Closed Bug 185945 Opened 22 years ago Closed 3 years ago

recursive document.write prevents browser from shutting down completely

Categories

(Core :: DOM: Core & HTML, defect, P5)

x86
Windows XP
defect

RESOLVED INACTIVE

People

(Reporter: tpbarber, Unassigned)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2) Gecko/20021126
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2) Gecko/20021126

Scripts like this one run indefinitely, locking up mozilla and leaving a phantom
process on XP:

<html><script>
d=document; j=0;
x='<br><scr'+'ipt>d.write(x);alert(j++);</scr'+'ipt>';
d.write(x);
</script></html>
Reproducible: Always

Steps to Reproduce:
Try this script, with or without alert.  Similar effects can be created by
abusing eval or setTimeout.

<html><script>
d=document; j=0;
x='<br><scr'+'ipt>d.write(x);alert(j++);</scr'+'ipt>';
d.write(x);
</script></html>


Actual Results:  
Browser lockup.  Phantom process running after browser closed.  Likely buffer
overflow.

Expected Results:  
Ideally Mozilla would "kill the children" at some level.  It looks like IE
ignores dynamically generated scripts at the 4th generation.  Note that similar
restrictions are needed to prevent mischief with eval and setTimeout.
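As an added illustration of the "kill the children at some level" behaviour the reporter asks for (this is example code, not from the bug report or from Mozilla): a toy document.write() model for Node.js that executes the inline scripts it writes, run against the reporter's recursive pattern both without a cap and with a hypothetical 4-generation cap. ToyDocument, runTestcase and RECURSIVE_MARKUP are names assumed for the example.

```javascript
// Added example, not from the bug report: a toy document.write() that runs the
// inline scripts it writes, with an optional generation cap. ToyDocument,
// runTestcase and RECURSIVE_MARKUP are hypothetical names.
const SCRIPT_RE = /<script>([\s\S]*?)<\/script>/g;

class ToyDocument {
  constructor(maxGeneration) {
    this.maxGeneration = maxGeneration; // null = no cap (the reported behaviour)
    this.generation = 0;                // nesting depth of the running script
    this.executed = 0;                  // scripts that actually ran
    this.dropped = 0;                   // scripts refused by the cap
    this.html = "";
  }
  // Append markup, then run each inline script in it, as document.write() did.
  write(markup) {
    this.html += markup;
    for (const m of markup.matchAll(SCRIPT_RE)) this.runScript(m[1], markup);
  }
  runScript(src, markup) {
    if (this.maxGeneration !== null && this.generation >= this.maxGeneration) {
      this.dropped++;                   // cap reached: ignore this generation
      return;
    }
    this.generation++;
    this.executed++;
    try {
      // `d` is this document and `x` the markup being written, standing in
      // for the `d=document` and `x=...` globals of the testcase.
      new Function("d", "x", src)(this, markup);
    } finally {
      this.generation--;
    }
  }
}
// The reporter's pattern: markup whose script writes the same markup again.
const RECURSIVE_MARKUP = "<br><script>d.write(x)</script>";
// Run the pattern under a cap (null = unbounded) and report what happened.
function runTestcase(maxGeneration) {
  const doc = new ToyDocument(maxGeneration);
  let error = null;
  try {
    doc.write(RECURSIVE_MARKUP);
  } catch (e) {
    error = e.name;                     // unbounded run: RangeError at the stack limit
  }
  return { executed: doc.executed, dropped: doc.dropped, error };
}
console.log("cap 4:", runTestcase(4));     // executed 4, dropped 1, error null
console.log("no cap:", runTestcase(null)); // executed many, error "RangeError"
```

Without the cap the toy recurses until the JS engine's own stack limit stops it; with the cap the fifth generation is simply never executed, which is the kind of bound the report describes.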
Not a JS Engine issue; JS Engine contains no browser objects
such as |document| nor HTML nodes such as <script>.

This could be assigned either to DOM or to Security:General.
Sending to DOM for further triage.

Note this is the DOM equivalent of the Layout bug 136580,
"Catch recursive content much sooner"

Perhaps there is already a DOM bug on file for this issue, 
but I couldn't find it -
Assignee: rogerl → jst
Status: UNCONFIRMED → NEW
Component: JavaScript Engine → DOM Level 0
Ever confirmed: true
QA Contact: pschwartau → desale
Summary: Scripts that write scripts can cause buffer overflow. → recursive document.write prevents browser from shutting down completely
I can't reproduce this on CVS build on Linux.

The script stops on j=997 and Mozilla is functioning as expected and can be
closed fine.
Only 1.2 or windows issue?
I've seen this before - it causes an infinite recursion, but I've seen no
evidence that it's an exploitable buffer overrun.
Is there any explanation why this does not work on Linux?
Mass-reassigning bugs to dom_bugs@netscape.com
Assignee: jst → dom_bugs
*** Bug 214198 has been marked as a duplicate of this bug. ***
Attached file testcase
fixed by bug 197052 ?
(In reply to comment #7)
> Created an attachment (id=285864) [details]
> testcase
> 
> fixed by bug 197052 ?

needs verification - reporter is gone
Assignee: general → nobody
QA Contact: desale → general
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven’t been updated in more than 3 years and have no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INACTIVE