Closed
Bug 382681
Opened 14 years ago
Closed 14 years ago
Unsafe DOM mutation events in scrollable frame
Categories
(Core :: DOM: Events, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: vladimir.sukhoy, Assigned: smaug)
References
Details
(Keywords: fixed1.8.1.5, testcase, verified1.8.0.13, Whiteboard: [sg:dos] keep private until 355548 is fixed on branches)
Attachments
(2 files, 1 obsolete file)
|
1.93 KB,
application/xhtml+xml
|
Details | |
|
5.44 KB,
patch
|
sicking
:
review+
sicking
:
superreview+
dveditz
:
approval1.8.1.5+
dveditz
:
approval1.8.0.13+
|
Details | Diff | Splinter Review |
Using DOM mutation events it is possible to trash the UI so that the browser is unresponsive. See related bug 382568 and bug 355548 for more related test cases.
|
||
Comment 1•14 years ago
|
||
I get 100% cpu on trunk also. You mean that shouldn't happen?
|
Reporter | |
Comment 2•14 years ago
|
||
if the UI is still responsive, then it is not so bad. On branches the UI stop working, and that is equivalent to "denial of service".
|
|
Reporter | |
Comment 3•14 years ago
|
||
Oh, indeed, the UI gets unresponsive on trunk too.
Version: 1.8 Branch → Trunk
|
Assignee | |
Comment 4•14 years ago
|
||
On linux (trunk/1.8) I get endless loop of JS's "too much recursion"s (which as such isn't Security-Sensitive, IMO). bug 382568 and bug 355548 are crashers.
|
|
Reporter | |
Comment 5•14 years ago
|
||
IMO, it is security sensitive because it suggests a pattern to exploit things in a way similar to those. Should we file a metabug or whatever to keep these guys together?
|
|
Reporter | |
Comment 6•14 years ago
|
||
Ok, this testcase does crash 1.8 and 1.8.0 on MacOS for me it was just a matter of skipping a couple of legitimate mutation events and doing nasty stuff on the vulnerable one.
Attachment #266803 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 7•14 years ago
|
||
Crashes on Linux too. Severity elevated, title adjusted...
Severity: normal → critical
Summary: Suspicious DOM mutation events in scrollable frame → Unsafe DOM mutation events in scrollable frame
|
|
Assignee | |
Updated•14 years ago
|
Assignee: nobody → Olli.Pettay
|
|
Assignee | |
Comment 8•14 years ago
|
||
Just don't propagate any mutation events from native anonymous content. IsAnonymousForEvents() is needed because XUL has its own implementation for IsNativeAnonymous(). This fixes also Bug 382568.
Attachment #267939 -
Flags: superreview?(jonas)
Attachment #267939 -
Flags: review?(jonas)
|
|
Assignee | |
Updated•14 years ago
|
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 9•14 years ago
|
||
attachment 267939 [details] [diff] [review] fixes also bug 382700. Note, I didn't change nsGenericDOMDataNode::HandleDOMEvent to check nativeness, because it doesn't implement SetNativeAnonymous properly and native anon text nodes are AFAIK always inside native anonymous elements. (This all ofc works properly on trunk.)
|
|
Assignee | |
Updated•14 years ago
|
Flags: blocking1.8.1.5?
Flags: blocking1.8.0.13?
|
||
Updated•14 years ago
|
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Whiteboard: [sg:low dos] (related to worse bugs?) need r/sr=sicking
Attachment #267939 -
Flags: superreview?(jonas)
Attachment #267939 -
Flags: superreview+
Attachment #267939 -
Flags: review?(jonas)
Attachment #267939 -
Flags: review+
|
|
Assignee | |
Updated•14 years ago
|
Attachment #267939 -
Flags: approval1.8.1.5?
Attachment #267939 -
Flags: approval1.8.0.13?
|
|
||
Updated•14 years ago
|
Flags: blocking1.8.1.5?
Flags: blocking1.8.1.5+
Flags: blocking1.8.0.13?
Flags: blocking1.8.0.13+
Whiteboard: [sg:low dos] (related to worse bugs?) need r/sr=sicking → [sg:low dos] (related to worse bugs?)
|
|
||
Comment 10•14 years ago
|
||
Comment on attachment 267939 [details] [diff] [review] proposed patch approved for 1.8.1.5 and 1.8.0.13, a=dveditz for release-drivers
Attachment #267939 -
Flags: approval1.8.1.5?
Attachment #267939 -
Flags: approval1.8.1.5+
Attachment #267939 -
Flags: approval1.8.0.13?
Attachment #267939 -
Flags: approval1.8.0.13+
|
|
Assignee | |
Comment 11•14 years ago
|
||
Checked in to branches
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Keywords: fixed1.8.0.13,
fixed1.8.0.5
Resolution: --- → FIXED
|
|
Assignee | |
Updated•14 years ago
|
Keywords: fixed1.8.0.5 → fixed1.8.1.5
|
||
Comment 12•13 years ago
|
||
Verified on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.13pre) Gecko/20070810 Firefox/1.5.0.13pre Fx15012 crashed but Fx15013pre did not.
Keywords: fixed1.8.0.13 → verified1.8.0.13
|
|
||
Updated•13 years ago
|
Flags: in-testsuite?
Whiteboard: [sg:low dos] (related to worse bugs?) → [sg:low dos] keep private until 355548 is fixed
|
|
||
Updated•12 years ago
|
Whiteboard: [sg:low dos] keep private until 355548 is fixed → [sg:dos] keep private until 355548 is fixed on branches
|
|
||
Updated•8 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•