Closed
Bug 463205
Opened 16 years ago
Closed 16 years ago
It's possible to make SessionStore inject text data into the wrong document
Categories
(Firefox :: Session Restore, defect)
Tracking
()
RESOLVED
FIXED
Firefox 3.1b2
People
(Reporter: moz_bug_r_a4, Assigned: zeniko)
References
Details
(Keywords: verified1.8.1.19, verified1.9.0.5, Whiteboard: [sg:high][fixed by bug 464620])
Attachments
(2 obsolete files)
SessionStore does not check whether a loaded document is an intended document
when restoring text data. (On trunk, SessionStore checks a top-level
document's url, but does not check subframes. On fx3/fx2, SessionStore does
not check at all.) Thus, it's possible to make SessionStore inject text data
into the wrong document by loading a new document during restoration.
|
Reporter | |
Comment 1•16 years ago
|
||
This tries to inject text data into http://htmledit.squarefree.com/
|
|
Reporter | |
Comment 2•16 years ago
|
||
This tries to steal text data from
http://mxr.mozilla.org/mozilla-central/source/netwerk/testserver/docs/post.html?raw=1&ctype=text/html
|
|
Reporter | |
Comment 3•16 years ago
|
||
testcase 1 does not work in https: on fx3/fx2.
|
|
Reporter | |
Comment 4•16 years ago
|
||
This tries to inject text data into http://htmledit.squarefree.com/
|
||
Updated•16 years ago
|
Flags: blocking1.9.0.5?
Flags: blocking1.8.1.19?
|
Assignee | |
Comment 5•16 years ago
|
||
Attachment #346550 -
Flags: review?(dietrich)
|
||
Comment 6•16 years ago
|
||
Could be sg:moderate because of the session-restore requirement, but it's not hard to imagine a page using a known crasher to effectively force a tab reload so sg:high for now.
Assignee: nobody → zeniko
Whiteboard: [sg:high]
|
|
||
Updated•16 years ago
|
Flags: wanted1.9.0.x+
Flags: wanted1.8.1.x+
Flags: blocking1.9.0.5?
Flags: blocking1.9.0.5+
Flags: blocking1.8.1.19?
Flags: blocking1.8.1.19+
|
|
||
Updated•16 years ago
|
Whiteboard: [sg:high] → [sg:high][needs r dietrich]
|
||
Comment 7•16 years ago
|
||
Comment on attachment 346550 [details] [diff] [review]
like so?
r=me, looks to resolve this case. minor issue: is there a case where the loaded URI might differ from the string-serialized URI in a valid way? if so, maybe nsIURI.equals() would be better?
|
|
||
Updated•16 years ago
|
Attachment #346550 -
Flags: review?(dietrich) → review+
|
|
||
Updated•16 years ago
|
Whiteboard: [sg:high][needs r dietrich] → [sg:high]
|
|
Assignee | |
Comment 8•16 years ago
|
||
Comment on attachment 346550 [details] [diff] [review]
like so?
Requesting approval for Beta 2 due to [sg:high].
(In reply to comment #7)
> is there a case where the loaded URI might differ from the string-
> serialized URI in a valid way?
Not AFAICT, as it is ourselves who restored that frame in the first place.
Attachment #346550 -
Flags: approval1.9.1b2?
|
|
Assignee | |
Comment 9•16 years ago
|
||
Attachment #347747 -
Flags: approval1.9.0.5?
|
|
||
Comment 10•16 years ago
|
||
Simon, is 1.8.1 branch affected? If so, can you make a patch for that as well?
|
|
||
Updated•16 years ago
|
Whiteboard: [sg:high] → [sg:high][has review][needs approval]
Target Milestone: --- → Firefox 3.1b2
|
|
Assignee | |
Comment 11•16 years ago
|
||
Comment on attachment 347747 [details] [diff] [review]
branch patch
This patch applies to the 1.8.1 branch as well.
Attachment #347747 -
Flags: approval1.8.1.18?
|
|
Assignee | |
Updated•16 years ago
|
Attachment #347747 -
Flags: approval1.8.1.18? → approval1.8.1.19?
|
|
||
Updated•16 years ago
|
Attachment #347747 -
Flags: approval1.9.0.5?
Attachment #347747 -
Flags: approval1.9.0.5+
Attachment #347747 -
Flags: approval1.8.1.19?
Attachment #347747 -
Flags: approval1.8.1.19+
|
|
||
Comment 12•16 years ago
|
||
Comment on attachment 347747 [details] [diff] [review]
branch patch
approved for 1.8.1.19 and 1.9.0.5, a=dveditz for release-drivers
|
||
Updated•16 years ago
|
Attachment #346550 -
Flags: approval1.9.1b2? → approval1.9.1b2+
|
|
||
Comment 13•16 years ago
|
||
Comment on attachment 346550 [details] [diff] [review]
like so?
a1.9.1b2=beltzner
|
|
Assignee | |
Comment 14•16 years ago
|
||
There's a more comprehensive fix in bug 464620. We'll still want to land the tests from attachment #346550 [details] [diff] [review], though.
Whiteboard: [sg:high][has review][needs approval] → [sg:high][has review][to be fixed in bug 464620]
|
|
||
Updated•16 years ago
|
Whiteboard: [sg:high][has review][to be fixed in bug 464620] → [sg:high][has review][has approval]
|
|
||
Comment 15•16 years ago
|
||
Comment on attachment 346550 [details] [diff] [review]
like so?
We're closing up for beta2 and this hasn't landed yet, so we'll hold off until after we branch.
Also: was this fixed on trunk by bug 464620 as indicated in the previous comment?
Attachment #346550 -
Flags: approval1.9.1b2+ → approval1.9.1b2-
|
|
Assignee | |
Comment 16•16 years ago
|
||
This issue was indeed FIXED by bug 464620 on Trunk and both the 1.8.1 and 1.9 branches. The tests will land in bug 464620 as well.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Whiteboard: [sg:high][has review][has approval] → [sg:high][fixed by bug 464620]
|
|
Assignee | |
Updated•16 years ago
|
Attachment #346550 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•16 years ago
|
Attachment #347747 -
Attachment is obsolete: true
|
|
||
Updated•16 years ago
|
Keywords: fixed1.8.1.19,
fixed1.9.0.5
|
||
Comment 17•16 years ago
|
||
Verified for 1.8.1.19 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.19pre) Gecko/2008112503 BonEcho/2.0.0.19pre.
Verified for 1.9.0.5 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5pre) Gecko/2008112505 GranParadiso/3.0.5pre.
|
||
Updated•16 years ago
|
Flags: wanted1.8.0.x-
|
|
||
Updated•15 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•