Closed
Bug 324630
Opened 19 years ago
Closed 19 years ago
chrome calling content getters (page info -> forms) - at least java trouble
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: guninski, Assigned: Gavin)
References
Details
(Keywords: fixed1.8.0.2, fixed1.8.1)
Attachments
(3 files)
chrome calling content getters (page info -> forms) - at least java trouble
selecting "page info" -> "forms" causes chrome to call content's js getters
on input.value.
this is exploitable for at least creating local files via java on linux.
testcases to follow.
|
Reporter | |
Comment 1•19 years ago
|
||
|
|
Reporter | |
Comment 2•19 years ago
|
||
|
|
Reporter | |
Comment 3•19 years ago
|
||
Comment on attachment 209569 [details]
creating local files
changed mime type
Attachment #209569 -
Attachment mime type: text/plain → text/html
|
|
Reporter | |
Comment 4•19 years ago
|
||
dveditz, can you repoduce?
|
|
Reporter | |
Comment 5•19 years ago
|
||
there seems memory corruption triggered by a side effect of this bug
(at least on linux)
seems X11/graphics related so eventually chrome may not be needed.
if someone else confirm the next attachment will file another bug.
chrome5.html:
Program received signal SIGSEGV, Segmentation fault.
(gdb) info stack
#0 0xffffe410 in ?? ()
#1 0xbfffa764 in ?? ()
#2 0xb74bcff4 in ?? () from /lib/tls/libc.so.6
#3 0xbfffa5c0 in ?? ()
#4 0xb7421296 in nanosleep () from /lib/tls/libc.so.6
#5 0xb742109c in sleep () from /lib/tls/libc.so.6
#6 0x080ab66e in ah_crap_handler (signum=11) at nsSigHandlers.cpp:131
#7 0x080abccb in nsProfileLock::FatalSignalHandler (signo=11)
at nsProfileLock.cpp:210
#8 <signal handler called>
#9 0x08282537 in ns_if_addref<nsIRegion*> (expr=0x66)
at nsISupportsUtils.h:114
#10 0x082824ab in nsDrawingSurfaceGTK::GetLastXftClip (this=0x97d5580,
aLastRegion=0x66)
at /opt/firefox-cvs/mozilla/gfx/src/gtk/nsDrawingSurfaceGTK.cpp:345
#11 0x08278860 in nsFontMetricsXft::PrepareToDraw (this=0x984ea30,
aContext=0x986e508, aSurface=0x97d5580, aDraw=0xbfffdc14,
aColor=@0xbfffab70)
at /opt/firefox-cvs/mozilla/gfx/src/gtk/nsFontMetricsXft.cpp:1514
#12 0x08276d36 in nsFontMetricsXft::DrawString (this=0x984ea30,
|
|
Reporter | |
Comment 6•19 years ago
|
||
|
|
Reporter | |
Comment 7•19 years ago
|
||
timeless: can you please confirm or deny any of the testcases in this bug
i'm still not around , but i suspect alert Components . classes would fail...
but yeah , i'd rather not let a website know when chrome is inspecting it...
|
|
Reporter | |
Comment 9•19 years ago
|
||
for the crash filed bug 325236.
don't claim that Components.classes works, but java seems nasty enough.
|
|
Reporter | |
Comment 10•19 years ago
|
||
the same effect may be achieved via xbl getter.
|
|
Reporter | |
Comment 11•19 years ago
|
||
this seems fixed by bug Bug 325236
|
||
Comment 12•19 years ago
|
||
Fixed by patch for bug 325236.
|
|
||
Updated•19 years ago
|
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
||
Updated•19 years ago
|
Keywords: fixed1.8.0.2
|
|
||
Updated•19 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•