Closed Bug 214721 Opened 21 years ago Closed 21 years ago

long xpi filename can push "Cancel" button off screen

Categories

(Core Graveyard :: Installer: XPInstall Engine, defect)

x86
Windows XP
defect
Not set
major

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: jruderman, Assigned: sspitzer)

Details

(4 keywords)

Attachments

(3 files, 2 obsolete files)

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030730 Mozilla Firebird/0.6.1 An XPI with a very long filename pushes the Cancel button off the screen, making it look like Install is the only button [screenshot 1]. A slightly longer filename pushes enough of the Install button off of the screen that you can't tell what the button says [screenshot 2]. This is a security hole. I would expect to have a high success rate with this attack, even though the "close window" button in the titlebar is still available.
Whiteboard: security
ssu, do you have cycles to work on this?
Flags: blocking1.5?
blake or ben, can you look at this. it doesn't look very difficult.
Flags: blocking1.5? → blocking1.5+
bad things can still happen if you make this dialog too narrow. also, this uses window and not dialog (it must be one of the old, old dialogs) let me look into that.
Attached patch patch (obsolete) — Splinter Review
Attachment #130697 - Attachment is obsolete: true
Attached patch updated patchSplinter Review
Attachment #130701 - Attachment is obsolete: true
taking
Assignee: ssu → sspitzer
fixed, thanks to ben for the review.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment on attachment 130702 [details] [diff] [review] updated patch a=asa (on behalf of drivers) for checkin to Mozilla 1.5
Attachment #130702 - Flags: approval1.5+
the current UI for dialog is: <name> <cert name> <full url> you can still run into some less than desirable appearance issues if any of those are overly long (but at least the buttons will be on screen). I'm sure the UI could be improved, and I'll log a bug to track that.
spun off the UI issue to bug #218030
drivers, do we want this for 1.4?
Flags: blocking1.4.2?
Flags: blocking1.4.1?
Keywords: fixed1.5
Flags: blocking1.4.1?
fixed in 1.5, removing security flag
Group: security
Whiteboard: security → [sg:fix]
Whiteboard: [sg:fix] → security [sg:fix]
Comment on attachment 130702 [details] [diff] [review] updated patch a=mkaply for 1.4.2
Attachment #130702 - Flags: approval1.4.2+
Flags: blocking1.4.2? → blocking1.4.2+
Keywords: fixed1.4.2
verified XPI file names no longer push buttons out of view. NPWINMCIMIDI.xpi get's crunched to NPWIN....xpi
Status: RESOLVED → VERIFIED
Keywords: csec-spoof, sec-high
Whiteboard: security [sg:fix]
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: