Closed Bug 328697 Opened 18 years ago Closed 18 years ago

[FIX]null deref crash when using a javascript: URI with a chrome XMLHTTPRequest [@ nsJSThunk::EvaluateScript]

Categories

(Core :: DOM: Core & HTML, defect, P2)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: Gavin, Assigned: bzbarsky)

References

(
URL
)

Details

(4 keywords)

Crash Data

Attachments

(2 files)

stack
9.04 KB, text/plain
Details
Like so, say
1.24 KB, patch
mrbkap
: review+
jst
: superreview+
jst
: approval-branch-1.8.1+
dveditz
: approval1.8.0.5+
Details | Diff | Splinter Review 
Testcase (needs to be chrome):
var xml = Components.classes["@mozilla.org/xmlextras/xmlhttprequest;1"]
                    .createInstance(Components.interfaces.nsIXMLHttpRequest);
xml.open("GET", "javascript:1;", true); // just "javascript:" (without the
                                        // statement) doesn't crash
xml.send(null);

The principal at:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/dom/src/jsurl/nsJSProtocolHandler.cpp&rev=1.119&mark=253,256#245
has a null URI.
Attached file stack 

    
    

    
  
So I assume we should treat having a system principal here as an NS_ERROR_NOT_AVAILABLE or something so we get a null principal, right?

    
  
Flags: blocking1.9a1?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Like so, saySplinter Review
      

    


  
Assignee: general → bzbarsky
Status: NEW → ASSIGNED

        Attachment #216992 -
        Flags: superreview?(jst)

        Attachment #216992 -
        Flags: review?(mrbkap)

    
  
Priority: -- → P2
Summary: null deref crash when using a javascript: URI with a chrome XMLHTTPRequest → [FIX]null deref crash when using a javascript: URI with a chrome XMLHTTPRequest

    
    

    
  
Comment on attachment 216992 [details] [diff] [review]
Like so, say

r=mrbkap

        Attachment #216992 -
        Flags: review?(mrbkap) → review+

    
    

    
  
Comment on attachment 216992 [details] [diff] [review]
Like so, say

sr=jst

        Attachment #216992 -
        Flags: superreview?(jst) → superreview+

    
    

    
  
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9alpha

    
    

    
  
I'm seeing this crash on the 1.8 branch, the <image><url>javascript:alert(Components.stack);</url></image> code in http://wargers.org/mozilla/contents.rdf is triggering it when passed through Firefox's feed handling code (that runs in chrome?!). TB18375976E is the stack.
Flags: blocking1.9a1? → blocking1.8.1?

    
    

    
  
(In reply to comment #7)
> (that runs in chrome?!)

bug 336903 was filed on that.

    
    

    
  
Comment on attachment 216992 [details] [diff] [review]
Like so, say

Yeah, we should probably fix this on branch too...

        Attachment #216992 -
        Flags: approval-branch-1.8.1?(jst)

        Attachment #216992 -
        Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+

    
    

    
  
Fixed on 1.8 branch.
Keywords: fixed1.8.1
Flags: blocking1.8.1?
Target Milestone: mozilla1.9alpha → mozilla1.8.1
Version: Trunk → 1.8 Branch

    
    

    
  
*** Bug 340205 has been marked as a duplicate of this bug. ***
Summary: [FIX]null deref crash when using a javascript: URI with a chrome XMLHTTPRequest → [FIX]null deref crash when using a javascript: URI with a chrome XMLHTTPRequest [@ nsJSThunk::EvaluateScript]

    
    

    
  
Please don't touch my target milestones.
Target Milestone: mozilla1.8.1 → mozilla1.9alpha
Version: 1.8 Branch → Trunk

    
    

    
  
Comment on attachment 216992 [details] [diff] [review]
Like so, say

I see no reason not to fix this on the 1.8.0 branch too...

        Attachment #216992 -
        Flags: approval1.8.0.5?

    
    

    
  
Comment on attachment 216992 [details] [diff] [review]
Like so, say

approved for 1.8.0 branch, a=dveditz for drivers

        Attachment #216992 -
        Flags: approval1.8.0.5? → approval1.8.0.5+

    
    

    
  
Fixed for 1.8.0.5.
Keywords: fixed1.8.0.5

    
    

    
  
Verified FIXED using Thunderbird version 1.5.0.5 (20060621) and using the steps to reproduce mentioned in bug 340205.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.5verified1.8.0.5
Crash Signature: [@ nsJSThunk::EvaluateScript]
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: