Closed
Bug 195030
Opened 22 years ago
Closed 13 years ago
no protection against recursive plugin loading via EMBED/OBJECT tag
Categories
(Core Graveyard :: Plug-ins, defect, P3)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: miquelfire, Assigned: johns)
Attachments
(1 file)
70 bytes,
text/html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
On this one page at http://www.geocities.com/jeffreychanff8/, a new window with
the page pops open every time the page is opened (which results in the browser just
reopening the page in a new window over and over again until you can click the
close button before the page loads up on a new window) because of a possible bug
with the embed tag. The tag reads like this:
<embed SRC="http://www.geocities.com/jeffreychanff8/" AUTOSTART=TRUE HIDDEN=TRUE>
I'm not sure how Mozilla is supposed to handle code like this, but something
like this will make it possible to bypass the setting for javascript's
unrequested window option.
Reproducible: Always
Steps to Reproduce:
1. Open page in Mozilla.
Actual Results:
A new window will open with the page, in this case the same which results in
what appears to be malicious javascript.
as annoying as this is, this is not a security bug
Assignee: harishd → peterlubczynski
Group: security
Component: Parser → Plug-ins
QA Contact: dsirnapalli → shrir
Comment 2•22 years ago
Um...here's the problem:
This URL feeds an HTML document with text/html:
http://www.geocities.com/jeffreychanff8/
Then has an EMBED tag like:
<EMBED src=http://www.geocities.com/jeffreychanff8/
..which takes us for a loop...
This is partly blocked by handling relative urls that hand back text/html in bug
157554.
Status: UNCONFIRMED → NEW
Depends on: 157554
Ever confirmed: true
Priority: -- → P3
Summary: Web page in EMBED tag creates a new window. → no protection against recursive plugin loading via EMBED/OBJECT tag
Target Milestone: --- → Future
Comment 3•22 years ago
*** Bug 199631 has been marked as a duplicate of this bug. ***
Comment 4•22 years ago
From my comment of dupe bug 199631:
It has to do with an embed. The lines in question seem to be
<embed SRC="http://www.upholdfreedom.com/" AUTOSTART=TRUE HIDDEN=TRUE>
<noembed><bgsound SRC="http://www.upholdfreedom.com/"></noembed>
</embed>
Where it recursively calls itself. If you go to the URL with javascript off it
gives you a "Plug-in Not Loaded" window:
Information on this page requires a plugin for:
text/html
Navigator can retrieve... blah blah blah...
The testcase pops up a new window going to google (so you won't crash your
browser doing testing). It is just one line:
<embed SRC="http://www.google.com" AUTOSTART=TRUE HIDDEN=TRUE></embed>
Updated•16 years ago
QA Contact: shrir → plugins
Comment 5•13 years ago
I believe this has long since been fixed; documents are only allowed in <objects> now, which check against recursive loads.
Keeping this open to ensure bug 745030 doesn't regress, and to add tests.
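A sketch of the kind of recursive-load check comment 5 refers to, as an added example (not Gecko's code and not part of the bug): the loader refuses an embed/object whose resolved URL already appears in the chain of enclosing documents. The function names, the `MAX_DEPTH` cap and the `site.example` URLs are constructed for illustration.

```javascript
// Added illustration: a loader-side guard against recursive subdocument loads.
// MAX_DEPTH and all function names are assumptions, not Gecko identifiers.
const MAX_DEPTH = 10;

// Compare URLs without their fragment, so "page#a" embedding "page#b" still matches.
function canonical(url, base) {
  const u = new URL(url, base);
  u.hash = "";
  return u.href;
}

// ancestors: canonical URLs of the documents enclosing the <embed>/<object>,
// outermost first. Returns the load decision for the requested src.
function checkSubdocumentLoad(ancestors, src) {
  const base = ancestors[ancestors.length - 1];
  let target;
  try {
    target = canonical(src, base);
  } catch (e) {
    return { allow: false, reason: "invalid-url" };
  }
  if (ancestors.includes(target)) return { allow: false, reason: "recursive", target };
  if (ancestors.length >= MAX_DEPTH) return { allow: false, reason: "too-deep", target };
  return { allow: true, target };
}

// Constructed sample site: document URL -> src values of its embed/object tags.
const SITE = {
  "http://site.example/self/": ["http://site.example/self/"],
  "http://site.example/a.html": ["b.html#top"],
  "http://site.example/b.html": ["a.html"],
  "http://site.example/ok.html": ["leaf.html"],
  "http://site.example/leaf.html": [],
};

// Walk the embeds the way a loader would, recording what was loaded or refused.
function loadTree(url, ancestors = [], log = []) {
  const chain = [...ancestors, canonical(url)];
  log.push("load " + chain[chain.length - 1]);
  for (const src of SITE[chain[chain.length - 1]] || []) {
    const d = checkSubdocumentLoad(chain, src);
    if (d.allow) loadTree(d.target, chain, log);
    else log.push("block " + d.reason + " " + d.target);
  }
  return log;
}
```

The first sample document embeds itself, as in the report; the `a.html`/`b.html` pair shows why the check has to cover the whole ancestor chain and not only the immediate parent.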
Updated•13 years ago
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•3 years ago
Product: Core → Core Graveyard