Open Bug 264999 Opened 17 years ago Updated 1 year ago
atoms do not handle embedded NUL characters
While debugging bug 264956, bz and I found that atoms do not handle embedded NUL characters. This was an issue because we were given "input\0AAA" so the parser was creating a user-defined node, but when we later created an atom out of it, it came back as "input", so we ended up trying to QI as an input element and crashing. The fix to bug 264956 prevents this now, but as NULs can also come through attributes, and these also get turned into atoms, this is still a problem.
To be precise, our mutation event code atomizes attribute _values_. Which can well contain nulls.
XUL elements atomize all attribute values smaller than a certain size. All other elements should as well, though I don't think I actually flicked the switch on that.
I don't believe null characters are ever valid characters in XML data, but maybe they can in HTML... But I don't think there's anything preventing them from coming in through the DOM...
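The truncation described in this report, as an added example that is not part of the bug discussion and not Mozilla's atom code: a hypothetical `AtomTable` with one NUL-terminated intern path and one length-aware path, run on the constructed input "input\0AAA" from the description.

```cpp
#include <cstddef>
#include <iostream>
#include <set>
#include <string>

// Hypothetical atom table (an assumption, not Mozilla's implementation):
// interns strings and returns a pointer to the canonical copy, so two
// atoms are equal exactly when their pointers are equal.
class AtomTable {
public:
    // Flawed path: treats the buffer as a C string, so the length is whatever
    // the first NUL dictates and everything after it is silently dropped.
    const std::string* InternCStr(const char* s) {
        return &*table_.insert(std::string(s)).first;
    }
    // Length-aware path: the caller supplies the length, embedded NULs survive.
    const std::string* InternCounted(const char* s, std::size_t len) {
        return &*table_.insert(std::string(s, len)).first;
    }
private:
    std::set<std::string> table_;  // node-based, so element addresses stay stable
};

// Constructed sample input: the tag name from the report, 9 bytes long.
static const char kTag[] = "input\0AAA";
static const std::size_t kTagLen = sizeof(kTag) - 1;

// True when the C-string path makes the odd name indistinguishable from "input".
bool TruncatedAtomCollides() {
    AtomTable t;
    return t.InternCStr(kTag) == t.InternCStr("input");
}

// True when the length-aware path keeps the two names as distinct atoms.
bool CountedAtomDistinct() {
    AtomTable t;
    const std::string* a = t.InternCounted(kTag, kTagLen);
    return a != t.InternCounted("input", 5) && a->size() == kTagLen;
}

int main() {
    std::cout << "C-string atom equals \"input\": " << TruncatedAtomCollides() << "\n";
    std::cout << "counted atom stays distinct: " << CountedAtomDistinct() << "\n";
    return 0;
}
```

The collision is the condition under which code that dispatches on the atom treats the node as an input element even though the parser classified the full name differently.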
Assignee: dougt → nobody
QA Contact: xpcom
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2008-5510
The patch that Mats wrote, fixing Atom, was never applied (as far as I know). We went with a different, narrower fix in the CSS parser for bug 228856.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---