crash [@ NS_GetInnermostURI - nsScriptSecurityManager::CheckLoadURIWithPrincipal]

VERIFIED FIXED in mozilla1.9.1b4

Status

()

Core
Security: CAPS
--
critical
VERIFIED FIXED
9 years ago
7 years ago

People

(Reporter: wsmwk, Assigned: timeless)

Tracking

({crash, fixed1.9.1, topcrash})

Trunk
mozilla1.9.1b4
crash, fixed1.9.1, topcrash
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [tb3needs], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

9 years ago
topcrash 10 crasher for Thunderbird 3.0b1

security:caps?

Doesn't appear much in nightlies, but does in the a1-3 and b1 releases. none have comments check the graph at http://crash-stats.mozilla.com/report/list?product=Thunderbird&version=Thunderbird%3A3.0a1&version=Thunderbird%3A3.0a2&version=Thunderbird%3A3.0a3&version=Thunderbird%3A3.0b1&platform=windows&query_search=signature&query_type=contains&query=NS_GetInnermostURI&date=&range_value=4&range_unit=weeks&do_query=1&signature=NS_GetInnermostURI%28nsIURI*%29

bp-d298ebd7-630a-46bb-9cce-0487b2081220

NS_GetInnermostURI	nsNetUtil.h:1412
nsScriptSecurityManager::CheckLoadURIWithPrincipal	caps/src/nsScriptSecurityManager.cpp:1321
NS_InvokeByIndex_P	xpcom/reflect/xptcall/src/md/win32/xptcinvoke.cpp:101
XPCWrappedNative::CallMethod	js/src/xpconnect/src/xpcwrappednative.cpp:2263
XPC_WN_CallMethod	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1477
js_Invoke	js/src/jsinterp.cpp:1313

Comment 1

9 years ago
I'm wondering if there are any extensions installed - from what I can tell, no one calls CheckLoadURIWithPrincipal from js.
Content context menu does, http://mxr.mozilla.org/comm-central/source/mail/base/content/nsContextMenu.js#291 (as does contentAreaUtils.js which viewSourceUtils.js includes, but I don't see it hitting that).

It's the sort of thing I often miss, but I don't quite see what you could pass to CheckLoadURIWithPrincipal to make it crash getting the innermost URI.
Component: Account Manager → General
QA Contact: account-manager → general

Comment 3

9 years ago
ah, I was just looking in the comm-central mxr, which doesn't include toolkit, I guess.

I think passing null would make it crash. I think NS_PRECONDITION does nothing in release builds.
(Assignee)

Comment 4

9 years ago
this is a bug in caps. the method is scriptable it needs to handle null
Assignee: nobody → dveditz
Component: General → Security: CAPS
OS: Windows Vista → All
Product: Thunderbird → Core
QA Contact: general → caps
Hardware: x86 → All
Summary: crash [@ NS_GetInnermostURI(nsIURI*)] → crash [@ NS_GetInnermostURI - nsScriptSecurityManager::CheckLoadURIWithPrincipal]
(Assignee)

Comment 5

9 years ago
Created attachment 354912 [details] [diff] [review]
throw early
Assignee: dveditz → timeless
Status: NEW → ASSIGNED
Attachment #354912 - Flags: review?(bzbarsky)
Comment on attachment 354912 [details] [diff] [review]
throw early

sr=dveditz

leaving r?bz on in case he wants to look, but this is pretty self-obvious. But maybe handling null in NS_GetInnermostURI more gracefully would be worth the extra compare
  if (!nestedURI && uri)
before addref-ing.

You'd still need this change, of course, because if you survived the NS_GetInnermostURI call you'd crash on targetBaseURI->GetScheme(). This patch is both necessary and sufficient to fix this bug, additional changes to NS_GetInnermostURI can be a separate issue.

As long as you're in nsScriptSecurityManager, are there any other scriptable APIs that aren't sanity checking? checkLoadURI() doesn't check target, but falls through to this one. checkLoadURIStr/checkLoadURIStrWithPrincipal look OK, as does getCodebasePrincipal.

getChannelPrincipal() is scriptable and will crash on a null channel. "Don't do that" springs to mind, how robust do we want to be in the face of stupid XUL code?

isSystemPrincipal() can't handle a null return param, but that can't happen from script.
Attachment #354912 - Flags: superreview+
Comment on attachment 354912 [details] [diff] [review]
throw early

Looks good.

As far as NS_GetInnermostURI, I think we want to leave it as-is.  It's used in some performance-critical cases (and _does_ assert if passed unexpected input).
Attachment #354912 - Flags: review?(bzbarsky) → review+
Created attachment 355011 [details] [diff] [review]
Crashtest

This does a nice job of crashing without the patch and not with, but I'm not really sure I'm not making bad assumptions about things like any exception being fine, or what principal I should pass to get as close as possible without crashing.
Attachment #355011 - Flags: review?(bzbarsky)
Comment on attachment 355011 [details] [diff] [review]
Crashtest

Any non-system principal will do, so just do a check that the principal is not the system principal?  r=bzbarsky with that change.
Attachment #355011 - Flags: review?(bzbarsky) → review+
http://hg.mozilla.org/mozilla-central/rev/eb870a41e5cb
http://hg.mozilla.org/mozilla-central/rev/59c1cdb2cf7e
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
(Assignee)

Comment 11

9 years ago
Comment on attachment 354912 [details] [diff] [review]
throw early

wsm says this is a top crash on 1.9.1, it has a test and is tiny and correct, could we push to the branch?
Attachment #354912 - Flags: approval1.9.1?
(Reporter)

Comment 12

9 years ago
(In reply to comment #11)
> (From update of attachment 354912 [details] [diff] [review])
> wsm says this is a top crash on 1.9.1, it has a test and is tiny and correct,
> could we push to the branch?

indeed, this needs to go out with the next beta, 3.0b3.
#9 crasher for 3.0b2+3.0b3pre
Whiteboard: [tb3needs]
(In reply to comment #11)
> (From update of attachment 354912 [details] [diff] [review])
> wsm says this is a top crash on 1.9.1, it has a test and is tiny and correct,
> could we push to the branch?

Yes.

Updated

9 years ago
Duplicate of this bug: 476000

Updated

9 years ago
Attachment #354912 - Flags: approval1.9.1? → approval1.9.1+

Comment 15

9 years ago
Comment on attachment 354912 [details] [diff] [review]
throw early

a=me ... please land the test on the branch as well
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/79b969c3d4fa
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/3b6c1a8033a4
Keywords: fixed1.9.1
Target Milestone: --- → mozilla1.9.1b4
(Reporter)

Comment 17

8 years ago
v.fixed - don't see any crashes after 3.0b2 20090408014204
Status: RESOLVED → VERIFIED
Crash Signature: [@ NS_GetInnermostURI - nsScriptSecurityManager::CheckLoadURIWithPrincipal]
You need to log in before you can comment on or make changes to this bug.