Closed Bug 214198 Opened 21 years ago Closed 21 years ago

Mozilla does not detect and ignore malicious recursive document.write <script>

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
RESOLVED DUPLICATE of bug 185945

People

(Reporter: ptchristendom, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5a) Gecko/20030718
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5a) Gecko/20030718

Paste this script into a text file and view it in mozilla (as html).  Mozilla
will give me an hourglass, and be sluggish.  After I finally hit stop, things
work almost OK except that when I type in the URL bar, the LETTERS COME OUT
BACKWARDS, e.g., "moc.elgoog.www".  (the arrow keys don't work either).  Mozilla
must be restarted before it will work right again

-------------------------CUT HERE-------------------------------------
<script>var c=1; var a=new
Array(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,99,32,43,32,34,46,32,60,115,99,114,34,43,34,105,112,116,62,118,97,114,32,99,61,34,32,43,32,40,99,43,49,41,32,43,32,34,59,32,118,97,114,32,97,32,61,32,110,101,119,32,65,114,114,97,121,40,34,32,43,32,97,46,106,111,105,110,40,41,32,43,32,34,41,59,34,41,59,13,10,102,111,114,40,118,97,114,32,105,32,61,32,48,59,32,105,32,60,32,97,46,108,101,110,103,116,104,59,32,105,43,43,41,32,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,97,91,105,93,41,41,59,13,10,60,47,115,99,114,105,112,116,62);
document.write(c + ". <scr"+"ipt>var c=" + (c+1) + "; var a = new Array(" +
a.join() + ");");
for(var i = 0; i < a.length; i++) document.write(String.fromCharCode(a[i]));
</script>

Reproducible: Always

Steps to Reproduce:
1. Paste the script into C:\test.html
2. Go to file:c:\test.html
3. Hit stop
4. Try to type in a new address

Actual Results:  
See details

Expected Results:  
Mozilla should refuse to render nested document.write scripts after a certain
level deep.  (IE 6.0 will print "1. 2. 3. 4. 5." and then stop)

Problem also existings in 1.4.something.
1.2.1 just crashes.

This bug allows malicious web programmers or XSS vulnerabilities to annoy the
browser, forcing him to restart mozilla.

Also test for similar tricks using eval().  I have not tried this.
> Mozilla should refuse to render nested document.write scripts after a certain
> level deep.  (IE 6.0 will print "1. 2. 3. 4. 5." and then stop)

I've certainly seen pages that have nested scripts more than 5 levels deep and
work fine with IE....

In any case, this is DOM all the way, not JS engine.
Component: JavaScript Engine → DOM Level 0
.
Assignee: rogerl → dom_bugs
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: pschwartau → ashishbhatt
Duplicate of bug 185945?
"Recursive document.write() prevents browser from shutting down completely"
Whiteboard: DUPEME

*** This bug has been marked as a duplicate of 185945 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Whiteboard: DUPEME
You need to log in before you can comment on or make changes to this bug.