Last Comment Bug 355126 - (CVE-2008-5012) stealing pictures via canvas and http redirect
(CVE-2008-5012)
: stealing pictures via canvas and http redirect
Status: RESOLVED FIXED
[sg:high]
: verified1.8.1.18, verified1.8.1.19, verified1.9.0.5
Product: Core
Classification: Components
Component: Canvas: 2D (show other bugs)
: 1.8 Branch
: All All
: -- normal (vote)
: ---
Assigned To: Joe Drew (not getting mail)
:
:
Mentors:
Depends on: 89419 397524
Blocks: 451619
  Show dependency treegraph
 
Reported: 2006-10-02 06:28 PDT by georgi - hopefully not receiving bugspam
Modified: 2009-01-09 12:56 PST (History)
17 users (show)
dveditz: blocking1.9.0.5+
dveditz: wanted1.9.0.x+
dveditz: blocking1.8.1.18+
dveditz: blocking1.8.1.19+
dveditz: wanted1.8.1.x+
asac: blocking1.8.0.next-
asac: wanted1.8.0.x-
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
stealing porn - won't work from bugzilla, needs /cgi-bin/re.pl (cgi that does http redirect) (1.07 KB, text/html)
2006-10-02 06:29 PDT, georgi - hopefully not receiving bugspam
no flags Details
1.8 fix (6.42 KB, patch)
2008-10-27 18:17 PDT, Joe Drew (not getting mail)
no flags Details | Diff | Splinter Review
safer fix (13.51 KB, patch)
2008-10-28 17:47 PDT, Joe Drew (not getting mail)
bzbarsky: review+
pavlov: superreview+
dveditz: approval1.8.1.18+
Details | Diff | Splinter Review
patch to fix 89419 on 1.9.0 (9.97 KB, patch)
2008-10-30 10:41 PDT, Joe Drew (not getting mail)
pavlov: superreview+
Details | Diff | Splinter Review
Chain the event sink requests - 1.8 (5.66 KB, patch)
2008-11-19 14:46 PST, Joe Drew (not getting mail)
bzbarsky: review-
Details | Diff | Splinter Review
Fix bug 89419 + chain event requests - 1.9.0 (11.00 KB, patch)
2008-11-19 14:48 PST, Joe Drew (not getting mail)
no flags Details | Diff | Splinter Review
Address review comments - 1.8.0 (6.48 KB, patch)
2008-11-20 13:17 PST, Joe Drew (not getting mail)
no flags Details | Diff | Splinter Review
Address review comments - 1.9.0 (11.78 KB, patch)
2008-11-20 14:41 PST, Joe Drew (not getting mail)
bzbarsky: review+
Details | Diff | Splinter Review
Fix bug in previous patch - 1.8 (6.86 KB, patch)
2008-11-20 14:43 PST, Joe Drew (not getting mail)
bzbarsky: review+
Details | Diff | Splinter Review
Fix bugs in previous patch - 1.8 (6.06 KB, patch)
2008-11-21 15:43 PST, Joe Drew (not getting mail)
bzbarsky: review+
pavlov: superreview+
dveditz: approval1.8.1.19+
Details | Diff | Splinter Review
Fix bugs in previous patch - 1.9.0 (11.21 KB, patch)
2008-11-21 15:44 PST, Joe Drew (not getting mail)
bzbarsky: review+
pavlov: superreview+
dveditz: approval1.9.0.5+
Details | Diff | Splinter Review
Fix reftest failures (2.90 KB, patch)
2008-11-25 23:21 PST, Joe Drew (not getting mail)
bzbarsky: review+
pavlov: superreview+
samuel.sidler+old: approval1.9.0.5+
Details | Diff | Splinter Review
Fix for 1.8.0 version (9.95 KB, patch)
2008-12-08 03:50 PST, Jan Horak
bzbarsky: review-
Details | Diff | Splinter Review
Fix for 1.8.0 version, without nsCanvasRenderingContext2D changes (12.76 KB, patch)
2008-12-09 02:31 PST, Jan Horak
bzbarsky: review-
Details | Diff | Splinter Review

Description georgi - hopefully not receiving bugspam 2006-10-02 06:28:02 PDT
stealing pictures via canvas and http redirect

using a canvases, drawImage, toDataURL and an image that is redirected 
via the http protocolit is possible to get the content of arbitrary 
accessible http images.

affects both trunk and 2.0 branch.

testcase to follow.
Comment 1 georgi - hopefully not receiving bugspam 2006-10-02 06:29:34 PDT
Created attachment 240929 [details]
stealing porn - won't work from bugzilla, needs /cgi-bin/re.pl (cgi that does http redirect)
Comment 2 Vladimir Vukicevic [:vlad] [:vladv] 2006-10-02 23:33:31 PDT
Ugh.  So the nsIImageLoadingContent instance seems to return the current URI to be whatever the original load of the image came from, not what the HTTP redirect sent it off to?  Or am I misunderstanding the bug -- I assume that re.pl is supposed to just send back a HTTP 302 redirect to the given URL?
Comment 3 georgi - hopefully not receiving bugspam 2006-10-03 00:13:51 PDT
(In reply to comment #2)
> I assume that
> re.pl is supposed to just send back a HTTP 302 redirect to the given URL?

this is correct. a sample re.pl (tested on apache 1.3):
-----------
#!/usr/bin/perl -w
if (! defined($ARGV[0])) {print "Location: about:blank\r\n\r\n";exit(1)};
print "Location: " . $ARGV[0] . "\r\n\r\n";
-----------


Comment 4 georgi - hopefully not receiving bugspam 2006-10-05 08:19:19 PDT
when right clicking on a redirected image, properties show the first url and not the redirected one.
Comment 5 chris hofmann 2008-01-16 13:14:49 PST
should this be nominated for fx3/blcoking1.9 ?

any ideas on the sg: level?

so is one form of the attack, to put up content on a social networking site that loads images from from evil.com without informing the user of the image location?
Comment 6 georgi - hopefully not receiving bugspam 2008-01-17 01:28:08 PST
(In reply to comment #5)
> so is one form of the attack, to put up content on a social networking site
> that loads images from from evil.com without informing the user of the image
> location?
> 

the most interesting attack i can think of is:
suppose you have web server "p0rn" in your intranet and it is not accessible from the internet. images with known names can be read from "p0rn" and then sent back.
Comment 7 georgi - hopefully not receiving bugspam 2008-01-17 01:43:31 PST
this is fixed on trunk, latest branch is vulnerable.

note that variants of this have great exploiting potential.

1st, it possible to do transforms on any images, it is not possible to retrieve the result - this is dumb imho.

2nd, if someone innocently adds |image| interface to some interesting element, the element probably may be stolen - i am unsuccessfully trying svg attacks
Comment 8 georgi - hopefully not receiving bugspam 2008-01-31 23:19:08 PST
[sg:high] per definition
 * High: Vulnerability can be used to gather sensitive data from
         sites in other windows or inject data or code into those
         sites, requiring no more than normal browsing actions.
Comment 9 Daniel Veditz [:dveditz] 2008-02-14 15:36:41 PST
Was there a specific trunk fix we could back-port?
Comment 10 georgi - hopefully not receiving bugspam 2008-02-17 01:22:07 PST
according to a binary search the fixing range is:
20071108
20071109

this leads to:
Bug 397524 – [FIX]Canvas security checks should use principals, not URIs
Comment 11 Boris Zbarsky [:bz] (still a bit busy) 2008-02-17 10:56:46 PST
The easiest thing for branch here might be to expose the "final" URI (if different from the original) on images and use that in canvas.  Backporting bug 397524 is a bit of a hassle, since it relies on various other principal changes (to avoid too much memory usage), etc...
Comment 12 Jesse Ruderman 2008-08-23 00:59:28 PDT
Chris Evans discovered this bug independently: bug 451619.

He and Michal Zalweski came up with some interesting attack scenarios.  They are sad that this security bug has been known but not fixed (on the Firefox 2 branch) for almost two years.
Comment 13 Boris Zbarsky [:bz] (still a bit busy) 2008-08-25 09:52:47 PDT
So can we find someone to do comment 11?  It'll involve 4 bytes bloat per image to avoid changing interfaces, or porting a lot more of the deps of bug 397524.  I guess the first question is how the imagelib owner feels about the former, right?  pav?
Comment 14 Vladimir Vukicevic [:vlad] [:vladv] 2008-08-25 11:11:31 PDT
I think it would be enough to just mark the image if it was redirected, and let canvas check if a redirect happened at all, if it's not that easy to get the final URI on the image.
Comment 15 Boris Zbarsky [:bz] (still a bit busy) 2008-08-25 11:29:35 PDT
Well, the only place to get it is from the final channel, which is only known to imagelib.  So imagelib needs to expose that information.

That's probably no harder than exposing whether a redirect happened (something else only imagelib knows).
Comment 16 Stuart Parmenter 2008-08-25 12:47:16 PDT
sure!
Comment 17 Boris Zbarsky [:bz] (still a bit busy) 2008-10-10 19:52:53 PDT
Joe, can you take a look at the imagelib end of this?  Note bug 451619 comment 7, which sort of means we want to get it into all of the upcoming branch security releases in a few weeks...
Comment 18 Joe Drew (not getting mail) 2008-10-20 20:07:57 PDT
This bug (and non-security bug 458845) is fixed by the patch to bug 89419. I presume that bug 451619 is similarly fixed, but moz-icon has been patched (it seems) so all I get are 

Security Error: Content at http://lcamtuf.coredump.cx/ico_sniff2.cgi/foo.QPQP1919 may not load or link to moz-icon://lcamtuf.coredump.cx//foo.QPQP1919?size=8.

errors.
Comment 19 Boris Zbarsky [:bz] (still a bit busy) 2008-10-21 04:29:08 PDT
Joe, did you t
Comment 20 Boris Zbarsky [:bz] (still a bit busy) 2008-10-21 04:30:41 PDT
er, I meant:

Joe, did you test bug 451619 with your changes on 1.8 branch?
Comment 21 Boris Zbarsky [:bz] (still a bit busy) 2008-10-21 04:34:03 PDT
That is, we need to fix this bug (and bug 451619) on trunk, 1.9.0, and 1.8.1.  This might require three completely different patches, of course. :(
Comment 22 georgi - hopefully not receiving bugspam 2008-10-21 05:40:52 PDT
>That is, we need to fix this bug (and bug 451619) on trunk, 1.9.0, and 1.8.1. 

hm, iirc it is just 1.8 branch that is unfixed.
Comment 23 Boris Zbarsky [:bz] (still a bit busy) 2008-10-21 06:15:00 PDT
Oh, right, since we use the channel principal on trunk.  OK.
Comment 24 Joe Drew (not getting mail) 2008-10-27 13:50:39 PDT
(In reply to comment #20)
> Joe, did you test bug 451619 with your changes on 1.8 branch?

I did not. The fix as-is doesn't apply to 1.8 anyways.
Comment 25 Joe Drew (not getting mail) 2008-10-27 18:17:59 PDT
Created attachment 345035 [details] [diff] [review]
1.8 fix

This is a version of the patch for bug 89419 as ported to current 1.8 trunk. It continues to fix this bug, and as far as I can tell is the minimum set of code that will fix this bug properly.
Comment 26 Boris Zbarsky [:bz] (still a bit busy) 2008-10-27 21:55:59 PDT
For branch it might be better to expose the post-redirect URI via an nsISomething2 instead of making an API change...
Comment 27 Joe Drew (not getting mail) 2008-10-28 17:47:17 PDT
Created attachment 345208 [details] [diff] [review]
safer fix

Boris points out that we shouldn't be changing any part of the interface in a stable release, so this patch goes to great strains not to change the interface. It still fixes bug 89419, but that part can be removed from imgRequest::OnChannelRedirect if we want to, and the fix to this bug should still work.
Comment 28 Boris Zbarsky [:bz] (still a bit busy) 2008-10-28 22:31:55 PDT
Comment on attachment 345208 [details] [diff] [review]
safer fix

Looks great to me
Comment 29 Stuart Parmenter 2008-10-28 22:35:10 PDT
Comment on attachment 345208 [details] [diff] [review]
safer fix

looks good here too, although we should really test this a bunch
Comment 30 Daniel Veditz [:dveditz] 2008-10-28 23:19:04 PDT
Comment on attachment 345208 [details] [diff] [review]
safer fix

approved for 1.8.1.18, a=dveditz

Let's land this and get some testing, then.
Comment 31 Samuel Sidler (old account; do not CC) 2008-10-29 07:30:38 PDT
Joe, can you get this landed as soon as possible?
Comment 32 Joe Drew (not getting mail) 2008-10-30 10:41:57 PDT
Created attachment 345515 [details] [diff] [review]
patch to fix 89419 on 1.9.0

While this bug doesn't exist in 1.9.0 and 1.9.1, attachment 345208 [details] [diff] [review] also fixes bug 89419 in 1.8. I'd really like it if upgrading from Firefox 2.0.0.18 to 3.0.x didn't regress any functionality, so this is a patch to fix bug 89419 in 1.9.0.

Sam/Daniel, is this something we'd accept in a dot release before another MU offer?
Comment 33 Samuel Sidler (old account; do not CC) 2008-10-31 13:35:20 PDT
Comment on attachment 345515 [details] [diff] [review]
patch to fix 89419 on 1.9.0

We'll decide at our next triage session. I'm guessing there are enough changes between the 1.8 and 1.9 versions of this patch that it'll need additional review though. Correct?
Comment 34 Boris Zbarsky [:bz] (still a bit busy) 2008-11-02 10:38:15 PST
If we want to store the channel and we're listening for redirects anyway, should we just stop doing the loadgroup thing we're doing now?  I thought we only did that so that we wouldn't have to listen for redirects...
Comment 35 Samuel Sidler (old account; do not CC) 2008-11-03 11:55:05 PST
Comment on attachment 345515 [details] [diff] [review]
patch to fix 89419 on 1.9.0

We'd like to take this in 1.9.0.5. Please request approval after it gets reviewed.
Comment 36 Joe Drew (not getting mail) 2008-11-03 13:09:38 PST
bz, can you post a similar question to bug 89419? I think I'd prefer to do the most conservative change in 1.9.0, with a more full/correct change in 1.9.1.
Comment 37 Boris Zbarsky [:bz] (still a bit busy) 2008-11-03 20:36:49 PST
Ok, makes sense.  I made that comment there.
Comment 38 Boris Zbarsky [:bz] (still a bit busy) 2008-11-03 21:25:40 PST
Does that patch clobber the callbacks on a channel passed to LoadImageWithChannel?  (Same question for the 1.8 branch patch, actually, now that I think of it.)
Comment 39 Al Billings [:abillings] 2008-11-04 13:14:30 PST
So I tested this with 1.8.1.17 and the 1.8.1.18 final build and it seems to be fixed. The testcase, rather than telling me it has pr0n, gives me the following security exception as an alert:

exc=[Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "<url to my test page> Line: 17"

I assume that is is correct but can someone more familiar with the fix confirm?
Comment 40 Joe Drew (not getting mail) 2008-11-04 14:51:53 PST
Yep, that's the correct behaviour. (It means that canvas.toDataURL wasn't allowed.)
Comment 41 Al Billings [:abillings] 2008-11-04 15:35:37 PST
Marking verified then and resolving this as fixed.
Comment 42 Daniel Veditz [:dveditz] 2008-11-12 18:09:50 PST
Although not a security bug on Firefox 3, we need to fix bug 89419 there or else users will have the bug fixed in 2.0.0.18, broken again in 3, and then fixed in 3.1.
Comment 43 Samuel Sidler (old account; do not CC) 2008-11-12 22:21:47 PST
Joe/Boris: What more needs to happen here? (comment 38, I'm guessing.) Code freeze is on Monday, which is ever-approaching.
Comment 44 Boris Zbarsky [:bz] (still a bit busy) 2008-11-13 07:31:55 PST
Yeah, the review is pending an answer to the question in comment 38.
Comment 45 Joe Drew (not getting mail) 2008-11-13 15:18:09 PST
Yeah, that's true for both 1.8 and this 1.9 patch.
Comment 46 Boris Zbarsky [:bz] (still a bit busy) 2008-11-13 16:50:06 PST
Then we should probably pass calls along to the existing callbacks instead of just clobbering them.  Otherwise we can get weird bugs with extensions...

I really wish I'd caught that in the 2.x patch.  :(
Comment 47 Samuel Sidler (old account; do not CC) 2008-11-13 17:43:53 PST
Never too late to fix it (well, after this release it will be).

Joe, can we get a new patch for 1.9.0 *and* a patch to fix 1.8.1 per comment 46?
Comment 48 Joe Drew (not getting mail) 2008-11-19 14:46:24 PST
Created attachment 349048 [details] [diff] [review]
Chain the event sink requests - 1.8
Comment 49 Joe Drew (not getting mail) 2008-11-19 14:48:25 PST
Created attachment 349049 [details] [diff] [review]
Fix bug 89419 + chain event requests - 1.9.0
Comment 50 Joe Drew (not getting mail) 2008-11-19 14:50:12 PST
Please check the interdiff between attachment 345515 [details] [diff] [review] and attachment 349049 [details] [diff] [review]. It should be functionally equivalent to attachment 349048 [details] [diff] [review].
Comment 51 Boris Zbarsky [:bz] (still a bit busy) 2008-11-20 10:58:13 PST
Comment on attachment 349048 [details] [diff] [review]
Chain the event sink requests - 1.8

>Index: modules/libpr0n/src/imgRequest.cpp
>+void imgRequest::SetChannel(nsIChannel *aChannel)
>+  if (mChannel) {
>+    nsCOMPtr<nsIInterfaceRequestor> requestor(do_QueryInterface(mPrevChannelSink));

There's no particular reason this should work.  getInterface can't be inverted by queryInterface...

You probably want to store the old callbacks and just getInterface in OnChannelRedirect as needed.

You also need to proxy over getInterface calls for interfaces you're not doing yourself (so everything but nsIChannelEventSink, I would think).

>+      requestor->GetInterface(NS_GET_IID(nsIChannelEventSink),

do_GetInterface, please.

>@@ -641,17 +666,20 @@ NS_IMETHODIMP imgRequest::OnStartRequest
>     else
>-      mChannel = do_QueryInterface(aRequest);
>+    {

Follow file style here?

> imgRequest::OnChannelRedirect(nsIChannel *oldChannel, nsIChannel *newChannel, PRUint32 flags)
>+    rv = mPrevChannelSink->OnChannelRedirect(oldChannel, newChannel, flags);

If that fails, don't you want to bail out right away, since the redirect won't be happening?

>-  mChannel = newChannel;
>-  mChannel->SetNotificationCallbacks(this);
>+  SetChannel(nsnull);

s/nsnull/newChannel/?  On trunk worth adding a test that would catch this.

Let's get this diff right and then do the 1.9.x one accordingly; I'm assuming it basically mirrors this one.
Comment 52 Joe Drew (not getting mail) 2008-11-20 13:12:54 PST
(In reply to comment #51)
> (From update of attachment 349048 [details] [diff] [review])
> > imgRequest::OnChannelRedirect(nsIChannel *oldChannel, nsIChannel *newChannel, PRUint32 flags)
> >+    rv = mPrevChannelSink->OnChannelRedirect(oldChannel, newChannel, flags);
> 
> If that fails, don't you want to bail out right away, since the redirect won't
> be happening?

Ah - I didn't realize that would cancel the load. Fixed.

> >-  mChannel = newChannel;
> >-  mChannel->SetNotificationCallbacks(this);
> >+  SetChannel(nsnull);
> 
> s/nsnull/newChannel/?  On trunk worth adding a test that would catch this.

Whoa. Thanks.

New patches forthcoming.
Comment 53 Joe Drew (not getting mail) 2008-11-20 13:17:55 PST
Created attachment 349267 [details] [diff] [review]
Address review comments - 1.8.0
Comment 54 Joe Drew (not getting mail) 2008-11-20 14:00:33 PST
Comment on attachment 349267 [details] [diff] [review]
Address review comments - 1.8.0

>+    return mPrevChannelSink->QueryInterface(aIID, aResult);

Pretend that this is mPrevChannelSink->GetInterface(aIID, aResult).
Comment 55 Joe Drew (not getting mail) 2008-11-20 14:41:18 PST
Created attachment 349284 [details] [diff] [review]
Address review comments - 1.9.0
Comment 56 Joe Drew (not getting mail) 2008-11-20 14:43:29 PST
Created attachment 349285 [details] [diff] [review]
Fix bug in previous patch - 1.8

There was the previously mentioned bug, and also the fact that, when you duplicate channels, notification callbacks are copied, so it's really easy to get into an infinite loop. This patch (and the one for 1.9.0) fixes that too.
Comment 57 Boris Zbarsky [:bz] (still a bit busy) 2008-11-20 18:33:24 PST
Comment on attachment 349284 [details] [diff] [review]
Address review comments - 1.9.0

This looks good.

One thing that could be simpler is the redirect handling.  If we just pass a boolean to SetChannel for whether to set up callbacks on the new channel, we could simply avoid doing it when coming from redirects (since we're already all set there) and not worry about the recursion issues.  Either way for branches, in the interests of getting this in ASAP, but for the trunk patch we should make this cleaner.
Comment 58 Boris Zbarsky [:bz] (still a bit busy) 2008-11-20 18:35:51 PST
The trunk comments basically mean bug 89419, I guess.
Comment 59 Joe Drew (not getting mail) 2008-11-21 15:43:54 PST
Created attachment 349508 [details] [diff] [review]
Fix bugs in previous patch - 1.8

The previous generation of patches didn't hold on to the callback after redirect (explicitly nulling it out). The 1.8 version also didn't store the callback, in an oversight. This generation of the patches matches the trunk patch in bug 89419, and should hopefully be the last.
Comment 60 Joe Drew (not getting mail) 2008-11-21 15:44:46 PST
Created attachment 349509 [details] [diff] [review]
Fix bugs in previous patch - 1.9.0
Comment 61 Boris Zbarsky [:bz] (still a bit busy) 2008-11-21 20:05:09 PST
Comment on attachment 349508 [details] [diff] [review]
Fix bugs in previous patch - 1.8

>Index: modules/libpr0n/src/imgRequest.cpp
>+      nsCOMPtr<nsIChannel> tmp(do_QueryInterface(aRequest));

No need for |tmp|.  Just QI into mChannel.

> imgRequest::GetInterface(const nsIID & aIID, void **aResult)
>+    return QueryInterface(aIID, aResult);
>+  else {

else-after-return super-nit....

r=bzbarsky
Comment 62 Boris Zbarsky [:bz] (still a bit busy) 2008-11-21 20:07:12 PST
Comment on attachment 349509 [details] [diff] [review]
Fix bugs in previous patch - 1.9.0

r=bzbarsky with the same else-after-return nit.

Oh, and for both patches no need to SetNotificationCallbacks in OnStopRequest, I'd think.
Comment 63 Daniel Veditz [:dveditz] 2008-11-24 13:56:51 PST
Comment on attachment 349509 [details] [diff] [review]
Fix bugs in previous patch - 1.9.0

Approved for 1.9.0.5, a=dveditz for release-drivers
Comment 64 Daniel Veditz [:dveditz] 2008-11-24 13:57:02 PST
Comment on attachment 349508 [details] [diff] [review]
Fix bugs in previous patch - 1.8

Approved for 1.8.1.19, a=dveditz for release-drivers
Comment 65 Joe Drew (not getting mail) 2008-11-25 23:21:11 PST
Created attachment 350120 [details] [diff] [review]
Fix reftest failures

There were two problems with the previous patch I checked in to the 1.9.0 branch, one of which was causing reftest failures.

The first, which was more glaring but seemingly untriggered in our test framework, was that I was setting mRequest to nsnull instead of newChannel on redirect.

The second was more insidious. Prior to attachment 349509 [details] [diff] [review], imgRequests kept track only of one nsIRequest -- generally a load group, but a channel fulfilled this too. I was too hasty in my previous patch, and assumed that always using a load group would be a good idea. This turns out to not be the case: the reftest /layout/reftests/object/malformed-should-fallback.html has a malformed PNG file that fails decoding, which leads to the imgRequest immediately canceling its nsIRequest - in this case a load group - which cancels the channel and removes it from the load group. However, nsBaseChannel also removes itself from its load group in OnStopRequest. (This was one instance of bug 65853.) Also, and this was worse, the html file was in the load group, so it was canceled along with the PNG file load, so when the onload blocker got removed, there was nothing left in the load group, and thus no onload fired.

This problem also exists in the trunk patch on bug 89419, and it'll be a moot issue once bug 466230 is fixed.
Comment 66 Boris Zbarsky [:bz] (still a bit busy) 2008-11-26 06:51:44 PST
Comment on attachment 350120 [details] [diff] [review]
Fix reftest failures

>+++ modules/libpr0n/src/imgRequest.cpp	26 Nov 2008 07:07:02 -0000
>-  mChannel = nsnull;
>+  mChannel = newChannel;

Doh!  r=bzbarsky.
Comment 67 Samuel Sidler (old account; do not CC) 2008-11-26 15:50:52 PST
Comment on attachment 350120 [details] [diff] [review]
Fix reftest failures

Approved for 1.9.0.5. a=ss
Comment 68 Samuel Sidler (old account; do not CC) 2008-11-30 13:26:41 PST
The three approved patches in this bug (two for 1.9.0.5, one for 1.8.1.19) landed.
Comment 69 Al Billings [:abillings] 2008-12-01 13:32:13 PST
Is the original testcase on this bug still valid for manual verification in 1.8.1.19 or does it need to be updated?
Comment 70 georgi - hopefully not receiving bugspam 2008-12-02 01:07:34 PST
>Is the original testcase on this bug still valid for manual verification in
> 1.8.1.19 or does it need to be updated?

it is valid but it doesn't work from bugzilla because it needs HTTP redirect - in the testcase the cgi re.pl does a http redirect.
Comment 71 georgi - hopefully not receiving bugspam 2008-12-02 01:30:50 PST
simple redirect cgis that work with apache:
-------
#!/bin/bash

echo Location: $1
echo

-------
#!/usr/bin/perl -w
if (! defined($ARGV[0])) {print "Location: about:blank\r\n\r\n";exit(1)};
print "Location: " . $ARGV[0] . "\r\n\r\n";

-------

-------
Comment 72 Joe Drew (not getting mail) 2008-12-02 07:05:43 PST
To test this bug, you can use the testcase at http://test.woot.net/mozilla/355126/

To test bug 89419 on branch, you can use the testcase at http://capricorn.woot.net/~jdrew/bugs/mozilla89419
Comment 73 Al Billings [:abillings] 2008-12-02 10:00:05 PST
Yeah, I know it doesn't work on bugzilla. I have a redirector set up on one of my own sites. I was just seeing some odd result with my server for some reason. I've fixed it now and both it and Joe Drew's copy are showing that this is fixed in 1.8.1.19 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.19pre) Gecko/2008120103 BonEcho/2.0.0.19pre. 

This is fixed in 1.9.0.5 as well checking with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5pre) Gecko/2008120105 GranParadiso/3.0.5pre. I notice the it seems fixed in 3.0.4 for some reason as the testcase fails there too. 

Bug 89419 is still fixed on branch. I had tested this before but I just double-checked. It is fixed on 1.9.0.5 as well and I've marked that over there.
Comment 74 georgi - hopefully not receiving bugspam 2008-12-03 03:32:25 PST
>I notice the it seems fixed in 3.0.4 for some reason as the testcase fails there too.

see Comment #10. this got fixed by Bug 397524 on 2007-11-08 though it missed the 1.8 branch and this is the problem.
Comment 75 Jan Horak 2008-12-08 03:50:30 PST
Created attachment 351874 [details] [diff] [review]
Fix for 1.8.0 version
Comment 76 Boris Zbarsky [:bz] (still a bit busy) 2008-12-08 22:50:46 PST
Comment on attachment 351874 [details] [diff] [review]
Fix for 1.8.0 version

I'm not sure what this is a diff against, but if it's against the 1.8.0 in our CVS it doesn't compile because bug 333613 only landed in 1.8.1.  Further, given that that bug didn't land, it's not clear that this is even needed.

It would be a lot easier to review a patch with -pU8 or so, by the way.

Oh, if we do need it, just use imgRequest instead of regetting it again?
Comment 77 Jan Horak 2008-12-09 02:31:14 PST
Created attachment 352081 [details] [diff] [review]
Fix for 1.8.0 version, without nsCanvasRenderingContext2D changes

Thanks for your reaction. I removed changes of nsCanvasRenderingContext2D.cpp file from patch (as long as they are irrelevant). I tried a testcase mentioned in previous messages and after applying the patch it is working correctly.

Could you please look into it once again? Thanks in advance.

I'm sorry for form of last patch (I used gendiff). I hope this time it will be better.
Comment 78 Boris Zbarsky [:bz] (still a bit busy) 2008-12-09 11:38:43 PST
I guess my real question is what this patch is trying to fix.  1.8.0 is not affected by this bug, since this bug only applies to extracting information from a canvas, which canniot be done at all on 1.8.0.

The attached patch fixes bug 89419, looks like, but I'm not sure whether that's the goal.  I'm also not sure that bug needs fixing on 1.8.0, but that discussion would probably better belong in that bug.
Comment 79 Alexander Sack 2008-12-16 00:30:34 PST
not blocking on 1.8.0 based on comment 78
Comment 80 Boris Zbarsky [:bz] (still a bit busy) 2009-01-09 12:56:39 PST
Comment on attachment 352081 [details] [diff] [review]
Fix for 1.8.0 version, without nsCanvasRenderingContext2D changes

r- pending response to comment 78.

Note You need to log in before you can comment on or make changes to this bug.