no protection against recursive plugin loading via EMBED/OBJECT tag

Status: RESOLVED FIXED
Product: Core
Component: Plug-ins
Priority: P3
Severity: normal
Reported: 14 years ago
Modified: 5 years ago
Reporter: Miquel "Fire" Burns
Assigned: johns
Blocks: 1 bug
Version: Trunk
Attachments: 1 attachment

Description (Reporter)
14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130

On this one page at http://www.geocities.com/jeffreychanff8/, a new window with
the page pops open every time the page is opened (which results in the browser just
reopening the page in a new window over and over again until you can click the
close button before the page loads up in a new window) because of a possible bug
with the embed tag. The tag reads like this:
<embed SRC="http://www.geocities.com/jeffreychanff8/" AUTOSTART=TRUE HIDDEN=TRUE>
I'm not sure how Mozilla is supposed to handle code like this, but something
like this will make it possible to bypass the setting for javascript's
unrequested window option.

Reproducible: Always

Steps to Reproduce:
1. Open page in Mozilla.
Actual Results:
A new window will open with the page, in this case the same page, which results in
what appears to be malicious javascript.

Comment 1

14 years ago
As annoying as this is, this is not a security bug.
Assignee: harishd → peterlubczynski
Group: security
Component: Parser → Plug-ins
QA Contact: dsirnapalli → shrir

Comment 2

14 years ago
Um...here's the problem:

This URL feeds an HTML document with text/html:
http://www.geocities.com/jeffreychanff8/

Then has an EMBED tag like:
<EMBED src=http://www.geocities.com/jeffreychanff8/

...which takes us for a loop...

This is partly blocked by handling relative urls that hand back text/html in bug 157554.
Status: UNCONFIRMED → NEW
Depends on: 157554
Ever confirmed: true
Priority: -- → P3
Summary: Web page in EMBED tag creates a new window. → no protection against recursive plugin loading via EMBED/OBJECT tag
Target Milestone: --- → Future

Comment 3

14 years ago
*** Bug 199631 has been marked as a duplicate of this bug. ***

Comment 4

14 years ago
Created attachment 118861 [details]
testcase

From my comment of dupe bug 199631:

It has to do with an embed.  The lines in question seem to be 

<embed SRC="http://www.upholdfreedom.com/" AUTOSTART=TRUE HIDDEN=TRUE>
<noembed><bgsound SRC="http://www.upholdfreedom.com/"></noembed>
</embed>

Where it recursively calls itself.  If you go to the URL with javascript off it
gives you a "Plug-in Not Loaded" window:

Information on this page requires a plugin for:
			    text/html
Navigator can retrieve... blah blah blah...

The testcase pops up a new window going to google (so you won't crash your
browser doing testing).  It is just one line:

<embed SRC="http://www.google.com" AUTOSTART=TRUE HIDDEN=TRUE></embed>

Updated

14 years ago
Blocks: 176958
QA Contact: shrir → plugins
Comment 5 (Assignee)

5 years ago
I believe this has long since been fixed; documents are only allowed in <objects> now, which check against recursive loads.

Keeping this open to ensure bug 745030 doesn't regress, and to add tests.
Assignee: peterlubczynski-bugs → jschoenick
Status: NEW → ASSIGNED
Depends on: 745030
No longer depends on: 157554
OS: Windows XP → All
Hardware: x86 → All
Target Milestone: Future → ---
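The ancestor check that comment 5 refers to, as an added illustration in JavaScript that is not Gecko's code and not part of this bug: it models the chain of embedding frames, refuses a document load whose resolved URL is already an ancestor (the self-embedding page from the report, including the relative-src variant comment 2 mentions), and caps nesting depth. The frame model, normalize(), the MAX_NESTING_DEPTH value and the sample documents are assumptions made for the example.

```javascript
// Added example (not Gecko's code): a recursion guard for loading a
// document into <object>/<embed>, illustrating the kind of ancestor check
// comment 5 refers to. The frame model ({url, parent}), normalize(),
// MAX_NESTING_DEPTH and the sample documents are assumptions made here.

// Assumed cap on how deep embedded documents may nest; this page does not
// state Gecko's real limit.
const MAX_NESTING_DEPTH = 10;

// Resolve `url` against `base` (so a relative src such as "./" is compared
// as the absolute document it actually names) and drop the fragment, which
// does not change which document is fetched.
function normalize(url, base) {
  const u = new URL(url, base);
  u.hash = "";
  return u.href;
}

// A frame is { url, parent }; `parent` is the embedding frame or null.
// Returns the normalized URLs of this frame and all of its ancestors.
function ancestorUrls(frame) {
  const out = [];
  for (let f = frame; f !== null; f = f.parent) out.push(normalize(f.url));
  return out;
}

// Decide whether the document named by `src` may be loaded as a plugin-style
// (text/html) resource inside `frame`. Refuses when the target is already
// one of the frame's ancestors (the self-embedding case from this bug) or
// when the embedding chain is already too deep.
function canLoadDocument(src, frame) {
  const chain = ancestorUrls(frame);
  const target = normalize(src, frame.url);
  if (chain.length >= MAX_NESTING_DEPTH) {
    return { allowed: false, reason: "nesting depth exceeded" };
  }
  if (chain.includes(target)) {
    return { allowed: false, reason: "recursive load of " + target };
  }
  return { allowed: true, reason: "" };
}

// Constructed sample site: each document maps to the src attributes of its
// <embed> tags. The first entry mirrors the self-embedding page reported
// here; the next two form a two-document cycle through a relative src.
const SAMPLE_DOCS = {
  "http://www.geocities.com/jeffreychanff8/": ["http://www.geocities.com/jeffreychanff8/"],
  "http://example.test/outer.html": ["inner.html"],
  "http://example.test/inner.html": ["./outer.html", "http://www.google.com"],
  "http://www.google.com/": [],
};

// Simulated loader: walks the embeds starting at `startUrl`, applying the
// guard before every nested load, and returns the log of attempts as
// { src, allowed, reason }. Without the guard the first sample document
// would reload itself forever; with it, the loop ends after one refusal.
function simulateLoads(startUrl, docs = SAMPLE_DOCS) {
  const log = [];
  function walk(frame) {
    for (const src of docs[normalize(frame.url)] || []) {
      const verdict = canLoadDocument(src, frame);
      const target = normalize(src, frame.url);
      log.push({ src: target, ...verdict });
      if (verdict.allowed) walk({ url: target, parent: frame });
    }
  }
  walk({ url: startUrl, parent: null });
  return log;
}

console.log(JSON.stringify(simulateLoads("http://www.geocities.com/jeffreychanff8/"), null, 2));
```

Run with node: the simulated loader reports exactly one refused attempt for the self-embedding page instead of the endless chain of new windows the reporter saw, and the two-document cycle is cut at the relative "./outer.html" src while the unrelated google load still goes through.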
Updated (Assignee)

5 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED