Closed Bug 354443 Opened 18 years ago Closed 6 years ago

navigator.registerContentHandler doesn't sanity-check type/title args.


(Firefox Graveyard :: RSS Discovery and Preview, defect)

2.0 Branch



(Reporter: dveditz, Unassigned)



(Keywords: sec-other, Whiteboard: [sg:nse])

Spun off from bug 354316 comment 2

navigator.registerContentHandler doesn't sanity-check the type or title arguments (uri arg is handled in bug 354316).

The type should be restricted to the characters that are allowed as a MIME type:
    // reject types that contain characters other than
    // alphanumerics or '.', '-', '+', '/'
    if (contentType.match(/[^-./+a-z0-9]/i) )
         throw("Invalid MIME type");

Maybe there are a few other allowable characters, but it should be a whitelist of good characters rather than an attempt to filter bad ones.

Currently we silently drop non-feed types; the WHATWG spec says we should raise an exception for types we deem privileged like text/html. It'd be odd to raise an exception for some types and not others; we should probably raise an exception no matter the reason we reject the type.

Not sure what checking we should do on the title. It gets saved as a pref and shown in a couple of different dialogs (as text, a listbox, a drop down). We'd want to allow localized text. Maybe just strip out control characters?
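
The checks proposed in the description above, as an added example that is not part of the bug report or of Firefox source. The function names, the privileged-type list, the requirement of a single type/subtype separator, and the trimming and empty-title rejection are all assumptions made for illustration:

```javascript
// Added example, not Firefox code. All names here are hypothetical.

// Allowlist from the report: alphanumerics plus '.', '-', '+', '/'.
// Assumption beyond the report: exactly one '/' between a non-empty
// type and subtype, each starting with an alphanumeric.
const MIME_SHAPE = /^[a-z0-9][-.+a-z0-9]*\/[a-z0-9][-.+a-z0-9]*$/i;

// Assumed list of privileged types; the report names only text/html.
const PRIVILEGED_TYPES = new Set(["text/html"]);

function checkContentType(contentType) {
  if (typeof contentType !== "string" || !MIME_SHAPE.test(contentType)) {
    throw new TypeError("Invalid MIME type");
  }
  const normalized = contentType.toLowerCase();
  // Raise an exception whatever the reason for rejection, never drop silently.
  if (PRIVILEGED_TYPES.has(normalized)) {
    throw new TypeError("MIME type not permitted");
  }
  return normalized;
}

function cleanTitle(title) {
  if (typeof title !== "string") throw new TypeError("Invalid title");
  // \p{Cc} matches Unicode control characters (U+0000-001F, U+007F-009F),
  // so localized text passes through unchanged. Trimming is an assumption.
  const cleaned = title.replace(/\p{Cc}/gu, "").trim();
  if (cleaned === "") throw new TypeError("Empty title");
  return cleaned;
}

function checkHandlerArgs(contentType, title) {
  return { type: checkContentType(contentType), title: cleanTitle(title) };
}

// Constructed sample inputs, not taken from the bug.
const samples = [
  ["application/rss+xml", "Ex\u0007ample Reader"],
  ["application/atom+xml", "フィード\r\nリーダー"],
  ["text/html", "Viewer"],
  ["text/plain; charset=utf-8", "Viewer"],
  ["image/", "Viewer"],
];
for (const [type, title] of samples) {
  try {
    console.log(JSON.stringify(checkHandlerArgs(type, title)));
  } catch (e) {
    console.log(`rejected ${JSON.stringify(type)}: ${e.message}`);
  }
}
```
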
Whiteboard: [sg:nse] reveals bug 354316
Assignee: nobody → dmose
Requesting [wanted-firefox3].
Flags: blocking-firefox3?
Target Milestone: --- → Firefox 3 M10
Flags: blocking-firefox3? → blocking-firefox3-
Whiteboard: [sg:nse] reveals bug 354316 → [wanted-firefox3] [sg:nse] reveals bug 354316
Don't we also need this for the "registerProtocolHandler" API?

Should I make a spin off bug or is this one enough?
Group: security
Whiteboard: [wanted-firefox3] [sg:nse] reveals bug 354316 → [wanted-firefox3] [sg:nse]
ctalbert: spinoff bug would be good here, I think.
Target Milestone: Firefox 3 M10 → ---
Flags: wanted-firefox3+
Whiteboard: [wanted-firefox3] [sg:nse] → [sg:nse]
With a few exceptions, I'm mostly focused on MailCo-related hacking now. Reassigning a bunch of bugs to default component owners. I'm happy to help with brainstorming/advice as needed, however.

Search for the string MAILMONKEY to delete any bugmail generated by this change.
Assignee: dmose → nobody
(In reply to comment #3)
> ctalbert: spinoff bug would be good here, I think.
Sorry, this fell through the cracks. Filed bug 463164.
Depends on: 463164
Depends on: 1398169
As of Bug 1460481 we should WONTFIX this.
Closed: 6 years ago
Resolution: --- → WONTFIX
Product: Firefox → Firefox Graveyard