heap-buffer-overflow widget/windows/nsWindow.cpp:8197 in nsWindow::PickerOpen(void) in headless mode
Categories: Core :: Widget: Win32, defect
People: Reporter: m.cooolie, Assigned: rkraesig
Details: Keywords: csectype-bounds, reporter-external, sec-moderate; Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main121+][adv-esr115.6+]
Attachments (4 files, 1 obsolete file): 202 bytes text/html; 48 bytes text/x-phabricator-request (flags: RyanVM: approval-mozilla-beta+, RyanVM: approval-mozilla-esr115+, tjr: sec-approval+); 10.05 KB application/x-javascript; 236 bytes text/plain
# Reproduce
OS: win x64
121.0a1 (2023-11-06) (64-bit)
- python -m http.server 1337
- python -m ffpuppet firefox --headless -p prefs.js -d -u http://localhost:1337/poc.html

# Analysis
Not yet

# ASAN
==36900==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x12959aa2c548 at pc 0x7ffdb43a10c9 bp 0x00b1a35fc010 sp 0x00b1a35fc058
READ of size 4 at 0x12959aa2c548 thread T0
#0 0x7ffdb43a10c8 in nsWindow::PickerOpen(void) /builds/worker/checkouts/gecko/widget/windows/nsWindow.cpp:8197
#1 0x7ffdb41fe18d in AutoWidgetPickerState::PickerState /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:68
#2 0x7ffdb41fe18d in AutoWidgetPickerState::AutoWidgetPickerState /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:59
#3 0x7ffdb41fe18d in nsFilePicker::ShowFilePicker(class nsTString<char16_t> const &) /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:490
#4 0x7ffdb420128c in nsFilePicker::ShowW(enum nsIFilePicker::ResultCode *) /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:566
#5 0x7ffdb40d368b in nsBaseFilePicker::AsyncShowFilePicker::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseFilePicker.cpp:86
#6 0x7ffdaa3057ce in mozilla::RunnableTask::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:549
#7 0x7ffdaa2e7675 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:876
#8 0x7ffdaa2e2dc5 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:699
#9 0x7ffdaa2e3a14 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:485
#10 0x7ffdaa309111 in mozilla::TaskController::TaskController::<lambda_5>::operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211
#11 0x7ffdaa309111 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548
#12 0x7ffdaa339bc5 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198
#13 0x7ffdaa34aa8a in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480
#14 0x7ffdaba43477 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
#15 0x7ffdab960483 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370
#16 0x7ffdab960483 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363
#17 0x7ffdab96024a in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345
#18 0x7ffdb40b3a1c in nsBaseAppShell::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
#19 0x7ffdb42f6487 in nsAppShell::Run(void) /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:824
#20 0x7ffdb894682b in nsAppStartup::Run(void) /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:296
#21 0x7ffdb8c90586 in XREMain::XRE_mainRun(void) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5680
#22 0x7ffdb8c95b17 in XREMain::XRE_main(int, char **const, struct mozilla::BootstrapConfig const &) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5889
#23 0x7ffdb8c96c3f in XRE_main(int, char **const, struct mozilla::BootstrapConfig const &) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5945
#24 0x7ff74be320d8 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:227
#25 0x7ff74be320d8 in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:445
#26 0x7ff74be314d8 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:151
#27 0x7ff74bf14207 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
#28 0x7ff74bf14207 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#29 0x7ffe18107343 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017343)
#30 0x7ffe192e26b0 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800526b0)
0x12959aa2c548 is located 56 bytes before 608-byte region [0x12959aa2c580,0x12959aa2c7e0)
allocated by thread T0 here:
#0 0x7ffdc70150e4 in calloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:114
#1 0x7ffdaa17a054 in PLDHashTable::MakeEntryHandle(void const *, struct std::nothrow_t const &) /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:630
#2 0x7ffdaa17b080 in PLDHashTable::MakeEntryHandle(void const *) /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:674
#3 0x7ffdad9047bc in PLDHashTable::WithEntryHandle<class `protected: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::WithEntryHandle<class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1>>(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &, class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1> &&)'::`1'::<lambda_1>>(void const *, class `protected: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::WithEntryHandle<class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1>>(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &, class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1> &&)'::`1'::<lambda_1> &&) /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:605
#4 0x7ffdad8c7437 in nsTHashtable<mozilla::IdentifierMapEntry>::WithEntryHandle /builds/worker/checkouts/gecko/xpcom/ds/nsTHashtable.h:434
#5 0x7ffdad8c7437 in nsTHashtable<mozilla::IdentifierMapEntry>::PutEntry /builds/worker/checkouts/gecko/xpcom/ds/nsTHashtable.h:306
#6 0x7ffdad8c7437 in mozilla::dom::ShadowRoot::AddToIdTable(class mozilla::dom::Element *, class nsAtom *) /builds/worker/checkouts/gecko/dom/base/ShadowRoot.cpp:553
#7 0x7ffdad736a6b in mozilla::dom::Element::AddToIdTable /builds/worker/checkouts/gecko/dom/base/Element.cpp:1136
#8 0x7ffdad736a6b in mozilla::dom::Element::BindToTree(struct mozilla::dom::BindContext &, class nsINode &) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1921
#9 0x7ffdad5895fa in nsStyledElement::BindToTree(struct mozilla::dom::BindContext &, class nsINode &) /builds/worker/checkouts/gecko/dom/base/nsStyledElement.cpp:210
#10 0x7ffdb105236a in nsGenericHTMLElement::BindToTree(struct mozilla::dom::BindContext &, class nsINode &) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:466
#11 0x7ffdada4edaf in nsINode::InsertChildBefore(class nsIContent *, class nsIContent *, bool, class mozilla::ErrorResult &) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1613
#12 0x7ffdb4a35013 in nsINode::AppendChildTo /builds/worker/checkouts/gecko/dom/base/nsINode.h:967
#13 0x7ffdb4a35013 in mozilla::AccessibleCaret::CreateCaretElement::<lambda_1>::operator() /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:237
#14 0x7ffdb4a35013 in mozilla::AccessibleCaret::CreateCaretElement(void) const /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:240
#15 0x7ffdb4a31d44 in mozilla::AccessibleCaret::InjectCaretElement(class mozilla::dom::Document *) /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:199
#16 0x7ffdb4a3ba06 in mozilla::AccessibleCaret::AccessibleCaret /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:82
#17 0x7ffdb4a3ba06 in mozilla::MakeUnique<class mozilla::AccessibleCaret, class mozilla::PresShell *&>(class mozilla::PresShell *&) /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:605
#18 0x7ffdb4a37baa in mozilla::AccessibleCaretManager::AccessibleCaretManager /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:86
#19 0x7ffdb4a37baa in mozilla::MakeUnique /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:605
#20 0x7ffdb4a37baa in mozilla::AccessibleCaretEventHub::Init(void) /builds/worker/checkouts/gecko/layout/base/AccessibleCaretEventHub.cpp:365
#21 0x7ffdb4a7d9fa in mozilla::PresShell::Init(class nsPresContext *, class nsViewManager *) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:907
#22 0x7ffdad68ca47 in mozilla::dom::Document::CreatePresShell(class nsPresContext *, class nsViewManager *) /builds/worker/checkouts/gecko/dom/base/Document.cpp:6948
#23 0x7ffdb4bb1924 in nsDocumentViewer::InitPresentationStuff(bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:702
#24 0x7ffdb4bb1279 in nsDocumentViewer::InitInternal(class nsIWidget *, class nsISupports *, class mozilla::dom::WindowGlobalChild *, struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &, bool, bool, bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:909
#25 0x7ffdb4bb08bf in nsDocumentViewer::Init(class nsIWidget *, struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &, class mozilla::dom::WindowGlobalChild *) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:675
#26 0x7ffdb7d25722 in nsDocShell::SetupNewViewer(class nsIContentViewer *, class mozilla::dom::WindowGlobalChild *) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8129
#27 0x7ffdb7d23f5c in nsDocShell::Embed(class nsIContentViewer *, class mozilla::dom::WindowGlobalChild *, bool, bool, class nsIRequest *, class nsIURI *) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5603
#28 0x7ffdb7d32fa2 in nsDocShell::CreateAboutBlankContentViewer(class nsIPrincipal *, class nsIPrincipal *, class nsIContentSecurityPolicy *, class nsIURI *, bool, class mozilla::Maybe<enum nsILoadInfo::CrossOriginEmbedderPolicy> const &, bool, bool, class mozilla::dom::WindowGlobalChild *) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6685
#29 0x7ffdb7e8065f in nsAppShellService::JustCreateTopWindow(class nsIAppWindow *, class nsIURI *, unsigned int, int, int, bool, class mozilla::AppWindow **) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:716
#30 0x7ffdb7e812a4 in nsAppShellService::CreateTopLevelWindow(class nsIAppWindow *, class nsIURI *, unsigned int, int, int, class nsIAppWindow **) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:179
#31 0x7ffdb8949c5d in nsAppStartup::CreateChromeWindow(class nsIWebBrowserChrome *, unsigned int, class nsIOpenWindowInfo *, bool *, class nsIWebBrowserChrome **) /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:757
#32 0x7ffdb8b00951 in nsWindowWatcher::CreateChromeWindow(class nsIWebBrowserChrome *, unsigned int, class nsIOpenWindowInfo *, class nsIWebBrowserChrome **) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:437
#33 0x7ffdb8afc3ca in nsWindowWatcher::OpenWindowInternal(class mozIDOMWindowProxy *, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsTSubstring<char> const &, bool, bool, bool, class nsIArray *, bool, bool, bool, enum nsPIWindowWatcher::PrintKind, class nsDocShellLoadState *, class mozilla::dom::BrowsingContext **) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:1045
#34 0x7ffdb8af7e36 in nsWindowWatcher::OpenWindow(class mozIDOMWindowProxy *, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsISupports *, class mozIDOMWindowProxy **) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:293
#35 0x7ffdbc685471 in XPTC__InvokebyIndex (E:\firefox_asan\target\firefox\xul.dll+0x193015471)
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/checkouts/gecko/widget/windows/nsWindow.cpp:8197 in nsWindow::PickerOpen(void)
==36900==ABORTING
Comment 1 • 11 months ago (Assignee)
Well, that's not good. It looks like a file-picker is being opened for a window after the window has been destroyed. That shouldn't be possible -- the nsFilePicker should have a RefPtr to the nsWindow. The POC is too simplistic to be some destruction-order thing...

... ah, it's running in headless mode. In that case, there's no nsWindow above the nsIWidget and it's instead pointing off into someone else's internals. The relevant static_cast<> is here — although it's been around since at least 2011, so I assume I've exposed it outside its old context somehow.
Comment 2 • 11 months ago (Assignee)
We don't necessarily even have access to a user-accessible desktop in headless mode. Opening a file dialog isn't going to work out.

In practice, file-dialog invocations will typically be intercepted by Puppeteer before they ever get here (see MockFilePicker.sys.mjs), but that's configuration-dependent. Explicitly check whether we're in headless mode before proceeding.
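As an added illustration (not the Gecko patch or any project code), here is a miniature model of the unchecked downcast comment 1 describes and the headless check comment 2 proposes. The names Widget, Win32Window, HeadlessWidget and AutoPickerState are stand-ins for nsIWidget, nsWindow, the headless widget and AutoWidgetPickerState; the RAII shape mirrors frames #0 to #3 of the ASan stack.

```cpp
// Added illustration, not Gecko code: a miniature model of the widget
// hierarchy behind this bug (class and function names are stand-ins).
#include <cstdint>

// Abstract widget interface, in the role of nsIWidget.
struct Widget {
  virtual ~Widget() = default;
  virtual bool IsHeadless() const = 0;
};

// The real Win32 window (role of nsWindow): owns the picker-open counter.
struct Win32Window : Widget {
  uint32_t mPickerOpenCount = 0;
  bool IsHeadless() const override { return false; }
  void PickerOpen() { ++mPickerOpenCount; }
  void PickerClosed() { --mPickerOpenCount; }
};

// The widget created in headless mode: a different concrete class that has
// no picker counter (or any other nsWindow field) at all.
struct HeadlessWidget : Widget {
  bool IsHeadless() const override { return true; }
};

// BEFORE (the pattern ASan caught): the RAII helper assumes every widget on
// Windows is a Win32Window and downcasts without checking. When the object
// underneath is really a HeadlessWidget, `win` points at memory that never
// held a Win32Window, and PickerOpen() touches bytes outside the object.
// Deliberately never executed here: running it on a HeadlessWidget is
// undefined behaviour, which is what the heap-buffer-overflow report shows.
struct AutoPickerStateUnchecked {
  Win32Window* win;
  explicit AutoPickerStateUnchecked(Widget* w)
      : win(static_cast<Win32Window*>(w)) {  // unchecked static_cast
    win->PickerOpen();
  }
  ~AutoPickerStateUnchecked() { win->PickerClosed(); }
};

// AFTER: refuse the picker up front in headless mode, so the downcast is
// only reached for widgets that really are Win32Windows.
enum class PickerResult { Shown, NotAvailableHeadless };

struct AutoPickerState {
  Win32Window* win = nullptr;
  explicit AutoPickerState(Widget* w) {
    if (w->IsHeadless()) return;  // no desktop, no nsWindow, no picker
    win = static_cast<Win32Window*>(w);
    win->PickerOpen();
  }
  ~AutoPickerState() { if (win) win->PickerClosed(); }
  bool Active() const { return win != nullptr; }
};

PickerResult ShowFilePicker(Widget* w) {
  AutoPickerState guard(w);
  if (!guard.Active()) return PickerResult::NotAvailableHeadless;
  // ... the native dialog would be shown here ...
  return PickerResult::Shown;
}

// Scenario helpers: exercise the hardened path with each widget kind.
bool HeadlessPickerRefused() {
  HeadlessWidget h;
  return ShowFilePicker(&h) == PickerResult::NotAvailableHeadless;
}
uint32_t CountWhileShown() {  // counter observed while the guard is held
  Win32Window w;
  AutoPickerState guard(&w);
  return w.mPickerOpenCount;
}
bool RealWindowCounterBalanced() {  // guard releases the count on exit
  Win32Window w;
  return ShowFilePicker(&w) == PickerResult::Shown && w.mPickerOpenCount == 0;
}
```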
Comment 3 • 11 months ago (Assignee)
Adding #win-reviewers members to CC for review purposes.

For security-triage purposes:
- I believe this bug can only occur in headless mode. If so, it can't be triggered by an ordinary user... unless there's some way to trick --backgroundtask into loading dynamic web-provided content. (Maybe as an element of a privilege-escalation chain?)
- I don't see any reason this couldn't happen before bug 1837079, but under the circumstances I'm very reluctant to say it could.
Comment 4 • 11 months ago (Assignee)
Comment on attachment 9363081 [details]
Bug 1864118 - deny attempts to open a Windows file picker in headless mode r?#win-reviewers
Security Approval Request
- How easily could an exploit be constructed based on the patch?: I don't think this can be exploited remotely. At least one additional exploit would be needed to do so, and I think that exploit would be sec-critical all on its own.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: Trivial. The patch should apply cleanly.
- How likely is this patch to cause regressions; how much testing does it need?: Virtually no chance of user-visible regressions. Small chance of regressions in automated testing.
- Is Android affected?: Yes
Comment 5 • 11 months ago (Assignee)
(In reply to Ray Kraesig [:rkraesig] from comment #3)
> - I don't see any reason this couldn't happen before bug 1837079, but under the circumstances I'm very reluctant to say it could.

I'm less reluctant to say it could, now, though I haven't managed to repro locally.

At any rate, if they're unaffected but the attached patch is uplifted anyway, there should be no deleterious effects.
Comment 6 • 11 months ago
Calling this sec-moderate because of headless mode. Normal users won't be using that, but this could still theoretically be used as a targeted booby-trap for some kind of automated browser/web-scanner.
Comment 7•11 months ago
|
||
This does not reproduce on m-c or esr without a custom prefs.js file.
Comment 8 • 10 months ago
Comment on attachment 9363081 [details]
Bug 1864118 - deny attempts to open a Windows file picker in headless mode r?#win-reviewers
Approved to land and uplift
Comment 10 • 10 months ago (Assignee)
Comment on attachment 9363081 [details]
Bug 1864118 - deny attempts to open a Windows file picker in headless mode r?#win-reviewers
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-moderate, approved
- User impact if declined: None to ordinary users; but see bug 1864118 comment 6 (:dveditz)
- Fix Landed on Version: 122
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): not risky; simple, non-intrusive check
Comment 12 • 10 months ago
The patch landed in nightly and beta is affected.
:rkraesig, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox121 to wontfix.

For more information, please visit BugBot documentation.
Comment 13 • 10 months ago (Assignee)
Comment on attachment 9363081 [details]
Bug 1864118 - deny attempts to open a Windows file picker in headless mode r?#win-reviewers

Beta/Release Uplift Approval Request
- User impact if declined: None to ordinary users; but see bug 1864118 comment 6 (:dveditz)
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: described in comment 0, with poc.html and prefs.js provided as attachments to the bug
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): not risky; simple, non-intrusive check
- String changes made/needed: N/A
- Is Android affected?: No
Comment 14 • 10 months ago (Assignee)
(In reply to BugBot [:suhaib / :marco/ :calixte] from comment #12)
> :rkraesig, is this bug important enough to require an uplift?

I have no strong opinion on the matter, and will leave it to the discretion of the relevant release manager(s).
Comment 15 • 10 months ago
Comment on attachment 9363081 [details]
Bug 1864118 - deny attempts to open a Windows file picker in headless mode r?#win-reviewers
Approved for 121.0b5.
Comment 16 • 10 months ago
uplift
Comment 17 • 10 months ago
Comment on attachment 9363081 [details]
Bug 1864118 - deny attempts to open a Windows file picker in headless mode r?#win-reviewers
Approved for 115.6esr.
Comment 18 • 10 months ago
uplift
Comment 19 • 10 months ago
We weren't able to reproduce this error. Nothing happens after the "Launching Firefox" and "Running Firefox" messages. We tried with all the Windows 2012 x64 asan builds 121.0a1 (2023-11-06) from treeherder. Are there maybe some details that we missed, or could some interaction be at fault? Thank you!
Comment 20 • 10 months ago (Assignee)
Well, that's odd. I get similar behavior with the Python HTTP server, but it works fine (i.e., correctly reproduces the bug) if you skip that and access the file directly:
ffpuppet.exe "C:/Users/Ray Kraesig/Downloads/target-asan-2023-11-06/firefox/firefox.exe" --headless -p 1864118-prefs.js -d -u 1864118-poc.html
I was able to reproduce consistently (n=5) with this build.
Comment 21 • 10 months ago
(In reply to Ray Kraesig [:rkraesig] from comment #20)
> Well, that's odd. I get similar behavior with the Python HTTP server, but it works fine (i.e., correctly reproduces the bug) if you skip that and access the file directly:
> ffpuppet.exe "C:/Users/Ray Kraesig/Downloads/target-asan-2023-11-06/firefox/firefox.exe" --headless -p 1864118-prefs.js -d -u 1864118-poc.html
> I was able to reproduce consistently (n=5) with this build.

Thank you for this additional information.
I've reproduced the error with Fx 121.0a1 (2023-11-06) on Windows 10 (but only after I've uninstalled the antivirus).
Verified fixed with Fx 122.0a1 (2023-12-04) and Fx 121.0b7 on Windows 10.
Comment 24 • 10 months ago
Verified fixed with Fx 115.6esr on Windows 10.
Comment 25 • 5 months ago
Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter