Closed
Bug 52526
Opened 24 years ago
Closed 24 years ago
Site goes into loop opening infinite number of windows
Categories
(Core :: Networking: Cookies, defect, P2)
Tracking
()
VERIFIED
FIXED
M18
People
(Reporter: alistair.vining, Assigned: hjtoi-bugzilla)
References
()
Details
(Whiteboard: [nsbeta3+])
Attachments
(1 file)
13.86 KB,
patch
|
Details | Diff | Splinter Review |
- Browse to http://www.nationalreview.com/ with cookies set to "ask". - Say no when the site asks to set a cookie and remember this decision. Either a) The browser keeps putting up more requests to set cookies or b) it keeps opening more and more windows. Result perhaps depends on whether the pop-up has appeared when the cookies are refused. There's some cookie-handling javascript on the page which is probably connected, but I'm pleading ignorance and laziness. Browser version 2000-09-13 08:00
Comment 1•24 years ago
|
||
Seeing this w/ linux CVS from 091321. If cookies are disallowed (including using the dialog for the first visit), I get an infinite number of popups. If they are allowed, I see only one. I also get 3 modal "allow cookie" dialogs on the first visit, all at once (that's probably a seprate issue and I'm unsure if it has been filed or not.)
Comment 2•24 years ago
|
||
I don't think this is a cookie problem. I'm not seeing an infinite number of requests to set cookies -- I see only about three such requests each from different hosts so that's understandable. I am seeing the browser opening more and more windows which appear to be related to the content. Furthermore, I see the same problem if I restore the cookie-warning pref to its default value (no cookie warning box).
Reporter | ||
Comment 3•24 years ago
|
||
Yes, there could be two separate issues here. The multiple 'accept cookies' dialogs I can also see at: http://www.linuxworld.com/linuxworld/lw-2000-09/lw-09-vcontrol_2.html but only sporadically (3 from itworld.com). I admit, I haven't tested the various combinations of preferences systematically.
Comment 4•24 years ago
|
||
I am unable to reproduce the multiple-cookie problem at site http://www.linuxworld.com/linuxworld/lw-2000-09/lw-09-vcontrol_2.html. I suggest that we separate this out into two bugs. This bug is about the opening of infinite number of content windows which has nothing to do with cookies and is reproducible. Open a new report on the repeated cookie-requests and indicate that it is intermittent (I have not been able to reproduce it). Possibly the repeated cookie warning boxes has to do with the fact that the cookie warning box is not always modal (bug 51338) which I am currently working on. If it were always modal, the browser would "freeze" until you dismissed the warning box so it would not be possible to get multiple simultaneous warning boxes. Updating summary to reflect that this current box has nothing to do with cookies.
Status: NEW → ASSIGNED
Summary: Refusing cookies starts infinite loop → Site goes into loop opening infinite number of windows
Whiteboard: nsbeta3
Target Milestone: --- → M18
Comment 5•24 years ago
|
||
I am not so sure this has nothing to do with cookies. As I commented, If I edit the cookie permissions so that this site is allowed, I only get one popup window. Can anyone else reproduce that?
Comment 6•24 years ago
|
||
Yes, you are correct. Setting the cookie pref to accept-all-cookies does not have the problem whereas rejecting all cookies does have the problem. That doesn't necessarily mean that it is a cookie problem, but at least we know that somehow cookies are involved. I'll investigate further.
Comment 7•24 years ago
|
||
Need info on what this is about and how severe, and if it really is a side effect of bug 51338 as postulated by Steve. Infinite windows sounds like a P1, not a P3, or maybe P2 if it's only some people some of the time.
Whiteboard: [need info]
Comment 8•24 years ago
|
||
No, this bug has nothing to do with 51338. I mentioned that as a possible explanation of the repeated cookie warning box. But I have not been able to reproduce the repeated cookie warning boxes and, furthermore, this bug does not cover that situation (if that is still a problem, it should be opened as a separate bug). As far as the severity goes, this is basically a denial-of-service attack except that the attack is coming from the browser itself rather than from a website. Or, to be more specific, this particular website has something in it that exploits a bug in the browser to generate the denial-of-service. I'm investigating to find out what is unique about this site that it is resulting in this DOS.
Reporter | ||
Comment 9•24 years ago
|
||
I can verify the multiple-cookie-dialog part (and have a screenshot), but noticed that there was a checkin to fix 51338 today, so I'll wait for tomorrow's builds before filing another bug. The more-and-more-windows part always seems to crash in necko.dll. No idea if that is significant.
Comment 10•24 years ago
|
||
Point of crash is not significant -- it's just indicative of a low-memory situation. In fact, here's the stack trace. Obviously some bug in our memory-allocation/deallocation when low-memory is encountered. __sbh_free_block(tagHeader * 0x113e5b84, void * 0x166c2ea0) line 350 + 6 bytes _realloc_base(void * 0x166c2ea0, unsigned int 84) line 101 + 13 bytes realloc_help(void * 0x166c2ec0, unsigned int 48, int 1, const char * 0x00000000, int 0, int 1) line 636 + 16 bytes _realloc_dbg(void * 0x166c2ec0, unsigned int 48, int 1, const char * 0x00000000, int 0) line 806 + 27 bytes realloc(void * 0x166c2ec0, unsigned int 48) line 755 + 19 bytes JS_realloc(JSContext * 0x166226f0, void * 0x166c2ec0, unsigned int 48) line 1366 + 14 bytes js_AllocSlot(JSContext * 0x166226f0, JSObject * 0x11982ad8, unsigned long * 0x0012b6a0) line 1627 + 20 bytes js_NewScopeProperty(JSContext * 0x166226f0, JSScope * 0x166c1a50, long 37582864, int (JSContext *, JSObject *, long, long *)* 0x00281253 _JS_PropertyStub, int (JSContext *, JSObject *, long, long *)* 0x00281253 _JS_PropertyStub, unsigned int 1) line 477 + 20 bytes js_SetProperty(JSContext * 0x166226f0, JSObject * 0x11982ad8, long 37582864, long * 0x0012b818) line 2221 + 29 bytes nsXPCArbitraryScriptable::SetProperty(nsXPCArbitraryScriptable * const 0x01a3bba0, JSContext * 0x166226f0, JSObject * 0x11982ad8, long 37582864, long * 0x0012b818, nsIXPConnectWrappedNative * 0x166c1ce0, nsIXPCScriptable * 0x00000000, int * 0x0012b814) line 132 + 25 bytes nsXPCComponents_Classes::CacheDynaProp(JSContext * 0x166226f0, JSObject * 0x11982ad8, long 37582864, nsIXPConnectWrappedNative * 0x166c1ce0, nsIXPCScriptable * 0x01a3bba0) line 548 nsXPCComponents_Classes::GetProperty(nsXPCComponents_Classes * const 0x166c1d84, JSContext * 0x166226f0, JSObject * 0x11982ad8, long 37582864, long * 0x0012c0b0, nsIXPConnectWrappedNative * 0x166c1ce0, nsIXPCScriptable * 0x01a3bba0, int * 0x0012b8b4) line 420 WrappedNative_GetProperty(JSContext * 0x166226f0, JSObject * 0x11982ad8, long 37582864, long * 0x0012c0b0) line 325 + 40 bytes js_Interpret(JSContext * 0x166226f0, long * 0x0012c234) line 2404 + 1563 bytes js_Execute(JSContext * 0x166226f0, JSObject * 0x11348060, JSScript * 0x02851b20, JSFunction * 0x00000000, JSStackFrame * 0x00000000, unsigned int 0, long * 0x0012c234) line 903 + 13 bytes JS_ExecuteScript(JSContext * 0x166226f0, JSObject * 0x11348060, JSScript * 0x02851b20, long * 0x0012c234) line 3024 + 27 bytes nsJSContext::ExecuteScript(nsJSContext * const 0x166228a0, void * 0x00d717a8, void * 0x11348060, basic_nsAWritableString<unsigned short> * 0x00000000, int * 0x00000000) line 723 + 42 bytes nsXULDocument::ExecuteScript(JSObject * 0x00d717a8) line 5631 + 33 bytes nsXULDocument::LoadScript(nsXULPrototypeScript * 0x023a03b0, int * 0x0012c81c) line 5486 + 15 bytes nsXULDocument::ResumeWalk() line 5269 + 19 bytes nsXULDocument::CachedChromeStreamListener::OnStopRequest(nsXULDocument::CachedCh romeStreamListener * const 0x1660ed70, nsIChannel * 0x165fe630, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 6567 nsDocumentOpenInfo::OnStopRequest(nsDocumentOpenInfo * const 0x165fe4a0, nsIChannel * 0x165fe630, nsISupports * 0x00000000, unsigned int 0, const unsigned short * 0x00000000) line 269 nsCachedChromeChannel::HandleStopLoadEvent(PLEvent * 0x1669ed40) line 535 PL_HandleEvent(PLEvent * 0x1669ed40) line 575 + 10 bytes PL_ProcessPendingEvents(PLEventQueue * 0x165fb480) line 508 + 9 bytes _md_EventReceiverProc(HWND__ * 0x00010f9a, unsigned int 49426, unsigned int 0, long 375370880) line 1044 + 9 bytes USER32! 77e71268() 165fb480()
Comment 11•24 years ago
|
||
Approving nsbeta3+, giving P2. Until we find out what about this site causes the problem we don't know how exploitable this is. Has anyone thought to save the site somewhere (like an attachment to this bug) just in case they change it on us and "fix" the problem?
Priority: P3 → P2
Whiteboard: [need info] → [nsbeta3+]
Comment 12•24 years ago
|
||
Yes, I've already saved the site, modified it, and just finished doing a complete analysis. Here's the story. First, the bug is not at all in the cookie module. The reason that the failure occured when cookies were disabled is because the site tests for a cookie and if it doesn't find one it goes and opens a pop-up window. So if cookies are enabled, the window does not pop up even one time and there are no "infinite" windows. And "infinite" in this example is a slight exageration. In fact, the site will open up 186 of these pop-up windows when cookies are disabled. Here's why. The html on the page calls on javascript to open the pop-up window when the page finishes loading (by using an onload handler). The page itself consists of a bunch of images, each of which get loaded as well. The problem is that the loading of each image is also triggering the onload handler. And there are 186 images on the page so the handler gets called 186 times and opens 186 pop-up windows. The following html demonstrates the problem. It was obtained by greatly simplifying the content on the site (place any gif file in the same directory as the html and call it bug.gif). <html> <head> <title>Repeated calls to on-load hander</title> <script type="text/javascript" language="JavaScript"> var count = 1; function Loaded() { alert("count="+count++); } </script> </head> <body onload="Loaded()"> <img src="bug.gif" width="20" height="20" align="absbottom"> </body> </html> The above example brings up an alert box where the actual site was bringing up a pop-up window. In this example, the alert box is coming up twice, once for the page loading and once for the image loading. And if you add more images into the above example, you will get the same amount of more alerts. Now presumably this is a bug because the onload handler should only be called once (when the page itself finishes loading) and not when each image on the page finishes loading. At least that's the way it is in 4.x. If you run the above example in 4.x, you will get the alert only one time.
Comment 13•24 years ago
|
||
In rereading my above comment, I see that one paragraph is not very clear. Namely: The following html demonstrates the problem. It was obtained by greatly simplifying the content on the site (place any gif file in the same directory as the html and call it bug.gif). What I was trying to do was give instructions for running the sample html that I included. Specifically, you need to first obtain a gif file (any old gif will do) and put it into the same directory as the sample html file, and call it bug.gif. Then load the html file into the browser and you will see the problem.
Comment 14•24 years ago
|
||
So who is responsible for the onload handler? Dan Veditz suggested I try joki.
Assignee: morse → joki
Status: ASSIGNED → NEW
Assignee | ||
Comment 15•24 years ago
|
||
This is me. I made image load send load events. Currently load events bubble, and you should check event.target to know it was image that loaded, not the document. The specs state that load event should not bubble, so I am changing our implementation. A slight problem is that currently just about every event bubbles in Mozilla.
Assignee: joki → heikki
Assignee | ||
Comment 16•24 years ago
|
||
*** Bug 52585 has been marked as a duplicate of this bug. ***
Comment 17•24 years ago
|
||
I find it amazing as to how similar the two test cases are (the one presented in this report and the one in bug 52585), considering that the two tests were written independently by different people.
Assignee | ||
Comment 18•24 years ago
|
||
Assignee | ||
Comment 19•24 years ago
|
||
joki, can you review? I run into some difficulties with precheckin tests that I believe are unrelated... (AIM & view source crash on Linux, no AIM at all on NT). I have a pretty old tree so I am updating. I added a new parameter to nsIPresShell::HandleEventWithTarget so that we can pass in flags. The can't bubble flag is set when we call this for the image load event. Note that the event still bubbles, we just don't call the event handlers for it. This weirdness is because at least at some point in time XUL needed all events to bubble. This seems to fix the site in the URL as well as testcase in the duplicate bug. In the patch I also fixed GetBubbles and GetCancelable methods of DOM event. And I fixed all the cases of wrong event objects/types that I came across (like someone using nsMouseEvent with NS_FORM_SELECTED or something). I did not do a search for this so there are bound to be more.
Assignee | ||
Comment 20•24 years ago
|
||
The correct event class and event message combos can be seen in nsDOMEvent::SetEventType. http://lxr.mozilla.org/seamonkey/source/layout/events/src/nsDOMEvent.cpp#910
Assignee | ||
Comment 21•24 years ago
|
||
Fixed.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Keywords: review
Resolution: --- → FIXED
Whiteboard: [nsbeta3+][fixinhand] → [nsbeta3+]
Comment 22•24 years ago
|
||
verified: Win NT 2000092110 Linux rh6 2000092008
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•