Closed Bug 181934 Opened 22 years ago Closed 22 years ago

unable to access documentElement from signed script

Categories

(Core :: Security: CAPS, defect)

Product:
Core
Component:
Security: CAPS
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: waterson, Assigned: security-bugs)

References

Details

Attachments

(4 files)

test case, not in a JAR file (works)
364 bytes, text/html
Details
Signed JAR file containing bug.html
2.22 KB, application/octet-stream
Details
self-signing cert used to sign app
1.12 KB, application/x-x509-ca-cert
Details
proposed fix
659 bytes, patch
Details | Diff | Splinter Review
The following script works fine when run from an unsigned script, but fails with an exception ("Permission denied to get property XMLDocument.documentElement") when run from a signed script: function doit() { var requestBody = document.implementation.createDocument("", "data", null); requestBody.documentElement.appendChild(document.createTextNode("blah")); } I've dug into it a little bit, and it appears that nsScriptSecurityManager::CheckJSFunctionCallerAccess is receiving JSVAL_NULL as the value of "vp", and is not able to handle this case. fun_getProperty (jsfun.c:932) will explicitly send JSVAL_NULL in some cases which I can't pretend to understand. Test case anon.
This is the base test case, when run outside of a signed JAR file, ought to work just fine (i.e., no exception on JS console).
Either save the above JAR file locally, or use this URL to run bug.html from b.m.o: jar:http://bugzilla.mozilla.org/attachment.cgi?id=107415&action=view!/bug.html When you press the button, you'll see the following on the JS console: "Error: uncaught exception: Permission denied to get property XMLDocument.documentElement", which is silly.
If you want, you can install this self-signed cert, but it ought to be irrelevant to the problem at hand.
Possibly related to bug 119529?
Attached patch proposed fixSplinter Review
The other call to rt->checkObjectAccess, in jsexn.c, uses !JSVAL_IS_PRIMITIVE to ensure that *vp refers to an object. Can someone test this patch? I bet waterson no longer has a mozilla tree to update and build. Thanks, /be
brendan, your patch gets me past the assert-botch, and gets things working when I run the JAR'd test case from a "file:" URL. However, there appear to be further problems when running from an "http:" URL (e.g., clicking on the attachment link above). I'll file a separate bug on that.
Blocks: 182069
Filed bug 182069 as a follow-on.
Fix checked in. /be
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: