Bug 195030 - no protection against recursive plugin loading via EMBED/OBJECT tag
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: Plug-ins
Version: Trunk
Platform: All All
Importance: P3 normal with 3 votes
Target Milestone: ---
Assigned To: John Schoenick [:johns]
: Benjamin Smedberg [:bsmedberg]
URL: http://www.geocities.com/jeffreychanff8/
Duplicates: 199631
Depends on: 745030
Blocks: popups
Reported: 2003-02-25 20:55 PST by Miquel "Fire" Burns
Modified: 2012-08-07 17:28 PDT


Attachments
testcase (70 bytes, text/html), 2003-03-29 08:41 PST, Mike Goodspeed

Description Miquel "Fire" Burns 2003-02-25 20:55:03 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130

On this one page at http://www.geocities.com/jeffreychanff8/, a new window with
the page pops open every time the page is opened (which results in the browser just
reopening the page in a new window over and over again until you can click the
close button before the page loads up in a new window) because of a possible bug
with the embed tag. The tag reads like this:
<embed SRC="http://www.geocities.com/jeffreychanff8/" AUTOSTART=TRUE HIDDEN=TRUE>
I'm not sure how Mozilla is supposed to handle code like this, but something
like this will make it possible to bypass the setting for javascript's
unrequested window option.

Reproducible: Always

Steps to Reproduce:
1. Open page in Mozilla.
Actual Results:
A new window will open with the page, in this case the same page, which results in
what appears to be malicious javascript.
Comment 1 timeless 2003-02-28 13:05:10 PST
as annoying as this is, this is not a security bug
Comment 2 Peter Lubczynski 2003-03-25 15:49:30 PST
Um...here's the problem:

This URL feeds an HTML document with text/html:
http://www.geocities.com/jeffreychanff8/

Then has an EMBED tag like:
<EMBED src=http://www.geocities.com/jeffreychanff8/

..which takes us for a loop...

This is partly blocked by handling relative urls that hand back text/html in bug
157554.
Comment 3 Alfonso Martinez 2003-03-29 04:18:00 PST
*** Bug 199631 has been marked as a duplicate of this bug. ***
Comment 4 Mike Goodspeed 2003-03-29 08:41:16 PST
Created attachment 118861 [details]
testcase

From my comment of dupe bug 199631:

It has to do with an embed.  The lines in question seem to be 

<embed SRC="http://www.upholdfreedom.com/" AUTOSTART=TRUE HIDDEN=TRUE>
<noembed><bgsound SRC="http://www.upholdfreedom.com/"></noembed>
</embed>

Where it recursively calls itself.  If you go to the URL with javascript off it
gives you a "Plug-in Not Loaded" window:

Information on this page requires a plugin for:
			    text/html
Navigator can retrieve... blah blah blah...

The testcase pops up a new window going to google (so you won't crash your
browser doing testing).  It is just one line:

<embed SRC="http://www.google.com" AUTOSTART=TRUE HIDDEN=TRUE></embed>
Comment 5 John Schoenick [:johns] 2012-05-11 15:37:30 PDT
I believe this has long since been fixed, documents are only allowed in <objects> now, which check against recursive loads.

Keeping this open to ensure bug 745030 doesn't regress, and to add tests.
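The check Comment 5 refers to can be modelled outside the browser. The block below is an added example written for this page, not Gecko's code: it decides what an <embed> or <object> whose resource has already been fetched should do, given the content type the server returned and the chain of documents the tag sits in. A document type handed to an <embed> gets nothing (no plugin is registered for text/html), a document type in an <object> is loaded as a nested document only if its URL (fragment ignored) does not match the containing document or any ancestor and the nesting depth is still below a limit, and anything else goes to a plugin. The function names, the depth limit of 10, and the set of "document" content types are assumptions for illustration; the URLs come from the bug's own testcases.

```javascript
// Added example, not Gecko code: a model of the recursive-load check for
// documents loaded through <object>, applied to the testcases in this bug.
// MAX_NESTING_DEPTH and DOCUMENT_TYPES are assumed values, not Gecko's.
const MAX_NESTING_DEPTH = 10;
const DOCUMENT_TYPES = new Set(['text/html', 'application/xhtml+xml', 'text/plain']);

// Fragments never change which resource is fetched, so "page/#top" and
// "page/" are the same load for recursion purposes.
function canonicalize(url) {
  const u = new URL(url);
  u.hash = '';
  return u.href;
}

// ancestors[0] is the document containing the tag, ancestors[1] its parent,
// and so on up to the top-level document.
function decideEmbeddedLoad({ tag, url, contentType, ancestors }) {
  if (!DOCUMENT_TYPES.has(contentType)) {
    return { action: 'plugin', reason: `hand ${contentType} to a plugin` };
  }
  if (tag !== 'object') {
    return { action: 'blocked', reason: `${contentType} is a document; only <object> may load documents` };
  }
  if (ancestors.length >= MAX_NESTING_DEPTH) {
    return { action: 'blocked', reason: 'nesting depth limit reached' };
  }
  const target = canonicalize(url);
  const level = ancestors.findIndex(a => canonicalize(a) === target);
  if (level !== -1) {
    return { action: 'blocked', reason: `recursive load: target is ancestor ${level}` };
  }
  return { action: 'document', reason: 'load as a nested document' };
}

// Constructed inputs built from the bug's testcases.
function runSamples() {
  const self = 'http://www.geocities.com/jeffreychanff8/';
  return {
    // Comment 2: the page embeds itself and the server returns text/html.
    embedSelf: decideEmbeddedLoad({ tag: 'embed', url: self, contentType: 'text/html', ancestors: [self] }),
    // Same resource via <object>: refused because the target is ancestor 0.
    objectSelf: decideEmbeddedLoad({ tag: 'object', url: self + '#top', contentType: 'text/html', ancestors: [self] }),
    // Comment 4's testcase pointed at another site: a legitimate nested document.
    objectOther: decideEmbeddedLoad({ tag: 'object', url: 'http://www.google.com', contentType: 'text/html', ancestors: [self] }),
    // A non-document type still goes to whatever plugin claims it.
    embedPlugin: decideEmbeddedLoad({ tag: 'embed', url: 'http://www.google.com/x.swf', contentType: 'application/x-shockwave-flash', ancestors: [self] }),
    // A chain that already hit the depth limit is cut off even if no URL repeats.
    tooDeep: decideEmbeddedLoad({ tag: 'object', url: 'http://example.invalid/leaf', contentType: 'text/html',
      ancestors: Array.from({ length: MAX_NESTING_DEPTH }, (_, i) => `http://example.invalid/${i}`) }),
  };
}

for (const [name, result] of Object.entries(runSamples())) {
  console.log(`${name}: ${result.action} (${result.reason})`);
}
```

The depth limit matters independently of the URL comparison: a chain of distinct URLs that each embed the next (A embeds B embeds C ...) never trips the ancestor check but still grows without bound, which is the other half of what "protection against recursive loading" has to cover.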
