Bug 301678 - [FIX] xml object parsed from string from flash throws permission denied error when accessed
Status: RESOLVED FIXED
Keywords: fixed1.8.1, verified1.8.0.1
Product: Core
Classification: Components
Component: XML
Version: Trunk
Platform: All All
Importance: -- major with 2 votes
Target Milestone: mozilla1.9alpha1
Assigned To: Boris Zbarsky [:bz] (Out June 25-July 6)
QA Contact: Ashish Bhatt
Mentors:
URL: http://www.burningmoth.com/projects/m...
Duplicates: 320567
Depends on:
Blocks:
Reported: 2005-07-22 00:31 PDT by Tarraccas
Modified: 2006-03-12 18:43 PST
Flags: dveditz: blocking1.8.1+, dveditz: blocking1.8.0.1+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Patch (1.37 KB, patch) - 2005-11-08 22:14 PST, Boris Zbarsky [:bz] (Out June 25-July 6)
  jst: review+
  jst: superreview+
  dveditz: approval1.8.0.1+
  dveditz: approval1.8.1+

Description Tarraccas 2005-07-22 00:31:45 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

An xml string (i.e. "<xml>...</xml>") passed from a flash app via fscommand to
javascript can be parsed into an xml object, but that object cannot be accessed.
Any attempt to read it throws the following error:
Error: [Exception... "'Permission denied to get property XMLDocument.firstChild'
when calling method: [FlashIObject::evaluate]"  nsresult: "0x8057001e
(NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>"  data: no]

Reproducible: Always

Steps to Reproduce:
1. Go to: http://www.burningmoth.com/projects/moztest/moztest.html
2. Click on the "Click Me" flash button.
3. There are three steps showing a progression of successful events. If the last
step does not appear, check the JS Console to view the error.

Actual Results:  
The error is thrown. Permission denied for xml object. The alert for step
three never appears.

Expected Results:  
One should have permissions to read from and write to the xml document created.

This was not an issue in Firefox 1.0.4. I tested it in Mozilla Seamonkey 1.7.5
and there are no problems. Script works as expected.
Comment 1 Bob Clary [:bc:] 2005-07-22 01:49:27 PDT
In Firefox 1.0.6 on WinXP SP2

Steps 1, 2 execute and then 

Error: [Exception... "'Permission denied to get property XMLDocument.firstChild'
when calling method: [FlashIObject::evaluate]"  nsresult: "0x8057001e
(NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>"  data: no]

In DeerPark I get Step 1, then

Error: [Exception... "'Permission denied to call method
DOMParser.parseFromString' when calling method: [FlashIObject::evaluate]" 
nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>" 
data: no]
Comment 2 Danny Sehr 2005-10-20 04:25:36 PDT
I have also encountered a similar error when clicking a link in a Flash in FF
that calls out via fscommand to a script that attempts to create a javascript
Image object. When setting the properties on the object the following error is
thrown and the script fails (example is of setting the id property):

Error: [Exception... "'Permission denied to set property HTMLImageElement.id'
when calling method: [FlashIObject::evaluate]"  nsresult: "0x8057001e
(NS_ERROR_XPC_JS_THREW_STRING)"  location: "<unknown>"  data: no]

Found on:
Windows XP SP2, Windows 2000 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Comment 3 Boris Zbarsky [:bz] (Out June 25-July 6) 2005-11-08 22:00:04 PST
Not an XPConnect issue...

The object principal here is resource://gre/res/hiddenWindow.html (presumably because the script from the plugin that called us is running on the hidden window's safe JS context?).  But the subject principal here is http://www.burningmoth.com/projects/moztest/moztest.html (as expected).

So you get a security exception thrown, since those have different origins...

Note that we do get the right subject principal in ParseFromStream() in the DOMParser.  But we somehow end up with the wrong one in the end on the XMLDocument the DOMParser produces...
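The check comment 3 describes, as an added example that is not part of the bug or of Mozilla's code: a toy model of the principal comparison, with each principal represented by the URL it was minted for. The subject principal is the script doing the access, the object principal is the owner of the property being touched, and access is allowed only when both have the same non-opaque origin. The example assumes only the WHATWG URL class (available in Node.js and browsers); the scenario values are the two principals quoted in comment 3.

```javascript
// Toy model of the same-origin principal check from comment 3.
// Added example, not Mozilla code. Assumes the WHATWG URL class.

// Origin of a principal modelled as a URL. Non-special schemes such as
// resource: have an opaque origin, which the URL class reports as "null".
function principalOrigin(spec) {
  return new URL(spec).origin;
}

// Two principals match only when their origins are equal and neither is
// opaque; an opaque origin never matches anything, not even itself.
function sameOrigin(subjectSpec, objectSpec) {
  const a = principalOrigin(subjectSpec);
  const b = principalOrigin(objectSpec);
  if (a === "null" || b === "null") return false;
  return a === b;
}

// Access check made before script may read a property of a DOM object:
// subject principal (the caller) against object principal (the owner).
function checkAccess(subjectPrincipal, objectPrincipal, property) {
  if (!sameOrigin(subjectPrincipal, objectPrincipal)) {
    throw new Error(`Permission denied to get property ${property}`);
  }
  return true;
}

// Constructed scenario using the two principals named in comment 3.
const PAGE = "http://www.burningmoth.com/projects/moztest/moztest.html";
const HIDDEN_WINDOW = "resource://gre/res/hiddenWindow.html";

// Before the fix: the XMLDocument returned by DOMParser carried the hidden
// window's principal, so the page's script is refused.
function accessBeforeFix() {
  try {
    checkAccess(PAGE, HIDDEN_WINDOW, "XMLDocument.firstChild");
    return "allowed";
  } catch (e) {
    return e.message;
  }
}

// After the fix: the document takes the principal of the calling page,
// so the same access passes the check.
function accessAfterFix() {
  checkAccess(PAGE, PAGE, "XMLDocument.firstChild");
  return "allowed";
}

console.log("before fix:", accessBeforeFix());
console.log("after fix: ", accessAfterFix());
```

The model deliberately treats a resource: principal as opaque rather than as a string to compare, which is why even two hidden-window principals do not match each other here; the point is that an object created under the wrong principal is unreachable from the page that asked for it, exactly the symptom in the description.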
Comment 4 Boris Zbarsky [:bz] (Out June 25-July 6) 2005-11-08 22:13:34 PST
Actually, this is a DOMParser bug all the way....
Comment 5 Boris Zbarsky [:bz] (Out June 25-July 6) 2005-11-08 22:14:54 PST
Created attachment 202338 [details] [diff] [review]
Patch

The issue is that the document only gets the principal off the channel owner if StartDocumentLoad resets.  In this case it does not...  We could probably make it reset if we moved the event listener addition to after StartDocumentLoad.  Let me know if you want me to do that instead, ok?
Comment 6 Johnny Stenback (:jst, jst@mozilla.com) 2005-11-15 16:09:53 PST
Comment on attachment 202338 [details] [diff] [review]
Patch

Sounds reasonable. r+sr=jst
Comment 7 Boris Zbarsky [:bz] (Out June 25-July 6) 2005-11-15 19:59:30 PST
Fixed.
Comment 8 Peter Van der Beken [:peterv] 2005-12-19 08:44:12 PST
*** Bug 320567 has been marked as a duplicate of this bug. ***
Comment 9 Peter Van der Beken [:peterv] 2005-12-19 08:50:05 PST
Comment on attachment 202338 [details] [diff] [review]
Patch

We should get this on the branch, it fixes a DOMParser/document.domain regression since 1.0.x and makes us more compatible with IE/Opera/Safari (see bug 320567).
Comment 10 Mike Schroepfer 2005-12-19 16:17:57 PST
Do we know what the change is in 1.0.6 that caused the issue?
Comment 11 Peter Van der Beken [:peterv] 2005-12-21 07:14:12 PST
(In reply to comment #10)
> Do we know what the change is in 1.0.6 that caused the issue?

I don't know, I can't even reproduce this issue in 1.0.6 (maybe needs a specific Flash version?). However, it turns out that bug 320567 is not a regression since 1.0.x (it was broken there too), so I'm fine with dropping this one for 1.8.0.1 after all.
Comment 12 Daniel Veditz [:dveditz] 2006-01-05 12:51:20 PST
Comment on attachment 202338 [details] [diff] [review]
Patch

not 1.8.0.1, but might be appropriate for 1.8.1 (Firefox 2).
Comment 13 Boris Zbarsky [:bz] (Out June 25-July 6) 2006-01-05 13:02:27 PST
Note that I'm not sure what the effect of exposing the hidden window security context here is.  That is, whether it can get us in trouble.
Comment 14 Daniel Veditz [:dveditz] 2006-01-09 09:57:32 PST
Comment on attachment 202338 [details] [diff] [review]
Patch

Fixes bug 320567 and others
Comment 15 Boris Zbarsky [:bz] (Out June 25-July 6) 2006-01-09 13:26:22 PST
Fixed on 1.8 branch (just realized this got plussed for there).  Not landed on 1.8.0.1 yet.
Comment 16 Daniel Veditz [:dveditz] 2006-01-10 16:53:22 PST
Comment on attachment 202338 [details] [diff] [review]
Patch

a=dveditz for drivers

Boris clarified comment 13 in mail: "_without_ that patch we end up with objects floating around in the hands of untrusted script that have the hidden window security context, as far as I can see.  _With_ the patch, the XMLDocument handed back from DOMParser has the right principal (that of the calling web page)."

We do believe the hidden window has been de-fanged as a potential source of privilege escalation, but it's never completely safe when things have the wrong principal.
Comment 17 Boris Zbarsky [:bz] (Out June 25-July 6) 2006-01-10 19:10:41 PST
Fixed on 1.8.0.x as well.
Comment 18 Marcia Knous [:marcia - use ni] 2006-01-11 14:13:46 PST
Verified fixed on the branch using Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1. I followed the reporter's steps to reproduce and everything works fine.