Unsafe DOM mutation events in object frame.

RESOLVED FIXED

Status

()

defect
--
critical
RESOLVED FIXED
12 years ago
7 years ago

People

(Reporter: vladimir.sukhoy, Unassigned)

Tracking

(4 keywords)

1.8 Branch
x86
All
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 382681] keep private until 355548 is fixed)

Attachments

(1 attachment)

Reporter

Description

12 years ago
Using DOM mutation events it is possible to crash the browser or make the UI unresponsive.
Reporter

Comment 1

12 years ago
See also bug 382568, bug 382681, bug 382700, bug 355548;
Here it is nsObjectFrame::CreateDefaultFrames that is vulnerable (does child manipulations which fire events and the JavaScript being invoked in the middle of frame code may do some damage).
Reporter

Updated

12 years ago
Blocks: 382754

Updated

12 years ago
Depends on: 382681
Reporter

Updated

12 years ago
No longer blocks: 382754
Fixed by the patch in bug 382681.

Updated

12 years ago
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
Whiteboard: [sg:dupe 382681]
No hang or crash using Thunderbird version 1.5.0.13 (20070809) with JS enabled.  Replacing fixed1.5.0.13 keyword with verified1.5.0.13.
Flags: in-testsuite?
Whiteboard: [sg:dupe 382681] → [sg:dupe 382681] keep private until 355548 is fixed
Group: core-security
You need to log in before you can comment on or make changes to this bug.