Closed Bug 382700 Opened 18 years ago Closed 18 years ago

Unsafe DOM mutation events in object frame.

Categories

(Core :: DOM: Events, defect)

Product:
Core
Component:
DOM: Events
Version:
1.8 Branch
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: vladimir.sukhoy, Unassigned)

References

Details

(4 keywords, Whiteboard: [sg:dupe 382681] keep private until 355548 is fixed)

Attachments

(1 file)

the test case: crashes MacOS 1_8 branch, makes Windows 1_8 branch unresponsive.
1.53 KB, application/xhtml+xml
Details
Using DOM mutation events it is possible to crash the browser or make the UI unresponsive.
See also bug 382568, bug 382681, bug 382700, bug 355548; Here it is nsObjectFrame::CreateDefaultFrames that is vulnerable (does child manipulations which fire events and the JavaScript being invoked in the middle of frame code may do some damage).
Blocks: 382754
No longer blocks: 382754
Fixed by the patch in bug 382681.
Keywords: fixed1.8.0.13, fixed1.8.0.5
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Whiteboard: [sg:dupe 382681]
No hang or crash using Thunderbird version 1.5.0.13 (20070809) with JS enabled. Replacing fixed1.5.0.13 keyword with verified1.5.0.13.
Keywords: fixed1.8.0.13verified1.8.0.13
Flags: in-testsuite?
Whiteboard: [sg:dupe 382681] → [sg:dupe 382681] keep private until 355548 is fixed
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: