Closed
Bug 328697
Opened 18 years ago
Closed 18 years ago
[FIX]null deref crash when using a javascript: URI with a chrome XMLHTTPRequest [@ nsJSThunk::EvaluateScript]
Categories (Core :: DOM: Core & HTML, defect, P2)
Tracking (VERIFIED FIXED, mozilla1.9alpha1)
People (Reporter: Gavin, Assigned: bzbarsky)
Details (4 keywords)
Attachments (2 files)
9.04 KB, text/plain
1.24 KB, patch (mrbkap: review+, jst: superreview+, jst: approval-branch-1.8.1+, dveditz: approval1.8.0.5+)
Testcase (needs to be chrome):

  var xml = Components.classes["@mozilla.org/xmlextras/xmlhttprequest;1"]
                      .createInstance(Components.interfaces.nsIXMLHttpRequest);
  xml.open("GET", "javascript:1;", true); // just "javascript:" (without the
                                          // statement) doesn't crash
  xml.send(null);

The principal at:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp&rev=1.119&mark=253,256#245
has a null URI.
Reporter
Comment 1•18 years ago
Assignee
Comment 2•18 years ago
So I assume we should treat having a system principal here as an NS_ERROR_NOT_AVAILABLE or something so we get a null principal, right?
Assignee
Updated•18 years ago
Flags: blocking1.9a1?
Assignee
Comment 3•18 years ago
Assignee: general → bzbarsky
Status: NEW → ASSIGNED
Attachment #216992 - Flags: superreview?(jst)
Attachment #216992 - Flags: review?(mrbkap)
Assignee
Updated•18 years ago
Priority: -- → P2
Summary: null deref crash when using a javascript: URI with a chrome XMLHTTPRequest → [FIX]null deref crash when using a javascript: URI with a chrome XMLHTTPRequest
Comment 4•18 years ago
Comment on attachment 216992 (Like so, say): r=mrbkap
Attachment #216992 - Flags: review?(mrbkap) → review+
Comment 5•18 years ago
Comment on attachment 216992 (Like so, say): sr=jst
Attachment #216992 - Flags: superreview?(jst) → superreview+
Assignee
Comment 6•18 years ago
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9alpha
Reporter
Comment 7•18 years ago
I'm seeing this crash on the 1.8 branch, the <image><url>javascript:alert(Components.stack);</url></image> code in http://wargers.org/mozilla/contents.rdf is triggering it when passed through Firefox's feed handling code (that runs in chrome?!). TB18375976E is the stack.
Flags: blocking1.9a1? → blocking1.8.1?
Reporter
Comment 8•18 years ago
(In reply to comment #7)
> (that runs in chrome?!)
bug 336903 was filed on that.
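Comment 7 reports a `javascript:` URL taken from feed content reaching this crash through code that runs in chrome. As an added example (not from this bug, its patch, or Mozilla's code), the sketch below vets such a URL against a scheme allowlist after parsing it; the function names, the http(s)-only policy, the `example.org` URLs and all sample values except the one quoted in comment 7 are assumptions.

```javascript
// Added example, not Mozilla code. Policy (an assumption): privileged code
// only fetches http(s) URLs that originate from untrusted feed content.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok, url } or { ok, reason }. The WHATWG URL parser lower-cases
// the scheme and drops leading spaces and embedded tabs/newlines, so the
// check sees the scheme the loader would see, not the raw string prefix.
function vetFetchTarget(raw, base) {
  if (typeof raw !== "string" || raw.trim() === "") {
    return { ok: false, reason: "empty" };
  }
  let url;
  try {
    url = new URL(raw, base); // relative values resolve against the feed URL
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: "scheme " + url.protocol + " not allowed" };
  }
  return { ok: true, url: url.href };
}

// Constructed sample values for a feed's <image><url> element; only the
// second one is quoted from comment 7.
const SAMPLE_URLS = [
  "http://example.org/logo.png",
  "javascript:alert(Components.stack);",
  "JaVaScRiPt:1;",
  " java\tscript:1;",
  "logo.png",
  "data:text/html,x",
];

function vetAll(urls, base) {
  return urls.map((u) => ({ input: u, ...vetFetchTarget(u, base) }));
}

for (const r of vetAll(SAMPLE_URLS, "http://example.org/feed.rdf")) {
  console.log(JSON.stringify(r));
}
```

A plain string-prefix test for `javascript:` would miss the mixed-case and tab-split samples; checking the parsed scheme rejects both.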
Assignee
Comment 9•18 years ago
Comment on attachment 216992 (Like so, say): Yeah, we should probably fix this on branch too...
Attachment #216992 - Flags: approval-branch-1.8.1?(jst)
Updated•18 years ago
Attachment #216992 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
Reporter
Updated•18 years ago
Flags: blocking1.8.1?
Target Milestone: mozilla1.9alpha → mozilla1.8.1
Version: Trunk → 1.8 Branch
Reporter
Comment 11•18 years ago
*** Bug 340205 has been marked as a duplicate of this bug. ***
Reporter
Updated•18 years ago
Summary: [FIX]null deref crash when using a javascript: URI with a chrome XMLHTTPRequest → [FIX]null deref crash when using a javascript: URI with a chrome XMLHTTPRequest [@ nsJSThunk::EvaluateScript]
Assignee
Comment 12•18 years ago
Please don't touch my target milestones.
Target Milestone: mozilla1.8.1 → mozilla1.9alpha
Version: 1.8 Branch → Trunk
Assignee
Comment 13•18 years ago
Comment on attachment 216992 (Like so, say): I see no reason not to fix this on the 1.8.0 branch too...
Attachment #216992 - Flags: approval1.8.0.5?
Comment 14•18 years ago
Comment on attachment 216992 (Like so, say): approved for 1.8.0 branch, a=dveditz for drivers
Attachment #216992 - Flags: approval1.8.0.5? → approval1.8.0.5+
Comment 16•18 years ago
Verified FIXED using Thunderbird version 1.5.0.5 (20060621) and using the steps to reproduce mentioned in bug 340205.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.5 → verified1.8.0.5
Updated•13 years ago
Crash Signature: [@ nsJSThunk::EvaluateScript]
Updated•5 years ago
Component: DOM → DOM: Core & HTML