Closed
Bug 257523
Opened 20 years ago
Closed 20 years ago
Text fields give scripts access to the user's clipboard
Categories
(Core :: DOM: Events, defect)
Core
DOM: Events
Tracking
()
VERIFIED
FIXED
People
(Reporter: jwkbugzilla, Assigned: jwkbugzilla)
Details
(Keywords: fixed-aviary1.0, fixed1.7, regression, Whiteboard: [sg:fix] fixed1.7.3)
Attachments
(5 files)
448 bytes,
text/html
|
Details | |
463 bytes,
text/html
|
Details | |
1.15 KB,
patch
|
jst
:
review+
dveditz
:
superreview+
chofmann
:
approval-aviary+
chofmann
:
approval1.7.5+
|
Details | Diff | Splinter Review |
2.08 KB,
patch
|
Details | Diff | Splinter Review | |
2.30 KB,
patch
|
jst
:
review+
dveditz
:
superreview+
mkaply
:
approval-aviary+
mkaply
:
approval1.7.5+
|
Details | Diff | Splinter Review |
Text fields accept script-generated events. You cannot send Ctrl-C - this is a
menu shortcut, so untrusted events will be rejected. But you can send Ctrl-Ins,
which is implemented in the text field itself. This way you can put every text
you want into the user's clipboard. And you can send Shift-Ins to insert
whatever you have in your clipboard into the text field.
I've tested this on Windows but it should work as well at least with KDE, it has
same shortcuts.
Assignee | ||
Comment 1•20 years ago
|
||
Assignee | ||
Comment 2•20 years ago
|
||
Assignee | ||
Comment 3•20 years ago
|
||
These shortcuts are defined in
content/xbl/builtin/(win|unix)/platformHTMLBindings.xml. XBL only rejects
non-trusted events for chrome content but these text fields are not chrome...
Updated•20 years ago
|
Assignee: nobody → jst
Component: Layout: Form Controls → DOM: Events
Whiteboard: [sg:fix]
Comment 4•20 years ago
|
||
Severity critical, because I keep copy&pasting passwords, assume others do as well.
Reproduced both read and write on Mozilla 1.7.x branch on Linux. Only works when
I copied using the explicit "CLIPBOARD" (via menu, shortcut etc.), not the
"PRIMARY" clipboard (just select).
<http://freedesktop.org/Standards/clipboards-spec/clipboards.txt>
Severity: major → critical
Flags: blocking1.8a4?
Flags: blocking1.7.x?
Flags: blocking-aviary1.0mac?
Flags: blocking-aviary1.0PR?
Flags: blocking-aviary1.0?
OS: Windows XP → All
Hardware: PC → All
Assignee | ||
Comment 5•20 years ago
|
||
This prevents commands from being triggered by non-trusted events, even if the
widget itself isn't trusted.
Assignee | ||
Updated•20 years ago
|
Attachment #157608 -
Flags: review?(jst)
Comment 6•20 years ago
|
||
Comment on attachment 157608 [details] [diff] [review]
Proposed patch
Seems reasonable to me. r=jst
Attachment #157608 -
Flags: review?(jst) → review+
Comment 7•20 years ago
|
||
Comment on attachment 157608 [details] [diff] [review]
Proposed patch
> // See if our event receiver is a content node (and not us).
> PRBool isXULKey = (mType & NS_HANDLER_TYPE_XUL);
>
>- //XUL handlers shouldn't be triggered by non-trusted events.
>- if (isXULKey) {
>+ //XUL handlers and commands shouldn't be triggered by non-trusted events.
>+ if (isXULKey || (mType & NS_HANDLER_TYPE_XBL_COMMAND)) {
Since there's another (mType & NS_HANDLER_TYPE_XBL_COMMAND) a few lines down
you could define isXBLCommand like isXULKey above for readability. Or not --
your call.
sr=dveditz
Attachment #157608 -
Flags: superreview+
Attachment #157608 -
Flags: approval1.7.x?
Attachment #157608 -
Flags: approval-aviary?
Comment 8•20 years ago
|
||
Is there anything that could be legitimately relying on the old behavior? I was
thinking of some sort of QA test harness poking in events, but I guess a chrome
app could create trusted events for that.
Comment 9•20 years ago
|
||
Comment on attachment 157608 [details] [diff] [review]
Proposed patch
a=chofmann for the branches
Attachment #157608 -
Flags: approval1.7.x?
Attachment #157608 -
Flags: approval1.7.x+
Attachment #157608 -
Flags: approval-aviary?
Attachment #157608 -
Flags: approval-aviary+
Updated•20 years ago
|
Flags: blocking1.7.x?
Flags: blocking1.7.x+
Flags: blocking-aviary1.0PR?
Flags: blocking-aviary1.0PR+
Comment 10•20 years ago
|
||
we run as chrome and i actually have keyhandling off. supporting midas is going
to be so much fun.
Comment 11•20 years ago
|
||
Comment 12•20 years ago
|
||
Fixed on aviary and 1.7 branches, and on the trunk. Marking FIXED.
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: fixed-aviary1.0,
fixed1.7.x
Resolution: --- → FIXED
Comment 13•20 years ago
|
||
Fix checked into the 1.7.2 branch also
Whiteboard: [sg:fix] → [sg:fix] fixed1.7.2+
Updated•20 years ago
|
Flags: blocking-aviary1.0mac?
Flags: blocking-aviary1.0?
Comment 14•20 years ago
|
||
Verified with the two testcases on Mozilla/5.0 (Windows; U; Windows NT 5.1;
en-US; rv:1.7.3) Gecko/20040910
Updated•20 years ago
|
Group: security
Whiteboard: [sg:fix] fixed1.7.2+ → [sg:fix] fixed1.7.3
Updated•20 years ago
|
Flags: blocking1.8a4?
Comment 15•20 years ago
|
||
The test cases still work (i.e. the bug still exists) for me in Linux with the
GTK2/XFT nightly builds of both Mozilla and Firefox; however, it does seems
fixed with the GTK1 builds.
Comment 16•20 years ago
|
||
Reopening, as this is still not fixed on linux.
Assignee | ||
Comment 17•20 years ago
|
||
Just a guess - is this because of bug 257405?
Assignee | ||
Comment 18•20 years ago
|
||
Looking at the patch - this seems to be the case. DOMEventToNativeKeyEvent()
should return PR_FALSE for non-trusted events.
Assignee | ||
Comment 19•20 years ago
|
||
This fixes the regression caused by bug 257405. AFAICT this is the only place
where we need a check.
Assignee | ||
Updated•20 years ago
|
Attachment #160498 -
Flags: superreview?(dveditz)
Attachment #160498 -
Flags: review?(jst)
Updated•20 years ago
|
Keywords: regression
Comment 20•20 years ago
|
||
Comment on attachment 160498 [details] [diff] [review]
Patch for the regression
Thanks for the quick fix, Wladimir!
r=jst
Attachment #160498 -
Flags: review?(jst) → review+
Comment 21•20 years ago
|
||
Comment on attachment 160498 [details] [diff] [review]
Patch for the regression
sr=dveditz
bug 257523 landed on the branches, so we'll want this regression fix there as
well.
Attachment #160498 -
Flags: superreview?(dveditz)
Attachment #160498 -
Flags: superreview+
Attachment #160498 -
Flags: approval1.7.x?
Attachment #160498 -
Flags: approval-aviary?
Comment 22•20 years ago
|
||
Comment on attachment 160498 [details] [diff] [review]
Patch for the regression
a=mkaply for both
Attachment #160498 -
Flags: approval1.7.x?
Attachment #160498 -
Flags: approval1.7.x+
Attachment #160498 -
Flags: approval-aviary?
Attachment #160498 -
Flags: approval-aviary+
Comment 23•20 years ago
|
||
Fixed on trunk, aviary and 1.7 branches. Thanks for the patch, Wladimir!
Status: REOPENED → RESOLVED
Closed: 20 years ago → 20 years ago
Keywords: fixed-aviary1.0,
fixed1.7
Resolution: --- → FIXED
Comment 25•20 years ago
|
||
verified with Mac 1.75 2004-12-16-09
Assignee | ||
Updated•18 years ago
|
Assignee: jst → trev
Comment 26•17 years ago
|
||
I only see Ctrl-Ins and Shift-Ins mentioned.
Are we taking care of "Shift-Del" which is equivalent to ctrl-x
Also if we can get a test case, it will be great help.
Assignee | ||
Comment 27•17 years ago
|
||
The fix here is general and takes care of all keys handled by XBL bindings.
You need to log in
before you can comment on or make changes to this bug.
Description
•