Closed Bug 328697 Opened 15 years ago Closed 15 years ago

[FIX]null deref crash when using a javascript: URI with a chrome XMLHTTPRequest [@ nsJSThunk::EvaluateScript]

Categories: Core :: DOM: Core & HTML, defect, P2

Status: VERIFIED FIXED
Target Milestone: mozilla1.9alpha1

People: Reporter: Gavin, Assigned: bzbarsky


Testcase (needs to be chrome):
var xml = Components.classes["@mozilla.org/xmlextras/xmlhttprequest;1"]
                    .createInstance(Components.interfaces.nsIXMLHttpRequest);
xml.open("GET", "javascript:1;", true); // just "javascript:" (without the
                                        // statement) doesn't crash
xml.send(null);

The principal at:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp&rev=1.119&mark=253,256#245
has a null URI.
Attached file stack
So I assume we should treat having a system principal here as an NS_ERROR_NOT_AVAILABLE or something so we get a null principal, right?
Flags: blocking1.9a1?
Attached patch: Like so, say
Assignee: general → bzbarsky
Status: NEW → ASSIGNED
Attachment #216992 - Flags: superreview?(jst)
Attachment #216992 - Flags: review?(mrbkap)
Priority: -- → P2
Summary: null deref crash when using a javascript: URI with a chrome XMLHTTPRequest → [FIX]null deref crash when using a javascript: URI with a chrome XMLHTTPRequest
Comment on attachment 216992 (Like so, say)

r=mrbkap
Attachment #216992 - Flags: review?(mrbkap) → review+
Comment on attachment 216992 (Like so, say)

sr=jst
Attachment #216992 - Flags: superreview?(jst) → superreview+
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9alpha
I'm seeing this crash on the 1.8 branch, the <image><url>javascript:alert(Components.stack);</url></image> code in http://wargers.org/mozilla/contents.rdf is triggering it when passed through Firefox's feed handling code (that runs in chrome?!). TB18375976E is the stack.
Flags: blocking1.9a1? → blocking1.8.1?
(In reply to comment #7)
> (that runs in chrome?!)

bug 336903 was filed on that.
Comment on attachment 216992 (Like so, say)

Yeah, we should probably fix this on branch too...
Attachment #216992 - Flags: approval-branch-1.8.1?(jst)
Attachment #216992 - Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
Fixed on 1.8 branch.
Keywords: fixed1.8.1
Flags: blocking1.8.1?
Target Milestone: mozilla1.9alpha → mozilla1.8.1
Version: Trunk → 1.8 Branch
*** Bug 340205 has been marked as a duplicate of this bug. ***
Summary: [FIX]null deref crash when using a javascript: URI with a chrome XMLHTTPRequest → [FIX]null deref crash when using a javascript: URI with a chrome XMLHTTPRequest [@ nsJSThunk::EvaluateScript]
Please don't touch my target milestones.
Target Milestone: mozilla1.8.1 → mozilla1.9alpha
Version: 1.8 Branch → Trunk
Comment on attachment 216992 (Like so, say)

I see no reason not to fix this on the 1.8.0 branch too...
Attachment #216992 - Flags: approval1.8.0.5?
Comment on attachment 216992 (Like so, say)

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #216992 - Flags: approval1.8.0.5? → approval1.8.0.5+
Fixed for 1.8.0.5.
Keywords: fixed1.8.0.5
Verified FIXED using Thunderbird version 1.5.0.5 (20060621) and using the steps to reproduce mentioned in bug 340205.
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsJSThunk::EvaluateScript]
Component: DOM → DOM: Core & HTML