This doesn't work in the Deer Park alpha, but 1.0.4 still vulnerable. Worth checking out what changed on the trunk. The setWallpaper.xul code all looks the same, and the linenumber for the exception I see from browser.js doesn't make a lot of sense (middle of the toggleSidebar() method? no nsIURI.host in sight). Error: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIURI.host]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://browser/content/browser.js :: anonymous :: line 3704" data: no]
Oh right, conditional processing of chrome files... in the source it's really line 3918, in initMiscItems() -- makes a lot more sense. Same code exists on the 1.0 branch, though, and the exception doesn't fire there. this.onImage must be true or the set as wallpaper menu item wouldn't be made visible. The exception fires as the trunk is creating the context menu, before you click on the Set as wallpaper item.
So, the exception that was getting thrown here isn't getting thrown now that the bug causing it was fixed, so I can reproduce on trunk as well.
I'm sure there's a better fix for this, but I can't think of it at 3 AM. Even if we just take this for branch and use something new on trunk for 1.8b3, that's ok by me.
will this work in all cases? what about wyciwyg (ok, that may not be an issue here) or jar? maybe this should use the scriptsecuritymanager?
Why are we filtering out data: here, exactly? The issue here is that opening he channel to save the image executes script, no? That's not a problem with data:.
Created attachment 186566 [details] [diff] [review] defence in depth basically, in this case we should be ensuring (beyond security considerations) that all broken images don't get here. So this patch disables the context menu item if the image hasn't loaded, and throws another check in setWallpaper.xul to ensure that if there's another caller floating around in extension-land that we're still safe. Tested the hell out of this, and its ready to go without breaking legit uses afaict.
Comment on attachment 186595 [details] [diff] [review] defence in depth (alternate patch) r=dveditz
Comment on attachment 186595 [details] [diff] [review] defence in depth (alternate patch) lets get this checked in. a=jay
If someone can land this in time for nightly builds, I don't have my private key installed here (need to get this thing running and building tomorrow now that I'm in NoCal).
Landed on branch, waiting on trunk approval.
Please land on the trunk
v.fixed on aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050706 Firefox/1.0.5 using the mikx testcase. The "Set As Wallpaper" menu item is now disabled.
Security advisories published