The default bug view has changed. See this FAQ.

Add assertion that it's safe to run scripts before dispatching any events (and fix the cases when events are dispatched at unsafe time)

RESOLVED FIXED

Status

()

Core
DOM: Events
--
minor
RESOLVED FIXED
7 years ago
7 years ago

People

(Reporter: Justin Lebar (not reading bugmail), Assigned: smaug)

Tracking

({fixed1.9.0.20, verified1.9.1, verified1.9.2})

Trunk
fixed1.9.0.20, verified1.9.1, verified1.9.2
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(blocking1.9.2 .4+, status1.9.2 .4-fixed, blocking1.9.1 .10+, status1.9.1 .10-fixed)

Details

(Whiteboard: [sg:critical?])

Attachments

(3 attachments, 4 obsolete attachments)

(Reporter)

Description

7 years ago
It doesn't appear that we check nsContentUtils::IsSafeToRunScripts() before running the event dispatch code.  We probably should add an assertion to this effect to help catch unsafe event dispatches.
(Assignee)

Updated

7 years ago
Assignee: nobody → Olli.Pettay
(Assignee)

Updated

7 years ago
Group: core-security
(Assignee)

Comment 1

7 years ago
Created attachment 414740 [details] [diff] [review]
patch

Posted this to tryserver.
Passes at least mochitest locally.
Attachment #414740 - Flags: review?(jonas)
(Assignee)

Comment 2

7 years ago
The problematic cases I found weren't common while running mochitest.
(Assignee)

Comment 3

7 years ago
Comment on attachment 414740 [details] [diff] [review]
patch

> #ifdef DEBUG
>+    nsresult rv = NS_ERROR_FAILURE;
>+    if (target->GetContextForEventHandlers(&rv) ||
>+        NS_FAILED(rv)) {
>+      NS_ERROR("This is unsafe!");
>+    }

It is ok to dispatch events to non-scriptable, data-only documents, which
don't have context for script event handlers. This is basically XBL documents, where
load event is used to detect that they are loaded.
(Assignee)

Comment 4

7 years ago
Created attachment 414746 [details] [diff] [review]
patch

This should compile even on scratchbox
Attachment #414740 - Attachment is obsolete: true
Attachment #414746 - Flags: review?(jonas)
Attachment #414740 - Flags: review?(jonas)
(Assignee)

Comment 5

7 years ago
Created attachment 414850 [details] [diff] [review]
+script error

I found yet another event; error event from scripts.
This contains some tests for error event.
Attachment #414746 - Attachment is obsolete: true
Attachment #414850 - Flags: superreview?(jst)
Attachment #414850 - Flags: review?(jonas)
Attachment #414746 - Flags: review?(jonas)
Does the bug summary need to be updated? Seems like you've gone beyond adding a helpful assert to fixing security vulns uncovered by the assert.
Whiteboard: [sg:critical?]
(Assignee)

Updated

7 years ago
Summary: Add assertion that it's safe to run scripts before dispatching any events → Add assertion that it's safe to run scripts before dispatching any events (and fix the cases when events are dispatched at unsafe time)

Comment 7

7 years ago
> +      NS_ERROR("This is unsafe!");

Please use a more descriptive assertion message, such as "dispatching an event when it is not safe to run script".

Comment 8

7 years ago
Please consider using separate, public bugs for the changes other than adding the assertion.  If they cause regressions, having a public bug will make tracking easier, draw less attention to the security aspect, and make life less painful if we have to back something out.
Comment on attachment 414850 [details] [diff] [review]
+script error

So this wouldn't fire assertions if the event is dispatched against chrome documents?

I wonder if we ideally would like to assert event then, just to avoid having to teach developers which events are unsafe to do what from.

Do you know which events fire at chrome while there are script blockers?

r=me to land this for now anyhow.
Attachment #414850 - Flags: review?(jonas) → review+
(Assignee)

Comment 10

7 years ago
(In reply to comment #9)
> (From update of attachment 414850 [details] [diff] [review])
> So this wouldn't fire assertions if the event is dispatched against chrome
> documents?

Yes it does fire the assertion. It doesn't fire assertion with
non-scriptable documents. Basically data documents which don't have
script handling object.
(Reporter)

Updated

7 years ago
Blocks: 515190
(Reporter)

Updated

7 years ago
No longer blocks: 515190
(Reporter)

Comment 11

7 years ago
Um...did adding a blocking item just un-secure this bug?  I really didn't mean to do that.
(In reply to comment #10)
> (In reply to comment #9)
> > (From update of attachment 414850 [details] [diff] [review] [details])
> > So this wouldn't fire assertions if the event is dispatched against chrome
> > documents?
> 
> Yes it does fire the assertion. It doesn't fire assertion with
> non-scriptable documents. Basically data documents which don't have
> script handling object.

Why do you need that distinction? Is this related to loading of XBL-documents by any chance?
(Assignee)

Comment 13

7 years ago
(In reply to comment #12)
> Why do you need that distinction? Is this related to loading of XBL-documents
> by any chance?
Yes. We load XBL documents which don't have script handling object but still
use (C++) event listener to get the load event.
(In reply to comment #11)
> Um...did adding a blocking item just un-secure this bug?  I really didn't mean
> to do that.

Anyone that doesn't have access to this bug won't be able to see any sensitive information about the bug. Just the bug number and if it's resolved or not IIRC.
Blocks: 515190
That's what I recall from adding this assertion synchronously...

It's annoying to add an exception just for this one case. Though I guess its ok since we won't ever run any scripted event handlers, is that correct? Also, ideally the sync loading of XBL should go away eventually.
Another thing that would be good to do is to add assertions is to the mutation events code. Currently we'll only trigger the assertion added in your patch if there actually are mutation event listeners since we won't attempt to fire the event otherwise.

I think this can be accomplished by adding an assertion to nsContentUtils::HasMutationListeners that checks if all current blockers are removable.

IIRC I found one case in the cssframeconstructor that triggered such an assertion, which was easily fixable by setting aNotify to false or some such.

Do you want a separate bug for this?
(Assignee)

Comment 17

7 years ago
I'll do that in a separate bug.
(Assignee)

Comment 18

7 years ago
jst, want to sr? This is a security sensitive bug, so needs r and sr.
Comment on attachment 414850 [details] [diff] [review]
+script error

Looks good. sr=jst
Attachment #414850 - Flags: superreview?(jst) → superreview+
(Assignee)

Comment 20

7 years ago
http://hg.mozilla.org/mozilla-central/rev/e58c2ef1d65b
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Updated

7 years ago
Depends on: 535926

Updated

7 years ago
Depends on: 535887
Have you considered taking this on branches?  It appears to fix bug 496366.
(Assignee)

Comment 22

7 years ago
Yeah, we should probably take this to branches. Not sure about the assertion, 
but the other parts of the patch. I'll update the patch for branches.
(3.5 will need significant changes)
Blocks: 496366
(Assignee)

Comment 23

7 years ago
Created attachment 432835 [details] [diff] [review]
for 1.9.2

I'll upload this to tryserver
(Assignee)

Comment 24

7 years ago
Created attachment 432907 [details] [diff] [review]
for 1.9.2 without the assertion

I think we may not want to add the assertion to branches.
Attachment #432835 - Attachment is obsolete: true
Attachment #432907 - Flags: approval1.9.2.3?
(Assignee)

Comment 25

7 years ago
Created attachment 432914 [details] [diff] [review]
for 1.9.2 without the assertion

a merge problem fixed; ValueChange should bubble.
Attachment #432907 - Attachment is obsolete: true
Attachment #432914 - Flags: approval1.9.2.3?
Attachment #432907 - Flags: approval1.9.2.3?
(Assignee)

Comment 26

7 years ago
Created attachment 432918 [details] [diff] [review]
for 1.9.1 without the assertion and  without the FocusBlurEvent

I'm posting this to tryserver.

Since 1.9.1 doesn't have the focusmanager, the FocusBlurEvent part doesn't really
apply to that branch.

Otherwise only minor changes to trunk patch.

Fixes Bug 496366.
Attachment #432918 - Flags: review?(jst)

Updated

7 years ago
Attachment #432918 - Flags: review?(jst) → review+
(Assignee)

Updated

7 years ago
Attachment #432918 - Flags: approval1.9.1.10?
blocking1.9.1: --- → .10+
blocking1.9.2: --- → .3+
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Comment on attachment 432914 [details] [diff] [review]
for 1.9.2 without the assertion

Are bug 535887 and bug 535926 from the "depends on" field regressions that need to be fixed before taking this on branches?
Whiteboard: [sg:critical?] → [sg:critical?][needs answer to comment 27 from Olli]
(Assignee)

Comment 28

7 years ago
Those aren't regressions. They are cases where the assertion fires, but the
assertion itself doesn't change behavior.

The patch did change other behavior, but I haven't heard of regressions
related to those changes.
(Assignee)

Updated

7 years ago
Duplicate of this bug: 496366
Comment on attachment 432914 [details] [diff] [review]
for 1.9.2 without the assertion

a=beltzner for 1.9.2.3 and 1.9.1.10
Attachment #432914 - Flags: approval1.9.2.3? → approval1.9.2.3+
Attachment #432918 - Flags: approval1.9.1.10? → approval1.9.1.10+

Updated

7 years ago
Depends on: 553808

Updated

7 years ago
Depends on: 557398
(Assignee)

Comment 31

7 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/a4975fb9c048

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/8cbc449170d5
status1.9.1: wanted → .10-fixed
status1.9.2: wanted → .4-fixed
Whiteboard: [sg:critical?][needs answer to comment 27 from Olli] → [sg:critical?]
Is there a way to easily test this fix?

It looks like bug 496366 can be used, per comment 21. Are we sure it is this checkin that fixed that bug?
(Assignee)

Comment 33

7 years ago
(In reply to comment #32)
> Is there a way to easily test this fix?
> 
> It looks like bug 496366 can be used, per comment 21.
Yeah, there is a testcase in that bug.

> Are we sure it is this
> checkin that fixed that bug?
Yes.
Verified for 1.9.2 via the testcase in bug 496366 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4pre) Gecko/20100408 Lorentz/3.6.4pre (.NET CLR 3.5.30729). 

Verified for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.10pre) Gecko/20100407 Shiretoko/3.5.10pre (.NET CLR 3.5.30729).
Keywords: verified1.9.1, verified1.9.2
Group: core-security
Comment on attachment 432918 [details] [diff] [review]
for 1.9.1 without the assertion and  without the FocusBlurEvent

Requesting approval1.9.0.next on this patch so that we can take it in upcoming Camino 2.0.x security and stability updates.  If approved, I'll handle the checkins, unless the patch author requests otherwise.
Attachment #432918 - Flags: approval1.9.0.next?
Comment on attachment 432918 [details] [diff] [review]
for 1.9.1 without the assertion and  without the FocusBlurEvent

Approved for 1.9.0.20, a=dveditz
Attachment #432918 - Flags: approval1.9.0.next? → approval1.9.0.next+
Checking in dom/src/base/nsGlobalWindow.cpp;
/cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v  <--  nsGlobalWindow.cpp
new revision: 1.1027; previous revision: 1.1026
done
Checking in dom/src/base/nsJSEnvironment.cpp;
/cvsroot/mozilla/dom/src/base/nsJSEnvironment.cpp,v  <--  nsJSEnvironment.cpp
new revision: 1.401; previous revision: 1.400
done
Checking in dom/tests/mochitest/bugs/Makefile.in;
/cvsroot/mozilla/dom/tests/mochitest/bugs/Makefile.in,v  <--  Makefile.in
new revision: 1.32; previous revision: 1.31
done
RCS file: /cvsroot/mozilla/dom/tests/mochitest/bugs/test_bug531176.html,v
done
Checking in dom/tests/mochitest/bugs/test_bug531176.html;
/cvsroot/mozilla/dom/tests/mochitest/bugs/test_bug531176.html,v  <--  test_bug531176.html
initial revision: 1.1
done
Checking in layout/forms/nsComboboxControlFrame.cpp;
/cvsroot/mozilla/layout/forms/nsComboboxControlFrame.cpp,v  <--  nsComboboxControlFrame.cpp
new revision: 1.432; previous revision: 1.431
done
Keywords: fixed1.9.0.20
You need to log in before you can comment on or make changes to this bug.