Closed
Bug 335335
Opened 19 years ago
Closed 19 years ago
Fix string URI consumers to use CheckLoadURIStr
Categories
(SeaMonkey :: General, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: bzbarsky, Assigned: csthomas)
References
Details
Attachments
(1 file, 1 obsolete file)
|
2.04 KB,
patch
|
Details | Diff | Splinter Review |
At least the following consumers in Seamonkey code use CheckLoadURI for strings, which we've discovered (in bug 334341) is unsafe:
<method name="onLinkAdded"> in tabbrowser.xml
These should probably be switched to CheckLoadURIStr or something... And other consumers of CheckLoadURI should be checked over.
|
Reporter | |
Updated•19 years ago
|
Flags: blocking-seamonkey1.1a?
Flags: blocking-seamonkey1.0.2?
|
|
||
Comment 1•19 years ago
|
||
We certainly want this fixed for any upcoming release, esp. security releases :)
Flags: blocking-seamonkey1.1a?
Flags: blocking-seamonkey1.1a+
Flags: blocking-seamonkey1.0.2?
Flags: blocking-seamonkey1.0.2+
|
||
Comment 2•19 years ago
|
||
http://developer.mozilla.org/en/docs/Safely_loading_URIs has some information about this. Basically, everything that ends up loading URIs via a docshell should use checkLoadURIStr instead of checkLoadURI to ensure that the fixed up URI is also checked.
|
Assignee | |
Comment 3•19 years ago
|
||
My best guess (well, the other option is to pass href directly, but if we use the uri for the load, might as well use its spec).
Attachment #221771 -
Flags: review?(neil)
|
|
Assignee | |
Comment 4•19 years ago
|
||
Assignee: general → cst
Attachment #221771 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #221776 -
Flags: review?(bzbarsky)
Attachment #221771 -
Flags: review?(neil)
|
|
Reporter | |
Comment 5•19 years ago
|
||
Comment on attachment 221776 [details] [diff] [review]
v2
I'm not a peer for this code. Please don't ask me for review on UI patches, in general...
Attachment #221776 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Updated•19 years ago
|
Attachment #221776 -
Flags: review?(neil)
|
||
Comment 6•19 years ago
|
||
(In reply to comment #2)
>Basically, everything that ends up loading URIs via a docshell should use
>checkLoadURIStr instead of checkLoadURI
Except this URI isn't loading via a docshell, it's the source of an image.
bz: feel free to reopen if I've misunderstood this bug.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
|
|
Reporter | |
Comment 7•19 years ago
|
||
No, if this is loading an image then it's fine.
|
|
||
Updated•19 years ago
|
Attachment #221776 -
Flags: review?(neil)
|
||
Updated•19 years ago
|
Group: security
|
|
Assignee | |
Updated•19 years ago
|
Flags: blocking-seamonkey1.1a+
Flags: blocking-seamonkey1.0.2+
You need to log in
before you can comment on or make changes to this bug.
Description
•