Closed
Bug 296704
Opened 20 years ago
Closed 20 years ago
trusted event reinitialization allows data-theft
Categories
(Core :: DOM: Events, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: sync2d, Assigned: jst)
References
Details
(Keywords: fixed-aviary1.0.5, fixed1.7.9, Whiteboard: [sg:fix])
Attachments
(5 files, 2 obsolete files)
2.58 KB,
text/html
|
Details | |
37.32 KB,
patch
|
Details | Diff | Splinter Review | |
27.29 KB,
patch
|
dveditz
:
review+
bryner
:
superreview+
dveditz
:
approval-aviary1.0.5+
dveditz
:
approval1.7.9+
dveditz
:
approval1.8b3+
|
Details | Diff | Splinter Review |
37.35 KB,
patch
|
Details | Diff | Splinter Review | |
9.17 KB,
patch
|
dveditz
:
review+
dveditz
:
superreview+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Build Identifier: Mozilla has the special "trusted" flag on event objects, and uses it to deny untrusted events to do some special operations. So untrusted events raised by web pages cannot do clipboard copy, paste, etc... However, malicious page can hijack trusted events by reinitializing such events using DOM initEvent() family in the event handlers, and can perform limited subset of the privileged operations. Reproducible: Always Steps to Reproduce: 1. open the testcase. 2. press "alt-a" key. Actual Results: trusted events can be reinitialized by initEvent() family. Expected Results: initEvent() family during dispatching-phase must be ignored. So, trusted events cannot be hijacked by web pages. http://www.w3.org/TR/DOM-Level-2-Events/events.html#Events-Event-initEvent According to DOM Level2 Events Spec, initEvent() family called during event dispatching-phase must be ignored.
testcase: clipboard text and local file can be stealed. works on firefox 1.0.4 and firefox trunk 2005060423. Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4 Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b2) Gecko/20050604 Firefox/1.0+
Updated•20 years ago
|
Assignee: events → jst
Blocks: sbb?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.8b3+
Flags: blocking1.7.9+
Flags: blocking-aviary1.0.5+
Whiteboard: [sg:fix]
Assignee | ||
Comment 2•20 years ago
|
||
Fix coming up.
Assignee | ||
Comment 3•20 years ago
|
||
There may be a more efficient way to do this, with less code even. But I'm not sure where that would be to catch all cases, so for now this is probably the safest approach. Alternatively I guess we could move the code that marks events as being dispatched already into nsEventListenerManager::HandleEvent() as I *think* that all event handler invocations *always* go through there. And if no handler is ever called, there's no *real* reason to mark the event since no untrusted code could ever get a reference to the event (unless it was created by script, in which case it'll be properly marked trustes/untrusted anyways). Thoughts?
Attachment #185875 -
Flags: superreview?(dveditz)
Attachment #185875 -
Flags: review?(bzbarsky)
Comment 4•20 years ago
|
||
I don't see why you shouldn't be able to dispatch an event twice. If the event is already being dispatched, then dispatching it again should raise DISPATCH_REQUEST_ERR. Once an event has been passed to the dispatchEvent method, then calling initEventXXX() on it should do nothing. Once a trusted event has finished being dispatched, its trusted flag should be reset, so that if it is redispatched, it doesn't do any damage. Beyond that I see no reason to stop redispatching or reinitialising.
Comment 5•20 years ago
|
||
Comment on attachment 185875 [details] [diff] [review] Prevent events from ever being initialized or dispatched more than once. It's going to take me a day or two to get to this.... If I don't by the 19th, though, then I won't be able to until July.
Comment 6•20 years ago
|
||
If bz can't get to this soon, can anyone else jump in here and get this fixed for 1.0.5/1.7.9?
Comment 7•20 years ago
|
||
Comment on attachment 185875 [details] [diff] [review] Prevent events from ever being initialized or dispatched more than once. >-#define NS_PRIV_EVENT_UNTRUSTED_PERMITTED 0x0800 >+#define NS_EVENT_FLAG_DISPATCH_STARTED 0x0800 >+#define NS_PRIV_EVENT_UNTRUSTED_PERMITTED 0x1000 bump the untrusted define to 0x8000 so we don't move it around each time we add a new flag. (Potentially breaks existing add-ons otherwise binary compatible with unchanged interfaces.) sr=dveditz
Attachment #185875 -
Flags: superreview?(dveditz) → superreview+
Updated•20 years ago
|
Whiteboard: [sg:fix] → [sg:fix] need r=, a=, landing
Attachment #185875 -
Flags: review?(bzbarsky) → review?(bugmail)
Assignee | ||
Comment 8•20 years ago
|
||
To be on the safe side, this makes is so that re-dispatching an event still works as long as the event isn't in the process of being dispatched already. This also makes sure that if an event is re-dispatched and the event is trusted, it makes sure the caller is also trusted. If not, it unsets the trusted bit when re-initializing the event. This code piggy-backs on the NS_EVENT_FLAG_STOP_DISPATCH_IMMEDIATELY bit to know that an event has already been dispatched, the bit gets set when we leave the DOM event loop, and it's checked when dispatching an event. diff -w coming up.
Assignee | ||
Comment 9•20 years ago
|
||
This should fix this bug while letting people reuse events in a safe way.
Attachment #186960 -
Flags: superreview?(bryner)
Attachment #186960 -
Flags: review?(dveditz)
Assignee | ||
Comment 10•20 years ago
|
||
*** Bug 292943 has been marked as a duplicate of this bug. ***
Updated•20 years ago
|
Attachment #186960 -
Flags: superreview?(bryner) → superreview+
Assignee | ||
Updated•20 years ago
|
Attachment #185875 -
Attachment is obsolete: true
Attachment #185875 -
Flags: superreview+
Attachment #185875 -
Flags: review?(bugmail)
Comment 11•20 years ago
|
||
Comment on attachment 186960 [details] [diff] [review] diff -w of the above for review. r=dveditz a=dveditz for branches and trunk
Attachment #186960 -
Flags: review?(dveditz)
Attachment #186960 -
Flags: review+
Attachment #186960 -
Flags: approval1.8b3+
Attachment #186960 -
Flags: approval1.7.9+
Attachment #186960 -
Flags: approval-aviary1.0.5+
Updated•20 years ago
|
Whiteboard: [sg:fix] need r=, a=, landing → [sg:fix] need landing
Assignee | ||
Comment 12•20 years ago
|
||
Assignee | ||
Comment 13•20 years ago
|
||
Fixed on trunk and aviary branches. There are some differences between 1.7 and aviary branches that make this hard to apply there, need to figure that out before landing on the 1.7 branch.
Comment 14•20 years ago
|
||
dveditz and jst need to discuss any discreprencies with their checkins on the 1.7 branch to get this patch checked in there.
Comment 15•20 years ago
|
||
Comment on attachment 186981 [details] [diff] [review] Aviary and mozilla1.7 branch version of the above Per 1.0.5 meeting, needs check-in by dveditz.
Attachment #186981 -
Attachment description: Aviary version of the above. → Aviary version of the above. [needs check-in]
Updated•20 years ago
|
Whiteboard: [sg:fix] need landing → [sg:fix] needs landing by dveditz
Comment 16•20 years ago
|
||
Checked into mozilla 1.7 branch for jst
Keywords: fixed1.7.9
Whiteboard: [sg:fix] needs landing by dveditz → [sg:fix]
Updated•20 years ago
|
Attachment #186981 -
Attachment description: Aviary version of the above. [needs check-in] → Aviary and mozilla1.7 branch version of the above
Comment 17•20 years ago
|
||
Don't early returns on various errors in HandleDOMEvent methods mean we won't remove the "dispatching" flag from some events?
Assignee | ||
Comment 18•20 years ago
|
||
Attachment #188994 -
Flags: superreview?(dveditz)
Attachment #188994 -
Flags: review?(dveditz)
Assignee | ||
Comment 19•20 years ago
|
||
This unsets the NS_EVENT_FLAG_STOP_DISPATCH_IMMEDIATELY bit when re-initializing events to make them dispatchable again. Dveditz found this part was missing.
Attachment #188994 -
Attachment is obsolete: true
Attachment #188995 -
Flags: superreview?(dveditz)
Attachment #188995 -
Flags: review?(dveditz)
Assignee | ||
Updated•20 years ago
|
Attachment #188994 -
Flags: superreview?(dveditz)
Attachment #188994 -
Flags: review?(dveditz)
Comment 20•20 years ago
|
||
Comment on attachment 188995 [details] [diff] [review] Missed one part of the missing code. r/sr=dveditz
Attachment #188995 -
Flags: superreview?(dveditz)
Attachment #188995 -
Flags: superreview+
Attachment #188995 -
Flags: review?(dveditz)
Attachment #188995 -
Flags: review+
Assignee | ||
Comment 21•20 years ago
|
||
Missing changes landed on the aviary *and* 1.7 branches now.
Comment 22•20 years ago
|
||
v.fixed on Aviary with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5 using attached testcase. Alt-A no longer compromises your clipboard.
Comment 23•20 years ago
|
||
Adding distributors
Updated•19 years ago
|
Flags: testcase+
Updated•18 years ago
|
Flags: in-testsuite+ → in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•