Bug 448548: XSLT creates documents which don't have script handling objects
Status: RESOLVED FIXED (Opened 16 years ago, Closed 16 years ago)
Categories: Core :: DOM: Core & HTML, defect, P1
People: Reporter: smaug, Assigned: smaug
Details: Keywords: fixed1.9.0.2, fixed1.9.1, verified1.8.1.17, Whiteboard: [sg:critical]
Attachments (4 files, 1 obsolete file):
2.87 KB, patch | sicking: review+, jst: superreview+, dveditz: approval1.9.0.2+
2.90 KB, patch
4.18 KB, patch | sicking: review+, sicking: superreview+, dveditz: approval1.8.1.17+
3.75 KB, patch | asac: approval1.8.0.next+
This may cause similar problems as bug 393761 and bug 393762.
Comment 1 (Assignee) • 16 years ago
I'll test this some more once I have a reasonably well working network connection.
Comment 2 (Assignee) • 16 years ago
Comment on attachment 331749: WIP, not properly tested
This isn't quite good enough. New scriptglobalobject is set for those XSLT processed documents which are going to a contentviewer.
Better patch coming...
Attachment #331749 - Attachment is obsolete: true
Comment 3 (Assignee) • 16 years ago
This lets one override scripthandlingobject - basically when
document is set to a contentviewer and to a globalwindow.
Comment 4 (Assignee) • 16 years ago
Comment on attachment 331793: a bit better
Should be enough for now.
Attachment #331793 - Flags: superreview?(jst)
Attachment #331793 - Flags: review?(jonas)
Attachment #331793 - Flags: review?(jonas) → review+
Comment 5 (Assignee) • 16 years ago
I need to find some testcase for this.
...trying to modify moz_bug_r_a4@yahoo.com's testcases for XHR/DOMParser/.createDocument
Flags: wanted1.8.1.x?
Flags: blocking1.9.1?
Flags: blocking1.9.0.2?
Comment 6 (Assignee) • 16 years ago
Updated • 16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
Comment 7 • 16 years ago
Johnny, can we get this reviewed? We probably want to block on it, depending on how safe the fix is...
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x?
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.17?
Comment 9 • 16 years ago
"blocking" so we don't lose track, but if we can't patch all the holes this week might have to punt to the next update releases.
Flags: blocking1.9.0.2?
Flags: blocking1.9.0.2+
Flags: blocking1.8.1.17?
Flags: blocking1.8.1.17+
Whiteboard: [sg:critical]
Comment 10 (Assignee) • 16 years ago
The patch applies cleanly to 1.9.0. Will upload 1.8 patch.
Comment 11 (Assignee) • 16 years ago
Attachment #335032 - Flags: superreview?(jonas)
Attachment #335032 - Flags: review?(jonas)
Updated • 16 years ago
Attachment #331793 - Flags: superreview?(jst) → superreview+
Attachment #335032 - Flags: superreview?(jonas)
Attachment #335032 - Flags: superreview+
Attachment #335032 - Flags: review?(jonas)
Attachment #335032 - Flags: review+
Comment 12 • 16 years ago
Olli, do these patches address the new testcase in comment 8? I wasn't sure if that's an exploit found in your patch or just an additional testcase that does the same thing.
moz_bug_r_a4, care to comment?
Comment 13 (Assignee) • 16 years ago
Yes, the patches do address both testcases.
Comment 14 • 16 years ago
Comment on attachment 335032: for 1.8
Approved for 1.8.1.17 and 1.9.0.2, a=dveditz for release-drivers.
Attachment #335032 - Flags: approval1.9.0.2+
Attachment #335032 - Flags: approval1.8.1.17+
Updated (Assignee) • 16 years ago
Attachment #331793 - Flags: approval1.9.0.2?
Comment 15 • 16 years ago
Comment on attachment 331793: a bit better
meant this patch for 1.9.0.x
Attachment #331793 - Flags: approval1.9.0.2? → approval1.9.0.2+
Updated • 16 years ago
Attachment #335032 - Flags: approval1.9.0.2+
Updated (Assignee) • 16 years ago
Keywords: fixed1.8.1.17, fixed1.9.0.2
Updated (Assignee) • 16 years ago
Keywords: checkin-needed
Updated (Assignee) • 16 years ago
Flags: in-testsuite?
Verified FIXED using the testcase in comment 8 against:
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16 -- where it reproduces, and against:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17, where it does NOT.
Replacing fixed1.8.1.17 keyword with verified1.8.1.17.
Keywords: fixed1.8.1.17 → verified1.8.1.7
Comment 17 • 16 years ago
keywords had a typo: "verified1.8.1.7". fixing that.
Keywords: verified1.8.1.7 → verified1.8.1.17
Comment 19 • 16 years ago
sorry typo too :):
a=asac for 1.8.0.15
Updated • 16 years ago
Group: core-security
Comment 20 • 16 years ago
is lack of scriptglobalobject guaranteed to give chrome privileges?
Updated • 16 years ago
Keywords: fixed1.9.1
Updated • 16 years ago
Flags: blocking1.8.0.next+
Comment 21 (Assignee) • 12 years ago
Need to commit the mochitest.
Comment 22 (Assignee) • 12 years ago
Ah, hmm, testcase would need quite some changes.
Flags: in-testsuite? → in-testsuite-
Updated • 6 years ago
Component: DOM → DOM: Core & HTML