Closed Bug 214721 Opened 21 years ago Closed 21 years ago

long xpi filename can push "Cancel" button off screen

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

Product:
Core Graveyard
Component:
Installer: XPInstall Engine
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: sspitzer)

Details

(4 keywords)

Attachments

(3 files, 2 obsolete files)

screenshot 1: looks like Install is the only button
51.54 KB, image/png
Details
screenshot 2: only part of Install button is visible
51.40 KB, image/png
Details
updated patch
4.52 KB, patch
mkaply
: approval1.4.2+
asa
: approval1.5+
Details | Diff | Splinter Review 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030730 Mozilla
Firebird/0.6.1

An XPI with a very long filename pushes the Cancel button off the screen, making
it look like Install is the only button [screenshot 1].  A slightly longer
filename pushes enough of the Install button off of the screen that you can't
tell what the button says [screenshot 2].

This is a security hole.  I would expect to have a high success rate with this
attack, even though the "close window" button in the titlebar is still available.
Whiteboard: security
ssu, do you have cycles to work on this?
Flags: blocking1.5?
blake or ben, can you look at this. it doesn't look very difficult.
Flags: blocking1.5? → blocking1.5+
bad things can still happen if you make this dialog too narrow.

also, this uses window and not dialog (it must be one of the old, old dialogs)

let me look into that.
Attached patch patch (obsolete) — Splinter Review 

        Attachment #130697 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached patch
          
          
        updated patchSplinter Review
      

    


  

        Attachment #130701 -
        Attachment is obsolete: true

    
    

    
  
taking
Assignee: ssu → sspitzer

    
    

    
  
fixed, thanks to ben for the review.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 130702 [details] [diff] [review]
updated patch

a=asa (on behalf of drivers) for checkin to Mozilla 1.5

        Attachment #130702 -
        Flags: approval1.5+

    
    

    
  
the current UI for dialog is:

<name> <cert name> <full url>

you can still run into some less than desirable appearance issues if any of
those are overly long (but at least the buttons will be on screen).

I'm sure the UI could be improved, and I'll log a bug to track that.


    
    

    
  
spun off the UI issue to bug #218030

    
    

    
  
drivers, do we want this for 1.4?
Flags: blocking1.4.2?
Flags: blocking1.4.1?

    
  
Keywords: fixed1.5

    
  
Flags: blocking1.4.1?

    
    

    
  
fixed in 1.5, removing security flag
Group: security
Whiteboard: security → [sg:fix]

    
  
Whiteboard: [sg:fix] → security [sg:fix]

    
    

    
  
Comment on attachment 130702 [details] [diff] [review]
updated patch

a=mkaply for 1.4.2

        Attachment #130702 -
        Flags: approval1.4.2+

    
  
Flags: blocking1.4.2? → blocking1.4.2+

    
  
Keywords: fixed1.4.2

    
    

    
  
verified XPI file names no longer push buttons out of view.

NPWINMCIMIDI.xpi get's crunched to NPWIN....xpi 
Status: RESOLVED → VERIFIED

    
  
Keywords: csec-spoof, 
          
            sec-high
Whiteboard: security [sg:fix]
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: