Closed Bug 430214 Opened 16 years ago Closed 16 years ago

[FIX] Don't fire events while there are scriptblockers

Categories

(Core :: DOM: Events, defect)

Product:
Core
Component:
DOM: Events
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: sicking, Assigned: smaug)

References

(Blocks 1 open bug)

Details

(Keywords: fixed1.9.1, Whiteboard: [sg:critical?])

Attachments

(6 files, 5 obsolete files)

testcase for selectedItemChanged
979 bytes, text/html
Details
remove selectedItemChanged
853 bytes, patch
sicking
: review+
sicking
: superreview+
beltzner
: approval1.9.1+
Details | Diff | Splinter Review
Some tests for 'broadcast'
2.74 KB, patch
Details | Diff | Splinter Review
warnings
1.95 KB, patch
sicking
: review+
sicking
: superreview+
Details | Diff | Splinter Review
always with AddScriptRunner
4.26 KB, patch
roc
: review+
roc
: superreview+
beltzner
: approval1.9.1+
Details | Diff | Splinter Review
fix for 'broadcast', v2
7.17 KB, patch
beltzner
: approval1.9.1+
Details | Diff | Splinter Review 
Ideally we should make nsEventDispatcher refuse to dispatch events if there currently are scriptblockers. For now we should assert if it happens and start fixing places where it does.
Marking this as [sg:critical?] I'd be surprised if there weren't exploitable bugs here.
Whiteboard: [sg:critical?]
Jonas, should this wait for bug 430215 or could I just patch nsEventDispatcher?
Assignee: nobody → Olli.Pettay
Attached patch like this? (obsolete) — Splinter Review 
So um, this does prevent events to be dispatched.
In some cases load and DOMContentLoaded, and also XUL's broadcast.
Have to fix those cases before landing, I guess.
Running chrome/browser-chrome/mochitest reveals also
selectedItemChanged, select, overflow and underflow.
I think we need to just assert for a while before flipping the switch. But defenitely let's try to get the assertions in and quiet asap
Attached patch patch for selectedItemChanged (obsolete) — Splinter Review 
I don't want to remove events which have been there since 2002.
selectedItemChanged was added for XBL form controls so it isn't really used, 
but some website may use it. Trying to keep it working as well as possible.
Looking at the code reveals that selectedItemChanged is evil.
Attachment #348189 - Flags: superreview?(jonas)
Attachment #348189 - Flags: review?(jonas)
I think at least some of the load and DOMContentLoaded happen because of
XBL documents. Those documents aren't available to scripts.

Verifying and possibly modifying https://bugzilla.mozilla.org/attachment.cgi?id=348115 to handle that case.
Attached patch Just debug warning (obsolete) — Splinter Review 
This reduces warnings by removing cases when scripts won't run, at least not
content scripts.
Attachment #348115 - Attachment is obsolete: true
> Created an attachment (id=348342) [details]
With this broadcast, ValueChange (for accessibility, I think), selectedItemChanged (attachement 348189 fixes this), select, overflow and underlow events are dispatched when running chrome/browser-chrome/mochitest.
I haven't look at 'select' yet, but otherwise should be pretty easy to fix.
Attached patch fix for 'broadcast' (obsolete) — Splinter Review 

    
    

    
  
Comment on attachment 348362 [details] [diff] [review]
fix for 'broadcast'

This is a quick WIP. Should write some testcases and perhaps file a new bug for this.

    
    

    
  
Comment on attachment 348189 [details] [diff] [review]
patch for selectedItemChanged

Ugh, we should just remove this event IMHO. I tried googling for anyone using this event, and looked at every page that google turned up that contains 'selectedItemChanged' and 'firefox' but isn't about winforms (winforms has a feature with this name). The only thing I found was the XBL forms implementation which I found mirrored on two sites.

So it seems unlikely to me that this is used.

    
    

    
  


  
I don't have a strong opinion about this, so I'm happy to remove.

        Attachment #348189 -
        Attachment is obsolete: true

        Attachment #348428 -
        Flags: superreview?(jonas)

        Attachment #348428 -
        Flags: review?(jonas)

        Attachment #348189 -
        Flags: superreview?(jonas)

        Attachment #348189 -
        Flags: review?(jonas)

        Attachment #348428 -
        Flags: superreview?(jonas)

        Attachment #348428 -
        Flags: superreview+

        Attachment #348428 -
        Flags: review?(jonas)

        Attachment #348428 -
        Flags: review+

    
    

    
  
Comment on attachment 348362 [details] [diff] [review]
fix for 'broadcast'

Neil, would this be too ugly for 'broadcast'. This basically delays broadcast until the end the update and reuses nsDelayedBroadcastUpdate class.

        Attachment #348362 -
        Flags: review?(enndeakin)

    
    

    
  


  
Note, nsContentUtils::AddScriptRunner is null-safe.

With this and other patches running chrome/browser-chrome/mochitest gives only one warning, ValueChange somewhere in browser-chrome test.

        Attachment #348552 -
        Flags: superreview?(roc)

        Attachment #348552 -
        Flags: review?(roc)

    
    

    
  
Comment on attachment 348362 [details] [diff] [review]
fix for 'broadcast'

So EndUpdate is always called after an attribute changed?

You should probably have the other Neil look at this too.

        Attachment #348362 -
        Flags: review?(enndeakin) → review+

    
    

    
  
Comment on attachment 348362 [details] [diff] [review]
fix for 'broadcast'

>So EndUpdate is always called after an attribute changed?
EndUpdate is always called whenever AttributeChange is called. Both are part of the update batch.

        Attachment #348362 -
        Flags: superreview?(neil)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        warningsSplinter Review
      

    


  
With the patches there shouldn't be any warnings.
It might be better to not have the !nsContentUtils::IsChromeDoc check,
but for now it should be enough, IMO.

        Attachment #348342 -
        Attachment is obsolete: true

        Attachment #348565 -
        Flags: superreview?(jonas)

        Attachment #348565 -
        Flags: review?(jonas)

    
    

    
  
+  if (nsContentUtils::IsSafeToRunScript()) {
+    CheckOverflow(parts);
+    return weakFrame.IsAlive();
+  }
+
+  nsContentUtils::AddScriptRunner(new nsOverflowChecker(this));
+  return PR_TRUE;

Why do we need the "if" block here? Can't we always just take the AddScriptRunner path?

(I do think we should return weakFrame.IsAlive() on that path though.

    
    

    
  
(In reply to comment #21)
> Why do we need the "if" block here? Can't we always just take the
> AddScriptRunner path?
> 
> (I do think we should return weakFrame.IsAlive() on that path though.
We need to return weakFrame.IsAlive() if we always use AddScriptRunner.
But I was trying to reduce temporary objects, so that is the reason
for if()

    
    

    
  
I don't think we care about reducing temporary objects. Let's keep the code as simple as possible.

    
    

    
  


  

        Attachment #348552 -
        Attachment is obsolete: true

        Attachment #348637 -
        Flags: superreview?(roc)

        Attachment #348637 -
        Flags: review?(roc)

        Attachment #348552 -
        Flags: superreview?(roc)

        Attachment #348552 -
        Flags: review?(roc)

        Attachment #348637 -
        Flags: superreview?(roc)

        Attachment #348637 -
        Flags: superreview+

        Attachment #348637 -
        Flags: review?(roc)

        Attachment #348637 -
        Flags: review+

    
    

    
  
Comment on attachment 348362 [details] [diff] [review]
fix for 'broadcast'

>+    nsCOMPtr<nsIDOMElement> broadcaster = do_QueryInterface(aElement);
>+    if (broadcaster && mBroadcasterMap &&
>+        CanBroadcast(aNameSpaceID, aAttribute)) {
>         nsCOMPtr<nsIDOMElement> domele = do_QueryInterface(aElement);
Just move the existing domele up?

>                 BroadcastListener* bl =
>                     static_cast<BroadcastListener*>(entry->mListeners[i]);
> 
>                 if ((bl->mAttribute == aAttribute) ||
>                     (bl->mAttribute == nsGkAtoms::_asterix)) {
>                     nsCOMPtr<nsIContent> listener
>                         = do_QueryReferent(bl->mListener);
>+                    nsCOMPtr<nsIDOMElement> listenerEl =
>+                        do_QueryInterface(listener);
Directly query the nsIDOMElement referent?

sr=me with those fixed.

>+                ExecuteOnBroadcastHandlerFor(broadcaster,
>+                                             delayedAttrChangeBroadcasts[i].mListener,
>+                                             attrName);
I wonder why ExecuteOnBroadcastHandlerFor never used nsIContent* aListener.

        Attachment #348362 -
        Flags: superreview?(neil) → superreview+

    
    

    
  


  

        Attachment #348362 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 348565 [details] [diff] [review]
warnings

Please file a follow-up bug on getting this fixed for chrome documents.

I think the biggest reason is that if something is wrong with chrome documents, it's entirely possible that it'll be wrong for things like remote XUL and the like.

    
    

    
  
Comment on attachment 348565 [details] [diff] [review]
warnings

(and of course hold off on checking this in until we're reasonably sure it won't fire too much)

        Attachment #348565 -
        Flags: superreview?(jonas)

        Attachment #348565 -
        Flags: superreview+

        Attachment #348565 -
        Flags: review?(jonas)

        Attachment #348565 -
        Flags: review+

    
    

    
  
The reason for checking chrome for now is the one ValueChange event which is
dispatched in DownloadProgressListener. I'm not quite sure what to do with
that.

        Attachment #348428 -
        Flags: approval1.9.1?

        Attachment #348637 -
        Flags: approval1.9.1?

        Attachment #348737 -
        Flags: approval1.9.1?
Summary: Don't fire events while there are scriptblockers → [FIX] Don't fire events while there are scriptblockers

    
    

    
  
I'm sorry - been trying to read through this bug and figure it out, but it's really hard to tell. Are all these patches being submitted for approval? Are some obsolete?

    
    

    
  
The ones with approval1.9? are fixing possible security problems where events
are dispatched at unsafe time.

"fix for 'broadcast', V2" is the same as "fix for 'broadcast'" but with 
review comments addressed.

        Attachment #348428 -
        Flags: approval1.9.1? → approval1.9.1+

        Attachment #348637 -
        Flags: approval1.9.1? → approval1.9.1+

    
    

    
  
Comment on attachment 348737 [details] [diff] [review]
fix for 'broadcast', v2

a191=beltzner for these three patches; should probably create a bundle so that they land together

        Attachment #348737 -
        Flags: approval1.9.1? → approval1.9.1+

    
    

    
  
Actually I may want to land them separately when it is quiet time.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?] → [sg:critical?], [needs-1.9.1-landing]

    
    

    
  
I didn't land the "warning" patch.

    
    

    
  
Wait, we still don't have code in nsEventDispatcher that refuses to dispatch events even if other code attempts to while there are script-blockers, right? (The idea being a belts-and-suspenders defense-in-depth thing since ideally no one should attempt to fire events under such circumstances)

That's what this bug originally was intended for, but I'm happy to file a new bug on that since a lot of good related work in this bug has already been done.

    
    

    
  
Ah, true. New bug would be good.
Keywords: fixed1.9.1
Depends on: 468176

    
    

    
  
Comment on attachment 348362 [details] [diff] [review]
fix for 'broadcast'

>@@ -970,56 +970,50 @@ nsXULDocument::AttributeChanged(nsIDocum
...
>             nsAutoString value;
...
>+                      nsDelayedBroadcastUpdate delayedUpdate(broadcaster,
>+                                                             listenerEl,
>+                                                             aAttribute,
>+                                                             value,
>+                                                             attrSet);
This copies value (an nsAutoString) into the mValue (an nsString), thus causing the creation of a string buffer and the copying of the value. If instead value had been made an nsString then that would have caused the creation of a string buffer, the value would have been copied there rather than an auto buffer, and then this the buffer would have been shared with mValue.
Blocks: 515229
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: