Closed
Bug 210240
Opened 21 years ago
Closed 17 years ago
alert() in onblur triggers onblur with XULDocument target
Categories
(Core :: Security, defect, P4)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: jruderman, Assigned: emaijala+moz)
References
Details
(Whiteboard: [sg:investigate])
Attachments
(2 files, 2 obsolete files)
Steps to reproduce: 1. Go to 2. Paste this code into the top frame: <body> <script> window.onblur = function(e) { if(("" + e.target).indexOf("XUL")!=-1) alert("!!! " + e.target) else alert("" + e.target); } </script> 3. Click on the bottom frame. 4. Click on the top frame. Result: two alerts appear, the second showing that the script got a reference to a XULDocument. This XULDocument seems to be part of the browser. Expected: only one alert should appear. This is probably the cause of bug 112294, "calling an alert box from window.onblur triggers the event multiple times". Tested in Firebird 05/22 and Firebird 06/21 on Windows XP.
Reporter | ||
Comment 1•21 years ago
|
||
Reporter | ||
Comment 2•21 years ago
|
||
cc bryner so he can see this bug
Reporter | ||
Comment 3•20 years ago
|
||
Still happens in Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041021 Firefox/1.0. I have to click the inner frame and then the outer frame in the testcase.
Comment 4•20 years ago
|
||
Is this a vulnerability requiring the confidential flag? CAPS seems to protect getting or setting any of the XULDocument properties I poked at. Definitely a bug though, and might suggest places where chrome objects are similarly leaked.
Whiteboard: [sg:fix]
Comment 5•19 years ago
|
||
Deer park: -On mac got three alerts -- html document, null, html document. -On winXP got the original two alerts: html document, xul document.
Whiteboard: [sg:fix] → [sg:investigate]
Updated•19 years ago
|
Flags: testcase+
Comment 6•18 years ago
|
||
The testcase is crashing now after the first alert in current trunk builds, I filed bug 339470 for that.
Updated•18 years ago
|
Assignee: security-bugs → dveditz
QA Contact: carosendahl → toolkit
Updated•17 years ago
|
Flags: in-testsuite+ → in-testsuite?
Reporter | ||
Comment 7•17 years ago
|
||
I can't reproduce on Mac, but this needs to be retested on Windows before it can be marked as WFM.
Comment 8•17 years ago
|
||
I crash with a 2007-03-01 build, but with a 2007-03-02 build, I don't crash anymore and I don't see the XULDocument alerting anymore. So I guess this was indeed fixed on windows somehow. Not sure if it was fixed by the patch from bug 339470. But in current windows trunk builds, no alert fires at all, I filed bug 392148 for that.
Should this be a blocker? Sounds scary. Smaug or Ere, do you have any ideas here?
Flags: blocking1.9?
Comment 10•17 years ago
|
||
Ere, please see above comment.
Assignee | ||
Comment 11•17 years ago
|
||
Sounds similar to the other symptom in bug 392148. Maybe it should be actually moved here. Here it is: If you make the blur event fire by clicking another window you enter an endless loop of popups. It's not a mouse trailer issue as I originally thought but something going seriously wrong. With the test case from bug 392148 I also get this assertion: ###!!! ASSERTION: Attempt to decrement focus controller's suppression when no suppression active!
Assignee | ||
Comment 12•17 years ago
|
||
Could someone mark bug 392148 security sensitive?
Assignee: dveditz → emaijala
Flags: blocking1.9? → blocking1.9+
Ere, would you be able to have a stab at this one? Or would Smaug be a better candidate? It sounds scary, so it would be great to have fixed.
Assignee | ||
Comment 14•17 years ago
|
||
I'll take a look, but Smaug might have more insight on this.
Assignee | ||
Comment 15•17 years ago
|
||
The attached testcase also shows the other problem where the alerts just duplicate if they're triggered by focusing another app.
Assignee | ||
Comment 17•17 years ago
|
||
Here's a call stack leading to the erroneous focus unsuppression. As far as I can tell it seems the following happens: 1. Focusing another window fires the first blur event. 2. The blur event creates the alert dialog. 3. When the alert dialog is loaded and gets focus, second blur is fired for the old content, which is already processing the first blur. Not sure about the above either, so don't take it as granted. I'll do some more digging, but Smaug, feel free to help here too as I'm not sure I can get much further in any reasonable amount of time.
Comment 18•17 years ago
|
||
I'll look at this too, hopefully within the next few days.
Comment 19•17 years ago
|
||
On Linux/trunk I never get alert with "XULDocument". The target of the event is either the window or the document of iframe. To get the alerts I need to, for example, first focus iframe and then the main document and then open a new window and focus that.
Assignee | ||
Comment 20•17 years ago
|
||
This patch, modeled along the way the same is done for GOTFOCUS and LOSTFOCUS in nsEventStateManager::SendFocusBlur, prevents the eternal alert loop when switching to another app. Doesn't fix non-firing of events or the focus suppression alert.
Assignee | ||
Comment 21•17 years ago
|
||
The code path causing the assertion: 1. Processing of DEACTIVATE begins 2. It causes another window to ACTIVATE 3. When ACTIVATE is done, nsEventStateManager::PreHandleEvent unsuppresses until not suppressed 4. When deactivate is processed, it unsuppresses unconditionally causing the assertion Shall we make DEACTIVATE unsuppression conditional too?
If there are ways to actually exploit this we need to up the priority, please let us know if so. (we'll take your word for it, no testcases needed). Ere, that said, is this patch ready for review?
Priority: -- → P4
Assignee | ||
Comment 23•17 years ago
|
||
I'll add some code to fix the assertion and post a new patch.
Assignee | ||
Comment 24•17 years ago
|
||
This patch contains the same loop-breaker as the previous one and removes the assertion from focus controller. I first thought I'd make the unsuppression conditional in event state manager, but there were other cases that could have triggered it too (such as SendFocusBlur using a nsFocusSuppressor and causing activation) so I just removed the assertion.
Attachment #283915 -
Attachment is obsolete: true
Attachment #287853 -
Flags: review?
Comment 25•17 years ago
|
||
Comment on attachment 287853 [details] [diff] [review] Patch to fix the loop and remove the assertion I think you wanted someone to review this.
Attachment #287853 -
Flags: review? → review?(Olli.Pettay)
Assignee | ||
Comment 26•17 years ago
|
||
Comment on attachment 287853 [details] [diff] [review] Patch to fix the loop and remove the assertion Uh.. that's what I tried, but I always miss the message about multiple matches...
Assignee | ||
Comment 27•17 years ago
|
||
There seems to be an additional problem that causes a modal dialog loop without a dialog if the alert is caused by closing the last window. The previous patch is still valid, but this problem needs to be addressed too.
Comment 28•17 years ago
|
||
As I said in comment 19, I don't see XULDocument as target. Does that happen somehow on Windows? The patch fixes possible loop, but I don't know how to reproduce that on linux using the testcase. (I tried having several ff windows or ff+some other app, etc.) The patch as such makes sense (expect mFirstDocumentBlurEvent should be renamed), but is it really for this bug? This bug is about "alert() in onblur triggers onblur with XULDocument target ", and that is something scary. Having a loop/DoS isn't nearly as bad.
Assignee | ||
Comment 29•17 years ago
|
||
I originally thought the loop and the XULDocument as target might have something in common, that's why it's here. I can split it and the other DoS stuff into a new bug if you think that's better. I can't reproduce the XUL target either, so there must have been something else too affecting this. This was indeed confirmed by Martijn in comment #8. Such as mess..
Comment 30•17 years ago
|
||
New bug with a testcase and a patch would be great. I could review that patch. This could be marked WFM, I think, unless someone finds the bug that fixed this. When fixing bug 392148 it is perhaps better to make sure that this one doesn't regress.
Assignee | ||
Updated•17 years ago
|
Attachment #287853 -
Attachment is obsolete: true
Attachment #287853 -
Flags: review?(Olli.Pettay)
Assignee | ||
Comment 31•17 years ago
|
||
There's actually bug 112294. I'll continue there. Marking this WFM.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
It would be great if we got a testcase for this checked in. This is especially true since it's a potential security problem that we don't really know how it got fixed and so might regress.
Updated•15 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•