Closed
Bug 205287
Opened 22 years ago
Closed 8 years ago
browser does not redraw when getting quote from 21st.com
Categories
(Core :: Security, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: david.s.f, Assigned: dveditz)
References
()
Details
(Keywords: hang)
Attachments
(2 files)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021203
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021203
Tried to get a quote from 21st century. Starting from www.21st.com, enter a zip
from CA, such as 94111, which works ok. Answer no to everything on the second page.
The third page is where things get interesting. The year dropdown box seems to
be using some exotic javascript, when I select a year, the browser will not
redraw. Only remedy was kill -9. strace showed it was blocking on recv().
Reproducible: Always
Steps to Reproduce:
1. Starting from www.21st.com, enter a zip from CA, such as 94111
2. Answer no to everything on the second page
3. Select a year from the dropdown box on 3rd page
Actual Results:
Browser deadlocked.
Expected Results:
Probably run some javascript and changed some other pulldowns.
Comment 1•22 years ago
|
||
For me with linux trunk 20030510, the dropdown took about 10 seconds, but then
returned control.
1.2 is a really old build. please try 1.4b or current trunk
Comment 2•22 years ago
|
||
Confirming with Mozilla trunk 2003051214 on WinNT.
OS: Linux ---> All.
Mozilla seems to hang forever on this. Note: my CPU is at 0% when
this happens, with plenty of RAM left, so this makes it look like
a deadlock issue (Moz is waiting for a thread to be unlocked, or
some other response that never occurs).
The site does a lot of processing in the background when the user
selects the year. For example, it has to come up with all the car
models for that year. This function seems to be central. It can
be found in the file https://ww2.i21.com/_ScriptLibrary/RS.HTM :
//*****************************************************************
233 // function _MSRS_startRequest(url,method,args,cb,ecb,context)
234 //
235 // This is key function for initiating a request for data.
236 // The url to the ASP file is required. The callback,
237 // error_callback, and user context parameters are optional.
238 //*****************************************************************
239 function _MSRS_startRequest(url,method,args,cb,ecb,context)
240 {
241 var request = new RSCallObject(cb,ecb,context);
242 if (this.rsapplet == null)
243 {
244 if (typeof(document.RSAspProxyApplet) == 'object')
245 this.rsapplet = document.RSAspProxyApplet;
246 else if (typeof(document.thisForm) == 'object' &&
typeof(document.thisForm.RSAspProxyApplet) == 'object')
247 this.rsapplet = document.thisForm.RSAspProxyApplet;
248 else
249 {
250 errmsg = 'ERROR:\nCannot locate proxy which supports
Remote Scripting.\nWas RSEnableRemoteScripting method invoked?';
251 request.status = MSRS_FAIL;
252 request.message = errmsg;
253 alert(errmsg);
254 }
255 }
256
257 if (request.status != MSRS_FAIL)
258 {
259 url = this.buildURL(url,method,args);
260 url_context = window.location.href;
261
this.rsapplet.startRequest(request.id,url_context,url,this.REQUEST_MODE_COMPLETE
);
262 if (typeof(cb) == 'function')
263 {
264 if (this.pollCount++ == 0)
265 this.setRequestPoll();
266 }
267 else
268 { // wait synchronously for response
269 request.wait();
270 }
271 }
272 return request;
273 }
Notice the use of an applet. This is written by the file as
document.write('<' + 'APPLET name=RSAspProxyApplet codebase=' + codebase +
' code=RSProxy.class height=0 width=0></applet>');
Here is some of the documentation:
// ************************************************************************<br>
// Microsoft Script Library<br>
// Visual InterDev 6.0 Remote Scripting utilities for client<br>
// Copyright 1998 Microsoft Corporation. All Rights Reserved.<br>
// <b>Do not modify in design view. Switch to source view.</b><br>
// ************************************************************************<br>
// <script></script>
//*****************************************************************
// The Remote Scripting utilities for the client consist of
// three public methods and the RSCallObject definition.
// The public methods are RSEnableRemoteScripting, RSExecute
// and RSGetASPObject. The RSCallObject is returned from any
// remote scripting call and provides status and return value.
//*****************************************************************
//*****************************************************************
// function RSEnableRemoteScripting()
// This function enables the remote scripting proxy.
//*****************************************************************
function RSEnableRemoteScripting(codebase)
{
MSRS = new _MSRS_Object();
if (typeof(codebase) == 'undefined')
{ // assume applet is in _ScriptLibrary directory off the webroot
var secondSlash, path;
codebase = '';
if ((secondSlash = (path = window.location.pathname).indexOf('/',1)) != -1)
codebase = path.substring(0,secondSlash);
codebase += '/_ScriptLibrary';
}
document.write('<' + 'APPLET name=RSAspProxyApplet codebase=' + codebase +
' code=RSProxy.class height=0 width=0></applet>');
}
Comment 3•22 years ago
|
||
I believe this is some sort of OJI or Security issue.
The line above looks suspicious:
268 { // wait synchronously for response
269 request.wait();
270 }
I opened Mozilla's Java Console to look, setting trace level =5.
Here's what we see after loading the page with the "Year" dropdown:
Registered modality listener
Referencing classloader: sun.plugin.ClassLoaderInfo@2db19d, refcount=1
Loading applet ...
Initializing applet ...
Starting applet ...
Connecting https://ww2.i21.com/_ScriptLibrary/RSProxy.class with no proxy
Connecting https://ww2.i21.com/_ScriptLibrary/RSProxy.class with cookie
"dM=ID=80195374564.236.139.249Mon May 12 14:16:09 PDT 2003; lang=en; CP=null*;
ASPSESSIONIDQGGQRQTC=GMKKHMMABGEJEIJBHPNBMIPG"
Loading Root CA certificates from
C:\PROGRA~1\Java\J2RE14~1.1\lib\security\cacerts
Loaded Root CA certificates from
C:\PROGRA~1\Java\J2RE14~1.1\lib\security\cacerts
Loading Https Root CA certificates from
C:\PROGRA~1\Java\J2RE14~1.1\lib\security\jssecacerts
Https Root CA certificates file not found:
Loaded Https Root CA certificates from
C:\PROGRA~1\Java\J2RE14~1.1\lib\security\jssecacerts
Loading JPI Https certificates from
C:\WINNT\Profiles\pschwartau\.java\jpihttpscerts141
Loaded JPI Https certificates from
C:\WINNT\Profiles\pschwartau\.java\jpihttpscerts141
Loading certificates from JPI session certificate store
Loaded certificates from JPI session certificate store
Loading https://ww2.i21.com/_ScriptLibrary/RSProxy.class from cache
When we select a year, the hang begins, and in the Java Console
we can see why. The following two lines appear over and over:
JavaScript: calling Java system code
JavaScript: default security policy = https://ww2.i21.com
JavaScript: calling Java system code
JavaScript: default security policy = https://ww2.i21.com
JavaScript: calling Java system code
JavaScript: default security policy = https://ww2.i21.com
JavaScript: calling Java system code
JavaScript: default security policy = https://ww2.i21.com
JavaScript: calling Java system code
JavaScript: default security policy = https://ww2.i21.com
JavaScript: calling Java system code
JavaScript: default security policy = https://ww2.i21.com
JavaScript: calling Java system code
JavaScript: default security policy = https://ww2.i21.com
Reassigning to Security:General for further triage; cc'ing Joshua.
Note: I am using Java plug-in 1.4.1 on WinNT.
Assignee: rogerl → mstoltz
Component: JavaScript Engine → Security: General
QA Contact: pschwartau → carosendahl
Comment 4•22 years ago
|
||
Andrew: what Java plug-in are you using with Mozilla on Linux?
Comment 5•22 years ago
|
||
I'm using Sun JRE 1.4.1_02
this is what I get in the java console. it looks about the same except that it
just doesn't continue forever.
Comment 6•22 years ago
|
||
I can't reproduce this bug when I use JRE1.4.2-beta-b19 and Mozilla/5.0
(Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030422 on Win2k.
Yes, there are a lot of
JavaScript: calling Java system code
JavaScript: default security policy = https://ww2.i21.com
print in Java Console window, but this is reasonable because it relate to
liveconnect.
Comment 7•22 years ago
|
||
Here's a clue: Andrew's Java Console log shows this extra line,
which I don't see:
JavaScript: caller and callee have same origin
Notice it appears very early in Andrew's log:
Loading applet ...
Initializing applet ...
Starting applet ...
Quiting applet ...
Finding information ...
Releasing classloader: sun.plugin.ClassLoaderInfo@b3f9b8, refcount=1
Done ...
JavaScript: calling Java system code
JavaScript: default security policy = https://ww2.i21.com
JavaScript: calling Java system code
JavaScript: default security policy = https://ww2.i21.com
JavaScript: caller and callee have same origin <<<----------------------- HERE
JavaScript: default security policy = https://ww2.i21.com
Connecting
https://ww2.i21.com/include/sscript.asp?_method=getMakes&_mtype=execute&pcount=1&p0=1995
with no proxy
JavaScript: caller and callee have same origin
JavaScript: default security policy = https://ww2.i21.com
Connecting
https://ww2.i21.com/include/sscript.asp?_method=getMakes&_mtype=execute&pcount=1&p0=1995
with cookie "dM=ID=717111765165.247.155.245Tue May 13 17:01:33 PDT 2003;
ASPSESSIONIDQGGQRQTC=NMPKHMMAPNJDMNLLABIMILOG; CP=null*; lang=en"
Loading Root CA certificates from /usr/java/j2re1.4.1_02/lib/security/cacerts
Loaded Root CA certificates from /usr/java/j2re1.4.1_02/lib/security/cacerts
Loading Https Root CA certificates from
/usr/java/j2re1.4.1_02/lib/security/jssecacerts
Https Root CA certificates file not found:
Loaded Https Root CA certificates from
/usr/java/j2re1.4.1_02/lib/security/jssecacerts
Loading JPI Https certificates from /home/andrew/.java/jpihttpscerts141_02
Loaded JPI Https certificates from /home/andrew/.java/jpihttpscerts141_02
Loading certificates from JPI session certificate store
Loaded certificates from JPI session certificate store
Whereas my log began like this:
Registered modality listener
Referencing classloader: sun.plugin.ClassLoaderInfo@2db19d, refcount=1
Loading applet ...
Initializing applet ...
Starting applet ...
Connecting https://ww2.i21.com/_ScriptLibrary/RSProxy.class with no proxy
Connecting https://ww2.i21.com/_ScriptLibrary/RSProxy.class with cookie
"dM=ID=80195374564.236.139.249Mon May 12 14:16:09 PDT 2003; lang=en; CP=null*;
ASPSESSIONIDQGGQRQTC=GMKKHMMABGEJEIJBHPNBMIPG"
Loading Root CA certificates from
C:\PROGRA~1\Java\J2RE14~1.1\lib\security\cacerts
Loaded Root CA certificates from
C:\PROGRA~1\Java\J2RE14~1.1\lib\security\cacerts
Loading Https Root CA certificates from
C:\PROGRA~1\Java\J2RE14~1.1\lib\security\jssecacerts
Https Root CA certificates file not found:
Loaded Https Root CA certificates from
C:\PROGRA~1\Java\J2RE14~1.1\lib\security\jssecacerts
Loading JPI Https certificates from
C:\WINNT\Profiles\pschwartau\.java\jpihttpscerts141
Loaded JPI Https certificates from
C:\WINNT\Profiles\pschwartau\.java\jpihttpscerts141
Loading certificates from JPI session certificate store
Loaded certificates from JPI session certificate store
Loading https://ww2.i21.com/_ScriptLibrary/RSProxy.class from cache
In Andrew's log, when it comes time for the site to get the makes
of the cars, we see a successful request to the applet to do it:
https://ww2.i21.com/include/sscript.asp?_method=getMakes etc. etc.
I don't see that in my log, only the security checks. I can prove
this convincingly by bringing up the Mozilla JavaScript Debugger
and setting breakpoints at lines 244, 261 in the key function above
(see Comment #2). Just by interrupting the code there, waiting,
and letting it continue, I can make the site work.
That shows once again that some sort of timing issue is involved.
And - it allows me to get a complete log from the Java Console,
which I will attach below to compare to Andrew's.
You will see that in my "interrupted" log, the same-origin statement
finally does occur in the Java Console: very far down in the log,
after I interrupted the code flow. And after that, the call to the
getMakes() method of the applet is made - and everything works.
Comment 8•22 years ago
|
||
Comment 9•22 years ago
|
||
Take a look at the Java log in Comment #8, and search for "same origin".
It occurs very, very far down in the log. A couple lines after it appears,
we see a call to the getMakes() method of the applet, and things are fine.
I think the only reason it works here is the momentary interrupt I'm doing
in the JavaScript Debugger, which somehow allows the same-origin check
to succeed. Without the interrupt, my Java does not succeed in verifying
same-origin, and keeps trying to do so - hence the hang (?)
Comment 10•22 years ago
|
||
Here's what I'm talking about in my log:
.
.
(hundreds of lines down, near the bottom)
.
.
JavaScript: calling Java system code
JavaScript: default security policy = https://ww2.i21.com
JavaScript: caller and callee have same origin <<<----------------- FINALLY !!!
JavaScript: default security policy = https://ww2.i21.com
Connecting https://ww2.i21.com/include/sscript.asp?_method=getMakes etc. etc.
Whereas in Andrew's log, this occurred right near the top -
Comment 11•18 years ago
|
||
I'm not seeing this problem - perhaps http://www.21st.com changed?
Assignee: security-bugs → dveditz
QA Contact: carosendahl → toolkit
Comment 12•18 years ago
|
||
[stupid enter key]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061119 SeaMonkey/1.5a
Comment 13•18 years ago
|
||
*** Bug 198943 has been marked as a duplicate of this bug. ***
Comment 14•16 years ago
|
||
Tony, do you see this?
Comment 15•16 years ago
|
||
(In reply to comment #14)
> Tony, do you see this?
1. LC_TIME=en_GB seamonkey -no-remote -P testing
(to avoid crashing my main instance even if I get the bug)
2. http://www.21st.com/
3. Enter 94111 and click "Get a Quote".
4. (How did you hear about us?) Referral from a friend [ Continue ]
5. (First Name) No
(M.I.) N (accepts only one character)
(Second Name) No
(Residence address) No
(Unit #) No
(City) No
(State) (leave as set) CA
(Zip code) (leave as set) 94111
[ ] Mailing address different from residence address
(I reviewed the privacy policy) (*) No
(Note: I'm doing what comment #0 said to do, am I not?)
[ Continue ]
Expected results:
I didn't expect anything.
Actual results:
Next page is the same but with a big red message:
Please correct the following information to continue with your request.
* We are sorry, by answering 'No' to the Information Disclosure question, we are unable to provide you with an online quote. Please call our toll-free number 1-800-314-9947 or click the "Have us call you" link to speak to a licensed representative. Thank you.
Conclusion: I don't know because unable to apply the "Steps to Reproduce" in comment #0. Reporter (David S.F.) (or Wayne), please provide explicit (and up-to-date) steps, which can be applied without logging in to the site.
Comment 16•16 years ago
|
||
P.S. The first page says getting a quote takes "5.0 minutes on average". Reporter, did you let the third page run for at least 10 minutes before deciding that the browser was hung?
Comment 17•10 years ago
|
||
(In reply to Tony Mechelynck [:tonymec] from comment #16)
> P.S. The first page says getting a quote takes "5.0 minutes on average".
> Reporter, did you let the third page run for at least 10 minutes before
> deciding that the browser was hung?
email to Reporter bounces.
Maybe Phil is still around?
Flags: needinfo?(pschwartau)
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Updated•8 years ago
|
Flags: needinfo?(pschwartau)
You need to log in
before you can comment on or make changes to this bug.
Description
•