Closed Bug 205287 Opened 22 years ago Closed 8 years ago

browser does not redraw when getting quote from 21st.com

Categories

(Core :: Security, defect)

x86
All
defect
Not set
critical

Tracking

()

RESOLVED INCOMPLETE

People

(Reporter: david.s.f, Assigned: dveditz)

References

()

Details

(Keywords: hang)

Attachments

(2 files)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021203 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021203 Tried to get a quote from 21st century. Starting from www.21st.com, enter a zip from CA, such as 94111, which works ok. Answer no to everything on the second page. The third page is where things get interesting. The year dropdown box seems to be using some exotic javascript, when I select a year, the browser will not redraw. Only remedy was kill -9. strace showed it was blocking on recv(). Reproducible: Always Steps to Reproduce: 1. Starting from www.21st.com, enter a zip from CA, such as 94111 2. Answer no to everything on the second page 3. Select a year from the dropdown box on 3rd page Actual Results: Browser deadlocked. Expected Results: Probably run some javascript and changed some other pulldowns.
For me with linux trunk 20030510, the dropdown took about 10 seconds, but then returned control. 1.2 is a really old build. please try 1.4b or current trunk
Confirming with Mozilla trunk 2003051214 on WinNT. OS: Linux ---> All. Mozilla seems to hang forever on this. Note: my CPU is at 0% when this happens, with plenty of RAM left, so this makes it look like a deadlock issue (Moz is waiting for a thread to be unlocked, or some other response that never occurs). The site does a lot of processing in the background when the user selects the year. For example, it has to come up with all the car models for that year. This function seems to be central. It can be found in the file https://ww2.i21.com/_ScriptLibrary/RS.HTM : //***************************************************************** 233 // function _MSRS_startRequest(url,method,args,cb,ecb,context) 234 // 235 // This is key function for initiating a request for data. 236 // The url to the ASP file is required. The callback, 237 // error_callback, and user context parameters are optional. 238 //***************************************************************** 239 function _MSRS_startRequest(url,method,args,cb,ecb,context) 240 { 241 var request = new RSCallObject(cb,ecb,context); 242 if (this.rsapplet == null) 243 { 244 if (typeof(document.RSAspProxyApplet) == 'object') 245 this.rsapplet = document.RSAspProxyApplet; 246 else if (typeof(document.thisForm) == 'object' && typeof(document.thisForm.RSAspProxyApplet) == 'object') 247 this.rsapplet = document.thisForm.RSAspProxyApplet; 248 else 249 { 250 errmsg = 'ERROR:\nCannot locate proxy which supports Remote Scripting.\nWas RSEnableRemoteScripting method invoked?'; 251 request.status = MSRS_FAIL; 252 request.message = errmsg; 253 alert(errmsg); 254 } 255 } 256 257 if (request.status != MSRS_FAIL) 258 { 259 url = this.buildURL(url,method,args); 260 url_context = window.location.href; 261 this.rsapplet.startRequest(request.id,url_context,url,this.REQUEST_MODE_COMPLETE ); 262 if (typeof(cb) == 'function') 263 { 264 if (this.pollCount++ == 0) 265 this.setRequestPoll(); 266 } 267 else 268 { // wait synchronously for response 269 request.wait(); 270 } 271 } 272 return request; 273 } Notice the use of an applet. This is written by the file as document.write('<' + 'APPLET name=RSAspProxyApplet codebase=' + codebase + ' code=RSProxy.class height=0 width=0></applet>'); Here is some of the documentation: // ************************************************************************<br> // Microsoft Script Library<br> // Visual InterDev 6.0 Remote Scripting utilities for client<br> // Copyright 1998 Microsoft Corporation. All Rights Reserved.<br> // <b>Do not modify in design view. Switch to source view.</b><br> // ************************************************************************<br> // <script></script> //***************************************************************** // The Remote Scripting utilities for the client consist of // three public methods and the RSCallObject definition. // The public methods are RSEnableRemoteScripting, RSExecute // and RSGetASPObject. The RSCallObject is returned from any // remote scripting call and provides status and return value. //***************************************************************** //***************************************************************** // function RSEnableRemoteScripting() // This function enables the remote scripting proxy. //***************************************************************** function RSEnableRemoteScripting(codebase) { MSRS = new _MSRS_Object(); if (typeof(codebase) == 'undefined') { // assume applet is in _ScriptLibrary directory off the webroot var secondSlash, path; codebase = ''; if ((secondSlash = (path = window.location.pathname).indexOf('/',1)) != -1) codebase = path.substring(0,secondSlash); codebase += '/_ScriptLibrary'; } document.write('<' + 'APPLET name=RSAspProxyApplet codebase=' + codebase + ' code=RSProxy.class height=0 width=0></applet>'); }
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: hang
OS: Linux → All
I believe this is some sort of OJI or Security issue. The line above looks suspicious: 268 { // wait synchronously for response 269 request.wait(); 270 } I opened Mozilla's Java Console to look, setting trace level =5. Here's what we see after loading the page with the "Year" dropdown: Registered modality listener Referencing classloader: sun.plugin.ClassLoaderInfo@2db19d, refcount=1 Loading applet ... Initializing applet ... Starting applet ... Connecting https://ww2.i21.com/_ScriptLibrary/RSProxy.class with no proxy Connecting https://ww2.i21.com/_ScriptLibrary/RSProxy.class with cookie "dM=ID=80195374564.236.139.249Mon May 12 14:16:09 PDT 2003; lang=en; CP=null*; ASPSESSIONIDQGGQRQTC=GMKKHMMABGEJEIJBHPNBMIPG" Loading Root CA certificates from C:\PROGRA~1\Java\J2RE14~1.1\lib\security\cacerts Loaded Root CA certificates from C:\PROGRA~1\Java\J2RE14~1.1\lib\security\cacerts Loading Https Root CA certificates from C:\PROGRA~1\Java\J2RE14~1.1\lib\security\jssecacerts Https Root CA certificates file not found: Loaded Https Root CA certificates from C:\PROGRA~1\Java\J2RE14~1.1\lib\security\jssecacerts Loading JPI Https certificates from C:\WINNT\Profiles\pschwartau\.java\jpihttpscerts141 Loaded JPI Https certificates from C:\WINNT\Profiles\pschwartau\.java\jpihttpscerts141 Loading certificates from JPI session certificate store Loaded certificates from JPI session certificate store Loading https://ww2.i21.com/_ScriptLibrary/RSProxy.class from cache When we select a year, the hang begins, and in the Java Console we can see why. The following two lines appear over and over: JavaScript: calling Java system code JavaScript: default security policy = https://ww2.i21.com JavaScript: calling Java system code JavaScript: default security policy = https://ww2.i21.com JavaScript: calling Java system code JavaScript: default security policy = https://ww2.i21.com JavaScript: calling Java system code JavaScript: default security policy = https://ww2.i21.com JavaScript: calling Java system code JavaScript: default security policy = https://ww2.i21.com JavaScript: calling Java system code JavaScript: default security policy = https://ww2.i21.com JavaScript: calling Java system code JavaScript: default security policy = https://ww2.i21.com Reassigning to Security:General for further triage; cc'ing Joshua. Note: I am using Java plug-in 1.4.1 on WinNT.
Assignee: rogerl → mstoltz
Component: JavaScript Engine → Security: General
QA Contact: pschwartau → carosendahl
Andrew: what Java plug-in are you using with Mozilla on Linux?
Attached file log from java console
I'm using Sun JRE 1.4.1_02 this is what I get in the java console. it looks about the same except that it just doesn't continue forever.
I can't reproduce this bug when I use JRE1.4.2-beta-b19 and Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030422 on Win2k. Yes, there are a lot of JavaScript: calling Java system code JavaScript: default security policy = https://ww2.i21.com print in Java Console window, but this is reasonable because it relate to liveconnect.
Here's a clue: Andrew's Java Console log shows this extra line, which I don't see: JavaScript: caller and callee have same origin Notice it appears very early in Andrew's log: Loading applet ... Initializing applet ... Starting applet ... Quiting applet ... Finding information ... Releasing classloader: sun.plugin.ClassLoaderInfo@b3f9b8, refcount=1 Done ... JavaScript: calling Java system code JavaScript: default security policy = https://ww2.i21.com JavaScript: calling Java system code JavaScript: default security policy = https://ww2.i21.com JavaScript: caller and callee have same origin <<<----------------------- HERE JavaScript: default security policy = https://ww2.i21.com Connecting https://ww2.i21.com/include/sscript.asp?_method=getMakes&_mtype=execute&pcount=1&p0=1995 with no proxy JavaScript: caller and callee have same origin JavaScript: default security policy = https://ww2.i21.com Connecting https://ww2.i21.com/include/sscript.asp?_method=getMakes&_mtype=execute&pcount=1&p0=1995 with cookie "dM=ID=717111765165.247.155.245Tue May 13 17:01:33 PDT 2003; ASPSESSIONIDQGGQRQTC=NMPKHMMAPNJDMNLLABIMILOG; CP=null*; lang=en" Loading Root CA certificates from /usr/java/j2re1.4.1_02/lib/security/cacerts Loaded Root CA certificates from /usr/java/j2re1.4.1_02/lib/security/cacerts Loading Https Root CA certificates from /usr/java/j2re1.4.1_02/lib/security/jssecacerts Https Root CA certificates file not found: Loaded Https Root CA certificates from /usr/java/j2re1.4.1_02/lib/security/jssecacerts Loading JPI Https certificates from /home/andrew/.java/jpihttpscerts141_02 Loaded JPI Https certificates from /home/andrew/.java/jpihttpscerts141_02 Loading certificates from JPI session certificate store Loaded certificates from JPI session certificate store Whereas my log began like this: Registered modality listener Referencing classloader: sun.plugin.ClassLoaderInfo@2db19d, refcount=1 Loading applet ... Initializing applet ... Starting applet ... Connecting https://ww2.i21.com/_ScriptLibrary/RSProxy.class with no proxy Connecting https://ww2.i21.com/_ScriptLibrary/RSProxy.class with cookie "dM=ID=80195374564.236.139.249Mon May 12 14:16:09 PDT 2003; lang=en; CP=null*; ASPSESSIONIDQGGQRQTC=GMKKHMMABGEJEIJBHPNBMIPG" Loading Root CA certificates from C:\PROGRA~1\Java\J2RE14~1.1\lib\security\cacerts Loaded Root CA certificates from C:\PROGRA~1\Java\J2RE14~1.1\lib\security\cacerts Loading Https Root CA certificates from C:\PROGRA~1\Java\J2RE14~1.1\lib\security\jssecacerts Https Root CA certificates file not found: Loaded Https Root CA certificates from C:\PROGRA~1\Java\J2RE14~1.1\lib\security\jssecacerts Loading JPI Https certificates from C:\WINNT\Profiles\pschwartau\.java\jpihttpscerts141 Loaded JPI Https certificates from C:\WINNT\Profiles\pschwartau\.java\jpihttpscerts141 Loading certificates from JPI session certificate store Loaded certificates from JPI session certificate store Loading https://ww2.i21.com/_ScriptLibrary/RSProxy.class from cache In Andrew's log, when it comes time for the site to get the makes of the cars, we see a successful request to the applet to do it: https://ww2.i21.com/include/sscript.asp?_method=getMakes etc. etc. I don't see that in my log, only the security checks. I can prove this convincingly by bringing up the Mozilla JavaScript Debugger and setting breakpoints at lines 244, 261 in the key function above (see Comment #2). Just by interrupting the code there, waiting, and letting it continue, I can make the site work. That shows once again that some sort of timing issue is involved. And - it allows me to get a complete log from the Java Console, which I will attach below to compare to Andrew's. You will see that in my "interrupted" log, the same-origin statement finally does occur in the Java Console: very far down in the log, after I interrupted the code flow. And after that, the call to the getMakes() method of the applet is made - and everything works.
Take a look at the Java log in Comment #8, and search for "same origin". It occurs very, very far down in the log. A couple lines after it appears, we see a call to the getMakes() method of the applet, and things are fine. I think the only reason it works here is the momentary interrupt I'm doing in the JavaScript Debugger, which somehow allows the same-origin check to succeed. Without the interrupt, my Java does not succeed in verifying same-origin, and keeps trying to do so - hence the hang (?)
Here's what I'm talking about in my log: . . (hundreds of lines down, near the bottom) . . JavaScript: calling Java system code JavaScript: default security policy = https://ww2.i21.com JavaScript: caller and callee have same origin <<<----------------- FINALLY !!! JavaScript: default security policy = https://ww2.i21.com Connecting https://ww2.i21.com/include/sscript.asp?_method=getMakes etc. etc. Whereas in Andrew's log, this occurred right near the top -
I'm not seeing this problem - perhaps http://www.21st.com changed?
Assignee: security-bugs → dveditz
QA Contact: carosendahl → toolkit
[stupid enter key] Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20061119 SeaMonkey/1.5a
*** Bug 198943 has been marked as a duplicate of this bug. ***
Tony, do you see this?
(In reply to comment #14) > Tony, do you see this? 1. LC_TIME=en_GB seamonkey -no-remote -P testing (to avoid crashing my main instance even if I get the bug) 2. http://www.21st.com/ 3. Enter 94111 and click "Get a Quote". 4. (How did you hear about us?) Referral from a friend [ Continue ] 5. (First Name) No (M.I.) N (accepts only one character) (Second Name) No (Residence address) No (Unit #) No (City) No (State) (leave as set) CA (Zip code) (leave as set) 94111 [ ] Mailing address different from residence address (I reviewed the privacy policy) (*) No (Note: I'm doing what comment #0 said to do, am I not?) [ Continue ] Expected results: I didn't expect anything. Actual results: Next page is the same but with a big red message: Please correct the following information to continue with your request. * We are sorry, by answering 'No' to the Information Disclosure question, we are unable to provide you with an online quote. Please call our toll-free number 1-800-314-9947 or click the "Have us call you" link to speak to a licensed representative. Thank you. Conclusion: I don't know because unable to apply the "Steps to Reproduce" in comment #0. Reporter (David S.F.) (or Wayne), please provide explicit (and up-to-date) steps, which can be applied without logging in to the site.
P.S. The first page says getting a quote takes "5.0 minutes on average". Reporter, did you let the third page run for at least 10 minutes before deciding that the browser was hung?
(In reply to Tony Mechelynck [:tonymec] from comment #16) > P.S. The first page says getting a quote takes "5.0 minutes on average". > Reporter, did you let the third page run for at least 10 minutes before > deciding that the browser was hung? email to Reporter bounces. Maybe Phil is still around?
Flags: needinfo?(pschwartau)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(pschwartau)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: