[FIX]xml object parsed from string from flash throws permission denied error when accessed

RESOLVED FIXED in mozilla1.9alpha1

Status

()

Core
XML
--
major
RESOLVED FIXED
12 years ago
11 years ago

People

(Reporter: Tarraccas, Assigned: bz)

Tracking

({fixed1.8.1, verified1.8.0.1})

Trunk
mozilla1.9alpha1
fixed1.8.1, verified1.8.0.1
Points:
---
Bug Flags:
blocking1.8.1 +
blocking1.8.0.1 +

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

An xml string (ie. "<xml>...</xml>") passed from a flash app via fscommand to
javascript can be parsed into an xml object but that object cannot be accessed.
Any attempt to read it throws the following error:
Error: [Exception... "'Permission denied to get property XMLDocument.firstChild'
when calling method: [FlashIObject::evaluate]"  nsresult: "0x8057001e
(NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>"  data: no]

Reproducible: Always

Steps to Reproduce:
1. Goto: http://www.burningmoth.com/projects/moztest/moztest.html
2. Click on the "Click Me" flash button.
3. There are three steps showing a progression of successful events. If the last
step does not appear, check the JS Console to view the error.

Actual Results:  
The error is thrown. Permissioned denied for xml object. The alert for step
three never appears.

Expected Results:  
One should have permissions to read from and write to the xml document created.

This was not an issue in Firefox 1.0.4. I tested it in Mozilla Seamonkey 1.7.5
and there are no problems. Script works as expected.

Comment 1

12 years ago
If Firefox 1.0.6 on WinXPSP2

Step 1, 2 execute and then 

Error: [Exception... "'Permission denied to get property XMLDocument.firstChild'
when calling method: [FlashIObject::evaluate]"  nsresult: "0x8057001e
(NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>"  data: no]

In DeerPark I get Step 1, then

Error: [Exception... "'Permission denied to call method
DOMParser.parseFromString' when calling method: [FlashIObject::evaluate]" 
nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>" 
data: no]
Assignee: nobody → dbradley
Status: UNCONFIRMED → NEW
Component: General → XPConnect
Ever confirmed: true
Product: Firefox → Core
QA Contact: general → pschwartau
Version: unspecified → 1.0 Branch

Comment 2

12 years ago
I have also encountered a similar error when clicking a link in a Flash in FF
that calls out via fscommand to a script that attempts to create a javascript
Image object. When setting the properties on the object the following error is
thrown and the script fails (example is of setting the id property):

Error: [Exception... "'Permission denied to set property HTMLImageElement.id'
when calling method: [FlashIObject::evaluate]"  nsresult: "0x8057001e
(NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>"  data: no]

Found on:
Windows XP SP2,Windows 2000 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Not an XPConnect issue...

The object principal here is resource://gre/res/hiddenWindow.html (presumably because the script from the plugin that called us is running on the hidden window's safe JS context?).  But the subject principal here is http://www.burningmoth.com/projects/moztest/moztest.html (as expected).

So you get a security exception thrown, since those have different origins...

Note that we do get the right subject principal in ParseFromStream() in the DOMParser.  But we somehow end up with the wrong one in the end on the XMLDocument the DOMParser produces...
Assignee: dbradley → nobody
Component: XPConnect → Plug-ins
QA Contact: pschwartau → plugins
Actually, this is a DOMParser bug all the way....
Assignee: nobody → xml
Component: Plug-ins → XML
OS: Windows 2000 → All
QA Contact: plugins → ashshbhatt
Hardware: PC → All
Summary: xml object parsed from string from flash throws permission denied error when accessed → [FIX]xml object parsed from string from flash throws permission denied error when accessed
Target Milestone: --- → mozilla1.9alpha
Version: 1.0 Branch → Trunk
Created attachment 202338 [details] [diff] [review]
Patch

Ths issue is that the document only gets the principal off the channel owner if StartDocumentLoad resets.  In this case it does not...  We could probably make it reset if we moved the event listener addition to after StartDocumentLoad.  Let me know if you want me to do that instead, ok?
Assignee: xml → bzbarsky
Status: NEW → ASSIGNED
Attachment #202338 - Flags: superreview?(jst)
Attachment #202338 - Flags: review?(jst)
Comment on attachment 202338 [details] [diff] [review]
Patch

Sounds reasonable. r+sr=jst
Attachment #202338 - Flags: superreview?(jst)
Attachment #202338 - Flags: superreview+
Attachment #202338 - Flags: review?(jst)
Attachment #202338 - Flags: review+
Fixed.
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
*** Bug 320567 has been marked as a duplicate of this bug. ***
Comment on attachment 202338 [details] [diff] [review]
Patch

We should get this on the branch, it fixes a DOMParser/document.domain regression since 1.0.x and makes us more compatible with IE/Opera/Safari (see bug 320567).
Attachment #202338 - Flags: approval1.8.0.1?

Comment 10

12 years ago
Do we know what the change is in 1.0.6 that caused the issue?
(In reply to comment #10)
> Do we know what the change is in 1.0.6 that caused the issue?

I don't know, I can't even reproduce this issue in 1.0.6 (maybe needs a specific Flash version?). However, it turns out that bug 320567 is not a regression since 1.0.x (it was broken there too), so I'm fine with dropping this one for 1.8.0.1 after all.
Comment on attachment 202338 [details] [diff] [review]
Patch

not 1.8.0.1, but might be appropriate for 1.8.1 (Firefox 2).
Attachment #202338 - Flags: approval1.8.1+
Attachment #202338 - Flags: approval1.8.0.1?
Attachment #202338 - Flags: approval1.8.0.1-
Note that I'm not sure what the effect of exposing the hidden window security context here is.  That is, whether it can get us in trouble.
Comment on attachment 202338 [details] [diff] [review]
Patch

Fixes bug 320567 and others
Attachment #202338 - Flags: approval1.8.0.1- → approval1.8.0.1?
Fixed on 1.8 branch (just realized this got plussed for there).  Not landed on 1.8.0.1 yet.
Keywords: fixed1.8.1
Comment on attachment 202338 [details] [diff] [review]
Patch

a=dveditz for drivers

Boris clarified comment 13 in mail: "_without_ that patch we end up with objects floating around in the hands of untrusted script that have the hidden window security context, as far as I can see.  _With_ the patch, the XMLDocument handed back from DOMParser has the right principal (that of the calling web page)."

We do believe the hidden window has been de-fanged as a potential source of privilege escalation, but it's never completely safe when things have the wrong principal.
Attachment #202338 - Flags: approval1.8.0.1? → approval1.8.0.1+
Flags: blocking1.8.1+
Flags: blocking1.8.0.1+
Fixed on 1.8.0.x as well.
Keywords: fixed1.8.0.1
verified fixed on the branch using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1. I followed the steps in the reporter's steps to reproduce and everything works fine.
Keywords: fixed1.8.0.1 → verified1.8.0.1
You need to log in before you can comment on or make changes to this bug.