long xpi filename can push "Cancel" button off screen

VERIFIED FIXED

Status

--
major
VERIFIED FIXED
15 years ago
3 years ago

People

(Reporter: jruderman, Assigned: sspitzer)

Tracking

(4 keywords)

Trunk
x86
Windows XP
csectype-spoof, fixed1.4.2, fixed1.5, sec-high
Bug Flags:
blocking1.4.2 +
blocking1.5 +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments, 2 obsolete attachments)

(Reporter)

Description

15 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030730 Mozilla
Firebird/0.6.1

An XPI with a very long filename pushes the Cancel button off the screen, making
it look like Install is the only button [screenshot 1].  A slightly longer
filename pushes enough of the Install button off of the screen that you can't
tell what the button says [screenshot 2].

This is a security hole.  I would expect to have a high success rate with this
attack, even though the "close window" button in the titlebar is still available.
(Reporter)

Updated

15 years ago
Whiteboard: security
(Reporter)

Comment 1

15 years ago
Created attachment 129005 [details]
screenshot 1: looks like Install is the only button
(Reporter)

Comment 2

15 years ago
Created attachment 129006 [details]
screenshot 2: only part of Install button is visible

Comment 3

15 years ago
ssu, do you have cycles to work on this?

Updated

15 years ago
Flags: blocking1.5?

Comment 4

15 years ago
blake or ben, can you look at this. it doesn't look very difficult.
Flags: blocking1.5? → blocking1.5+
bad things can still happen if you make this dialog too narrow.

also, this uses window and not dialog (it must be one of the old, old dialogs)

let me look into that.
Created attachment 130701 [details] [diff] [review]
patch
Attachment #130697 - Attachment is obsolete: true
Created attachment 130702 [details] [diff] [review]
updated patch
Attachment #130701 - Attachment is obsolete: true
taking
Assignee: ssu → sspitzer
fixed, thanks to ben for the review.
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED

Comment 13

15 years ago
Comment on attachment 130702 [details] [diff] [review]
updated patch

a=asa (on behalf of drivers) for checkin to Mozilla 1.5
Attachment #130702 - Flags: approval1.5+
the current UI for dialog is:

<name> <cert name> <full url>

you can still run into some less than desirable appearance issues if any of
those are overly long (but at least the buttons will be on screen).

I'm sure the UI could be improved, and I'll log a bug to track that.
spun off the UI issue to bug #218030

Comment 16

15 years ago
drivers, do we want this for 1.4?
Flags: blocking1.4.2?
Flags: blocking1.4.1?

Updated

15 years ago
Keywords: fixed1.5

Updated

15 years ago
Flags: blocking1.4.1?
fixed in 1.5, removing security flag
Group: security
Whiteboard: security → [sg:fix]
(Reporter)

Updated

15 years ago
Whiteboard: [sg:fix] → security [sg:fix]
Comment on attachment 130702 [details] [diff] [review]
updated patch

a=mkaply for 1.4.2
Attachment #130702 - Flags: approval1.4.2+
Flags: blocking1.4.2? → blocking1.4.2+
Keywords: fixed1.4.2
verified XPI file names no longer push buttons out of view.

NPWINMCIMIDI.xpi get's crunched to NPWIN....xpi 
Status: RESOLVED → VERIFIED
(Reporter)

Updated

5 years ago
Keywords: csec-spoof, sec-high
Whiteboard: security [sg:fix]
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.