Closed
Bug 328851
Opened 18 years ago
Closed 18 years ago
[FIX]print preview killing browser's chrome
Categories
(Core :: Security, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.9alpha8
People
(Reporter: guninski, Assigned: bzbarsky)
References
(Depends on 1 open bug, )
Details
(Keywords: fixed1.8.1, verified1.8.0.4, Whiteboard: [sg:low])
Attachments
(3 files)
|
1.11 KB,
patch
|
jst
:
review+
brendan
:
superreview+
jst
:
approval-branch-1.8.1+
dveditz
:
approval1.8.0.4+
|
Details | Diff | Splinter Review |
|
811 bytes,
text/xml
|
Details | |
|
448 bytes,
text/html
|
Details |
abuse of print preview and xbl kills browser's chrome and replace it with the print preview one. don't know if it can be used more. demo in the url.
|
Reporter | |
Comment 1•18 years ago
|
||
related to Bug 328469 and Bug 325991. in the description s/used/abused/
|
Assignee | |
Comment 2•18 years ago
|
||
So there are two things going on here:
1) Closing print preview reenables script, then recreates the galley presentation. This runs the XBL constructor, etc. So the JS executes before we've exited print preview. If we do need to reenable script before we restore the galley presentation (seems likely, if XBL is involved), we should probably make sure to finish all UI operations first... or something. Not sure.
2) The access to Components.classes really breaks things. I added some debug code to XPFE to see what's going on:
var webBrowserPrint = this.getWebBrowserPrint();
alert('got here');
try {
webBrowserPrint.exitPrintPreview();
} catch (e) { alert(e); }
alert('got here too');
I see one alert (the "got here") alert. The other alerts do not happen. No code in this function after this point executes. So it feels to me like the JS engine thinks an exception got thrown.. but it's not catchable, etc.
I'm trying to come up with a better testcase for that right now.Assignee: nobody → dveditz
Component: General → Security
Product: Firefox → Core
QA Contact: general → toolkit
|
|
Assignee | |
Comment 3•18 years ago
|
||
Not quite a testcase, but:
data:text/html,<iframe src='javascript:window.location="javascript:Components.classes"; alert("aaa");'></iframe>
In this case I never see an error in the JS console. We do get a false return in nsJSContext::EvaluateString, but when we look for a native call context to notify about the pending exception we don't find one.
Note that if I do s/window/parent/ above then I DO get the error reported, via js_ReportUncaughtException called from JS_EvaluateUCScriptForPrincipals. I don't know why that's not happening correctly in the data: URI above, but I bet that if we figured it out we could fix this bug. ;)|
|
Assignee | |
Comment 4•18 years ago
|
||
So there are several things going on here. First of all, we lose error reports from javascript: URIs. It's not obvious how best to fix that; I've filed bug 328902 on it. After that, the problem is that when we get an error in EvaluateString we set the "exception thrown" boolean on the current XPConnect context... but the current XPConnect context is the one for the chrome call into C++, so chrome gets broken. The safe fix for this is to make sure that NotifyXPCIfExceptionPending() only messes with XPCCallContexts that correspond to the JSContext it gets passed, imo.
Depends on: 328902
|
|
Assignee | |
Comment 5•18 years ago
|
||
This fixes the testcase for me. JS does still run when we exit print preview; Georgi, would you mind filing a separate bug for us to sort out whether that should happen?
Attachment #213513 -
Flags: superreview?(brendan)
Attachment #213513 -
Flags: review?(jst)
Attachment #213513 -
Flags: approval-branch-1.8.1?(jst)
|
|
Assignee | |
Comment 6•18 years ago
|
||
Not sure what other branches we should also take this on...
Assignee: dveditz → bzbarsky
Priority: -- → P1
Summary: print preview killing browser's chrome → [FIX]print preview killing browser's chrome
Target Milestone: --- → mozilla1.9beta
|
||
Comment 7•18 years ago
|
||
Comment on attachment 213513 [details] [diff] [review] Proposed safe fix r=jst
Attachment #213513 -
Flags: review?(jst) → review+
|
||
Comment 8•18 years ago
|
||
Comment on attachment 213513 [details] [diff] [review] Proposed safe fix This looks good, but it implies that we don't need to set the exception pending somewhere else. That seems to be the right thing. Just looking for a way to deduce that other than testing ;-). /be
Attachment #213513 -
Flags: superreview?(brendan) → superreview+
|
|
Assignee | |
Comment 9•18 years ago
|
||
See bug 328902 -- I think the call to NotifyXPCIfExceptionPending() is just wrong in this case. I could add a warning if cx != aCx if you'd like...
|
|
Assignee | |
Comment 10•18 years ago
|
||
Fixed on trunk. Still not sure how much we want this for branches...
|
|
Assignee | |
Updated•18 years ago
|
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
|
||
Comment 11•18 years ago
|
||
No, no need for a warning if we understand what's going wrong and are tracking it already via bug 328902. /be
|
|
Reporter | |
Comment 12•18 years ago
|
||
cloning the attachmets here to make the bug self contained
|
|
Reporter | |
Comment 13•18 years ago
|
||
cloning the attachments here to make the bug self contained
|
|
Reporter | |
Comment 14•18 years ago
|
||
bz fixed the bug (or at least kludged it) on today's suite trunk. chrome no longer killed. got assertion: ###!!! ASSERTION: no document: 'doc', file nsXULElement.cpp, line 2205 will file a bug about the js execution later, investigating.
|
|
Reporter | |
Comment 15•18 years ago
|
||
(In reply to comment #5) > JS does still run when we exit print preview; a reason for this may be because of redraw - print preview seems to occupy the browser window. but if this is the case it is strange why the system exploit worked. on todays trunk js doesn work after print preview when js is disabled (it used to before) > Georgi, would you mind filing a separate bug for us to sort out whether that > should happen? > filed Bug 328961 with a testcase when js shouldn't work when print previewing a message on latest suite trunk
|
|
Assignee | |
Comment 16•18 years ago
|
||
> ###!!! ASSERTION: no document: 'doc', file nsXULElement.cpp, line 2205
Known thing; always happens when leaving preview. :(
|
|
||
Updated•18 years ago
|
Attachment #213513 -
Flags: approval-branch-1.8.1?(jst) → approval-branch-1.8.1+
|
|
Assignee | |
Comment 17•18 years ago
|
||
Is this something we should fix on the 1.8.0 and 1.7.* branches? Fixed on the 1.8 branch.
|
||
Updated•18 years ago
|
Flags: blocking1.8.0.3? → blocking1.8.0.3+
|
|
Assignee | |
Updated•18 years ago
|
Attachment #213513 -
Flags: approval1.8.0.3?
|
|
||
Comment 18•18 years ago
|
||
Comment on attachment 213513 [details] [diff] [review] Proposed safe fix approved for 1.8.0 branch, a=dveditz for drivers
Attachment #213513 -
Flags: approval1.8.0.3? → approval1.8.0.3+
|
|
Assignee | |
Updated•18 years ago
|
Keywords: fixed1.8.0.3
|
||
Comment 19•18 years ago
|
||
verified with: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060505 Firefox/1.5.0.4
Keywords: fixed1.8.0.4 → verified1.8.0.4
|
|
||
Comment 20•18 years ago
|
||
This is more of a Denial of Service problem now (as opposed to the more critical issue in bug 328469 where this testcase comes from), right? Please correct me if sg:low is not appropriate.
Whiteboard: [sg:low]
|
|
Reporter | |
Comment 21•18 years ago
|
||
(In reply to comment #20) > This is more of a Denial of Service problem now (as opposed to the more > critical issue in bug 328469 where this testcase comes from), right? Please > correct me if sg:low is not appropriate. > i don't mind sg:low. bug 328469 where this testcase comes from is dangerous.
|
|
||
Updated•18 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•