment("some html", flags, false, uri, context);

I'm out of clues atm how that could be different, other than some slight timing being off perhaps.

In this case, parseFile returns a doc marked "loaded as data", so perhaps we should omit the throw-away "loaded as data" doc when the main one already has that bit set.

Does the attached patch fix things?

Flags: needinfo?(mkmelin+mozilla)

It fixes the problem above, but now the input is no longer sanitized like it used to, at least before this bug 1667113. Our test is checking that and therefore fails.

Flags: needinfo?(mkmelin+mozilla)

FYI This is a blocker for beta, and is now impacting our ability to deliver and test critical fixes for other issues, including sec-* fixes needed for release 78 that firefox have already shipped. I know you are working hard at this, but we do need a solution quickly.

Severity: normal → S1
status-thunderbird83: --- → affected
tracking-thunderbird83: --- → +
Priority: P5 → P1
Summary: perma comm/calendar/test/unit/test_ltninvitationutils.js | xpcshell return code: 0 (also comm/calendar/test/browser/invitations/browser_imipBarEmail.js) → received invites show just a blank page. And perma comm/calendar/test/unit/test_ltninvitationutils.js | xpcshell return code: 0 (also comm/calendar/test/browser/invitations/browser_imipBarEmail.js)
Version: unspecified → Thunderbird 83

I will need to sort out testing for the patch before requesting for review.

Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
Pushed by hsivonen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d51fba42ee25 Avoid creating an inert doc when the context is already inert. r=smaug

https://hg.mozilla.org/mozilla-central/rev/d51fba42ee25

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED

Comment on attachment 9184232 [details]
Bug 1673164 - Avoid creating an inert doc when the context is already inert.

[Approval Request Comment]
Regression caused by (bug #): Bug 1667113
User impact if declined: In Thunderbird, can't handle calendar invitations. In Firefox, the impact is unclear, but there's a chance of misbehavior if there's impacted chrome code with lacking test coverage.
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): Should be low risk.

[Approval Request Comment]
Regression caused by (bug #): Bug 1667113
User impact if declined: In Thunderbird, can't handle calendar invitations. In Firefox, the impact is unclear, but there's a chance of misbehavior if there's impacted chrome code with lacking test coverage.
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): Should be low risk.

Attachment #9184232 - Flags: approval-comm-esr78?
Attachment #9184232 - Flags: approval-comm-beta?

Not sure how to get an m-c patch on the m-c uplift radar when the bug is filed on the Thunderbird side. In any case, this should be uplifted to the same branches that bug 1667113 was uplifted to.

Moving to Core in order to be able to set m-c-relevant request flags.

status-thunderbird83: affected → ---
tracking-thunderbird83: + → ---
Component: General → DOM: Security
Flags: approval-comm-esr78?
Flags: approval-comm-beta?
Product: Calendar → Core
Version: Thunderbird 83 → unspecified

Comment on attachment 9184232 [details]
Bug 1673164 - Avoid creating an inert doc when the context is already inert.

Beta/Release Uplift Approval Request

  • User impact if declined: In Thunderbird, can't handle calendar invitations. In Firefox, the impact is unclear, but there's a chance of misbehavior if there's impacted chrome code with lacking test coverage.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This reverts to old flow when the context is already inert.
  • String changes made/needed: None

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: This fixes a regression from bug 1667113, so this should be uplifted to the same branches as bug 1667113.
  • User impact if declined: In Thunderbird, can't handle calendar invitations. In Firefox, the impact is unclear, but there's a chance of misbehavior if there's impacted chrome code with lacking test coverage.
  • Fix Landed on Version: 84
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This reverts to old flow when the context is already inert.
  • String or UUID changes made by this patch: None
Attachment #9184232 - Flags: approval-mozilla-esr78?
Attachment #9184232 - Flags: approval-mozilla-beta?

Comment on attachment 9184232 [details]
Bug 1673164 - Avoid creating an inert doc when the context is already inert.

Fix for a 83/84 regression, evaluated as low risk as we revert to our previous behaviour, approved for 83 beta 8, and esr78 thanks.

Attachment #9184232 - Flags: approval-mozilla-esr78?
Attachment #9184232 - Flags: approval-mozilla-esr78+
Attachment #9184232 - Flags: approval-mozilla-beta?
Attachment #9184232 - Flags: approval-mozilla-beta+
status-firefox82: --- → unaffected
status-firefox83: --- → affected
status-firefox84: --- → fixed
status-firefox-esr78: --- → affected
Target Milestone: --- → 84 Branch
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: