35859 - loading chrome: urls in a window

Status: VERIFIED FIXED

(Core :: Security, defect, P3)

Description

[Norris Boyd]

Subject: 
        BUG: loading chrome: urls in a window
   Date: 
        Fri, 14 Apr 2000 16:39:15 +0300
   From: 
        Georgi Guninski <joro@nat.bg>
     To: 
        Norris Boyd <norris@netscape.com>




Normally Mozilla does not allow loading chrome: urls (using
<A>,window.open(),redirects, etc.)
But it is possible to circumvent this using <BASE HREF="...">.
I cannot make a dangerous exploit now, but if another bug pops up it may
be possible to create a bad exploit.
The code is:
---------------------------------------------------------------
<SCRIPT>
a=window.open("about:blank","a");
</SCRIPT>
<BASE HREF="chrome://messenger/content/messenger.xul?">
<A HREF="#" TARGET="a">chrome</A>
---------------------------------------------------------------

Comment 1

[Norris Boyd]

The problem is in nsHTMLFrameInnerFrame::Reflow. The code calls
aPresContext->GetBaseURL to get a URL to use as the current page's URL to
determine if it can load the new URL. But of course BASE HREF changes that. I
can't find any other means in nsHTMLFrameInnerFrame::Reflow to obtain the URL of
the current page.

Comment 2

[Mitchell Stoltz (not reading bugmail)]

Bulk reassigning most of norris's bugs to mstoltz.

Comment 3

[Phil Peterson]

[nsbeta2+]

Comment 4

[Paul Wyskoczka]

Changed QA contact to Cathy.

Comment 5

[Mitchell Stoltz (not reading bugmail)]

Fixed by adding CheckLoadURI check to BASE tag processing. Cathy, could you try
some variations on this bug and make sure the hole is closed? Marking FIXED.

Comment 6

[cathy zhang]

The bug is fixed, I tried different variations
http://cathyz/bugs/35859_chrome.html  (with/without ? # )
http://cathyz/bugs/35859_link.html
http://cathyz/bugs/35859_window.html
http://cathyz/bugs/35859_form.html
http://cathyz/bugs/35859_meta.html

Comment 7

[Bob Clary [:bc] (inactive)]

*** Bug 38829 has been marked as a duplicate of this bug. ***