Closed
Bug 352465
Opened 18 years ago
Closed 18 years ago
"open a blocked popup" feature uses the global window as the opener for blocked popups (variant of bug 343175)
Categories
(SeaMonkey :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: Gavin, Assigned: csthomas)
References
()
Details
(Keywords: fixed-seamonkey1.0.8, fixed-seamonkey1.1.1, Whiteboard: [sg:moderate?])
Attachments
(3 files, 3 obsolete files)
219 bytes,
text/html
|
Details | |
177 bytes,
text/html
|
Details | |
8.19 KB,
patch
|
neil
:
review+
kairo
:
approval-seamonkey1.0.8+
kairo
:
approval-seamonkey1.1.1+
|
Details | Diff | Splinter Review |
SeaMonkey is still vulnerable to the XSS exploit reported in bug 343175, because it always uses the topmost window as the opener for blocked popups, instead of the window that originally tried to open the popup.
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/xpfe/browser/resources/content/navigator.js&rev=1.596&mark=2442#2439
The testcase in bug 343175 does not work, since the frame injection bug that it uses (bug 343168) was also fixed. I will attach a new testcase.
I tested the 1.0.5 candidate build, 1.8 branch and trunk builds should be equally affected.
Reporter | ||
Comment 1•18 years ago
|
||
Reporter | ||
Comment 2•18 years ago
|
||
Reporter | ||
Comment 3•18 years ago
|
||
To test this bug, load https://recluse.mozilla.org/attachment.cgi?id=238154 .
Expected results: "My opener was bugzilla.mozilla.org"
Actual results: "My opener was recluse.mozilla.org"
Reporter | ||
Comment 4•18 years ago
|
||
I'd ask for blocking-seamonkey1.0.6 if that flag existed - I don't really think this is critical enough to block the 1.0.5 release at this stage.
Comment 5•18 years ago
|
||
jst, any idea why nsGlobalWindow::FireAbuseEvents doesn't fire the events on the document of the window that tried to open the blocked popup? Instead the UI code has to grovel through the frameset looking for a window that it thinks matches..
Comment 6•18 years ago
|
||
FireAbuseEvents fires on the window on which open() was called... Generally, detecting which window _originated_ the load is Hard.
Flags: blocking-seamonkey1.5a?
Flags: blocking-seamonkey1.1b?
Flags: blocking-seamonkey1.0.6?
Reporter | ||
Comment 7•18 years ago
|
||
This should be easier to fix once bug 354973 is fixed.
Flags: blocking-seamonkey1.0.6? → blocking-seamonkey1.0.7?
Reporter | ||
Comment 8•18 years ago
|
||
Were the blocking-seamonkey-*? flags on this bug ignored because the people driving SeaMonkey releases can't see this bug?
Flags: blocking-seamonkey1.1b? → blocking-seamonkey1.1?
Comment 9•18 years ago
|
||
Neil and biesi can see these bugs.
http://wiki.mozilla.org/SeaMonkey:Project_Organization
Reporter | ||
Comment 10•18 years ago
|
||
I know that Neil and biesi are in the security group, but I made the (perhaps incorrect) assumption based on bugmail that KaiRo and CTho are the ones that deal with most SeaMonkey blocking requests, so I thought that might explain why this bug's blocking nominations weren't dealt with. I see now that they were made about 2 days before the associated releases, though, so I guess it probably wouldn't have mattered either way.
Assignee | ||
Comment 11•18 years ago
|
||
dveditz, neil, I don't really care who reviews and who superreviews. neil, I'm not sure if dveditz actually wants to review this.
Assignee: general → cst
Status: NEW → ASSIGNED
Attachment #248805 -
Flags: superreview?(neil)
Attachment #248805 -
Flags: review?(dveditz)
Assignee | ||
Comment 12•18 years ago
|
||
Comment on attachment 248805 [details] [diff] [review]
patch
It's important to have prefs set the right way when testing patches :(
Attachment #248805 -
Attachment is obsolete: true
Attachment #248805 -
Flags: superreview?(neil)
Attachment #248805 -
Flags: review?(dveditz)
Assignee | ||
Comment 13•18 years ago
|
||
This depends on attachment 245720 [details] [diff] [review]. Unfortunately I can't test it, as that patch is in some garbage format that patch doesn't understand, and it's way too much to hack in by hand.
Attachment #248808 -
Flags: superreview?(neil)
Attachment #248808 -
Flags: review?(dveditz)
Comment 14•18 years ago
|
||
(In reply to comment #8)
>Were the blocking-seamonkey-*? flags on this bug ignored because the people
>driving SeaMonkey releases can't see this bug?
Personally I was waiting on the fix to what turned out to be bug 354973.
Reporter | ||
Comment 15•18 years ago
|
||
(In reply to comment #14)
> Personally I was waiting on the fix to what turned out to be bug 354973.
That's fine, I'm just asking because the blocking flag was neither denied nor granted, which made it seem as though it was being ignored. When I made that comment, I didn't realize the blocking request was made so close to the release.
Comment 16•18 years ago
|
||
Is it correct that this is not fixed in Firefox 1.5.0.9 and 2.0.0.1 yet? If so, we can probably ship the already tagged SeaMonkkey 1.0.7 unfixed and include a fix in 1.1 and 1.0.8
Reporter | ||
Comment 17•18 years ago
|
||
(In reply to comment #16)
> Is it correct that this is not fixed in Firefox 1.5.0.9 and 2.0.0.1 yet?
Yes, that's correct. If I knew that the next releases were this close I probably wouldn't have asked for blocking.
Comment 18•18 years ago
|
||
Comment on attachment 248808 [details] [diff] [review]
patch v2
Wrong sort of popup event!
You need to save the name etc. from onPopupBlocked() - it might be simpler to save the whole event (ask jst if that's reasonable).
Attachment #248808 -
Flags: superreview?(neil) → superreview-
Comment 19•18 years ago
|
||
As Firefox does not ship a fix yet, this should be pushed out to the next releases, but it really blocks those.
Flags: blocking-seamonkey1.1?
Flags: blocking-seamonkey1.1.1+
Flags: blocking-seamonkey1.1-
Flags: blocking-seamonkey1.0.8+
Flags: blocking-seamonkey1.0.7?
Assignee | ||
Comment 20•18 years ago
|
||
Neil, I'm not sure what erroneous code you wanted me to remove. Sorry. I cleaned up various whitespace stuff in nearby code.
Attachment #248808 -
Attachment is obsolete: true
Attachment #249816 -
Flags: superreview?(neil)
Attachment #249816 -
Flags: review?(neil)
Attachment #248808 -
Flags: review?(dveditz)
Comment 21•18 years ago
|
||
Comment on attachment 249816 [details] [diff] [review]
patch v3
>- separator.hidden = !createShowPopupsMenu(event.target);
>+ separator.hidden = !createShowPopupsMenu(event);
> }
>
>-function createShowPopupsMenu(parent) {
>+function createShowPopupsMenu(event)
>+{
>+ var parent = event.target;
This was the spurious change that you don't need.
> while (parent.lastChild && parent.lastChild.hasAttribute("uri"))
> parent.removeChild(parent.lastChild);
Now that you no longer set the uri attribute you need another way to detect your dynamically added menuitems (none of which have ids for instance).
>- if (popupUrls.length == 0)
>+ if (popups.length == 0)
This was the whitespace change that I was looking for :-)
>+ var popup = target.popup;
popup doesn't always exist (see above).
>+ var reqWin = popup.reqWin;
>+ var uri = popup.url.spec;
>+ if (reqWin && reqWin.document == popup.reqDoc && uri) {
reqWin and uri will always exist if popup does.
>+ reqWin.open(uri, popup.name, popup.features); /// trunk-only???? (for name... s/popup.name/""/ ?)
/// ????
Attachment #249816 -
Flags: superreview?(neil)
Attachment #249816 -
Flags: superreview+
Attachment #249816 -
Flags: review?(neil)
Attachment #249816 -
Flags: review-
Assignee | ||
Comment 22•18 years ago
|
||
Attachment #249816 -
Attachment is obsolete: true
Attachment #250015 -
Flags: review?(neil)
Updated•18 years ago
|
Attachment #250015 -
Flags: review?(neil) → review+
Assignee | ||
Updated•18 years ago
|
Attachment #250015 -
Flags: approval-seamonkey1.1.1?
Attachment #250015 -
Flags: approval-seamonkey1.0.8?
Assignee | ||
Updated•18 years ago
|
Assignee: general → cst
Assignee | ||
Updated•18 years ago
|
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Comment 24•18 years ago
|
||
Comment on attachment 250015 [details] [diff] [review]
v4
a=me for 1.0.8 and 1.1.1
Attachment #250015 -
Flags: approval-seamonkey1.1.1?
Attachment #250015 -
Flags: approval-seamonkey1.1.1+
Attachment #250015 -
Flags: approval-seamonkey1.0.8?
Attachment #250015 -
Flags: approval-seamonkey1.0.8+
Updated•18 years ago
|
Flags: blocking-seamonkey1.5a?
Updated•18 years ago
|
Whiteboard: [sg:moderate?]
Assignee | ||
Comment 25•18 years ago
|
||
Landed on both branches.
Keywords: fixed-seamonkey1.0.8,
fixed-seamonkey1.1.1
Comment 26•18 years ago
|
||
This broke popup unblocking on the 1.8.0 branch. There are no menu items for unblocking and the context menu for the blocker icon is just a tiny square.
Comment 27•18 years ago
|
||
Is there a bug on that? That should block upcoming releases...
Assignee | ||
Comment 28•18 years ago
|
||
I may have merged incorrectly... 1.8.0 differed from trunk much more than 1.8 did. I'll look into it in a few minutes.
Assignee | ||
Comment 29•18 years ago
|
||
- var popup = popups[i];
+ var popup = browser.popups[i];
<CTho> NeilAway: do i need r/a, or just land it as bustage fix?
<NeilAway> CTho: just land it
Fixed.
Updated•18 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•