Closed Bug 531176 Opened 10 years ago Closed 10 years ago

Add assertion that it's safe to run scripts before dispatching any events (and fix the cases when events are dispatched at unsafe time)

Categories

(Core :: DOM: Events, defect, minor)

defect
Not set
minor

Tracking

()

RESOLVED FIXED
Tracking Status
blocking1.9.2 --- .4+
status1.9.2 --- .4-fixed
blocking1.9.1 --- .10+
status1.9.1 --- .10-fixed

People

(Reporter: justin.lebar+bug, Assigned: smaug)

References

Details

(Keywords: fixed1.9.0.20, verified1.9.1, verified1.9.2, Whiteboard: [sg:critical?])

Attachments

(3 files, 4 obsolete files)

It doesn't appear that we check nsContentUtils::IsSafeToRunScripts() before running the event dispatch code.  We probably should add an assertion to this effect to help catch unsafe event dispatches.
Assignee: nobody → Olli.Pettay
Group: core-security
Attached patch patch (obsolete) — Splinter Review
Posted this to tryserver.
Passes at least mochitest locally.
Attachment #414740 - Flags: review?(jonas)
The problematic cases I found weren't common while running mochitest.
Comment on attachment 414740 [details] [diff] [review]
patch

> #ifdef DEBUG
>+    nsresult rv = NS_ERROR_FAILURE;
>+    if (target->GetContextForEventHandlers(&rv) ||
>+        NS_FAILED(rv)) {
>+      NS_ERROR("This is unsafe!");
>+    }

It is ok to dispatch events to non-scriptable, data-only documents, which
don't have context for script event handlers. This is basically XBL documents, where
load event is used to detect that they are loaded.
Attached patch patch (obsolete) — Splinter Review
This should compile even on scratchbox
Attachment #414740 - Attachment is obsolete: true
Attachment #414746 - Flags: review?(jonas)
Attachment #414740 - Flags: review?(jonas)
Attached patch +script errorSplinter Review
I found yet another event; error event from scripts.
This contains some tests for error event.
Attachment #414746 - Attachment is obsolete: true
Attachment #414850 - Flags: superreview?(jst)
Attachment #414850 - Flags: review?(jonas)
Attachment #414746 - Flags: review?(jonas)
Does the bug summary need to be updated? Seems like you've gone beyond adding a helpful assert to fixing security vulns uncovered by the assert.
Whiteboard: [sg:critical?]
Summary: Add assertion that it's safe to run scripts before dispatching any events → Add assertion that it's safe to run scripts before dispatching any events (and fix the cases when events are dispatched at unsafe time)
> +      NS_ERROR("This is unsafe!");

Please use a more descriptive assertion message, such as "dispatching an event when it is not safe to run script".
Please consider using separate, public bugs for the changes other than adding the assertion.  If they cause regressions, having a public bug will make tracking easier, draw less attention to the security aspect, and make life less painful if we have to back something out.
Comment on attachment 414850 [details] [diff] [review]
+script error

So this wouldn't fire assertions if the event is dispatched against chrome documents?

I wonder if we ideally would like to assert event then, just to avoid having to teach developers which events are unsafe to do what from.

Do you know which events fire at chrome while there are script blockers?

r=me to land this for now anyhow.
Attachment #414850 - Flags: review?(jonas) → review+
(In reply to comment #9)
> (From update of attachment 414850 [details] [diff] [review])
> So this wouldn't fire assertions if the event is dispatched against chrome
> documents?

Yes it does fire the assertion. It doesn't fire assertion with
non-scriptable documents. Basically data documents which don't have
script handling object.
Blocks: 515190
No longer blocks: 515190
Um...did adding a blocking item just un-secure this bug?  I really didn't mean to do that.
(In reply to comment #10)
> (In reply to comment #9)
> > (From update of attachment 414850 [details] [diff] [review] [details])
> > So this wouldn't fire assertions if the event is dispatched against chrome
> > documents?
> 
> Yes it does fire the assertion. It doesn't fire assertion with
> non-scriptable documents. Basically data documents which don't have
> script handling object.

Why do you need that distinction? Is this related to loading of XBL-documents by any chance?
(In reply to comment #12)
> Why do you need that distinction? Is this related to loading of XBL-documents
> by any chance?
Yes. We load XBL documents which don't have script handling object but still
use (C++) event listener to get the load event.
(In reply to comment #11)
> Um...did adding a blocking item just un-secure this bug?  I really didn't mean
> to do that.

Anyone that doesn't have access to this bug won't be able to see any sensitive information about the bug. Just the bug number and if it's resolved or not IIRC.
Blocks: 515190
That's what I recall from adding this assertion synchronously...

It's annoying to add an exception just for this one case. Though I guess its ok since we won't ever run any scripted event handlers, is that correct? Also, ideally the sync loading of XBL should go away eventually.
Another thing that would be good to do is to add assertions is to the mutation events code. Currently we'll only trigger the assertion added in your patch if there actually are mutation event listeners since we won't attempt to fire the event otherwise.

I think this can be accomplished by adding an assertion to nsContentUtils::HasMutationListeners that checks if all current blockers are removable.

IIRC I found one case in the cssframeconstructor that triggered such an assertion, which was easily fixable by setting aNotify to false or some such.

Do you want a separate bug for this?
I'll do that in a separate bug.
jst, want to sr? This is a security sensitive bug, so needs r and sr.
Comment on attachment 414850 [details] [diff] [review]
+script error

Looks good. sr=jst
Attachment #414850 - Flags: superreview?(jst) → superreview+
http://hg.mozilla.org/mozilla-central/rev/e58c2ef1d65b
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Depends on: 535926
Depends on: 535887
Have you considered taking this on branches?  It appears to fix bug 496366.
Yeah, we should probably take this to branches. Not sure about the assertion, 
but the other parts of the patch. I'll update the patch for branches.
(3.5 will need significant changes)
Attached patch for 1.9.2 (obsolete) — Splinter Review
I'll upload this to tryserver
Attached patch for 1.9.2 without the assertion (obsolete) — Splinter Review
I think we may not want to add the assertion to branches.
Attachment #432835 - Attachment is obsolete: true
Attachment #432907 - Flags: approval1.9.2.3?
a merge problem fixed; ValueChange should bubble.
Attachment #432907 - Attachment is obsolete: true
Attachment #432914 - Flags: approval1.9.2.3?
Attachment #432907 - Flags: approval1.9.2.3?
I'm posting this to tryserver.

Since 1.9.1 doesn't have the focusmanager, the FocusBlurEvent part doesn't really
apply to that branch.

Otherwise only minor changes to trunk patch.

Fixes Bug 496366.
Attachment #432918 - Flags: review?(jst)
Attachment #432918 - Flags: review?(jst) → review+
Attachment #432918 - Flags: approval1.9.1.10?
blocking1.9.1: --- → .10+
blocking1.9.2: --- → .3+
Comment on attachment 432914 [details] [diff] [review]
for 1.9.2 without the assertion

Are bug 535887 and bug 535926 from the "depends on" field regressions that need to be fixed before taking this on branches?
Whiteboard: [sg:critical?] → [sg:critical?][needs answer to comment 27 from Olli]
Those aren't regressions. They are cases where the assertion fires, but the
assertion itself doesn't change behavior.

The patch did change other behavior, but I haven't heard of regressions
related to those changes.
Duplicate of this bug: 496366
Comment on attachment 432914 [details] [diff] [review]
for 1.9.2 without the assertion

a=beltzner for 1.9.2.3 and 1.9.1.10
Attachment #432914 - Flags: approval1.9.2.3? → approval1.9.2.3+
Attachment #432918 - Flags: approval1.9.1.10? → approval1.9.1.10+
Depends on: 553808
Depends on: 557398
Is there a way to easily test this fix?

It looks like bug 496366 can be used, per comment 21. Are we sure it is this checkin that fixed that bug?
(In reply to comment #32)
> Is there a way to easily test this fix?
> 
> It looks like bug 496366 can be used, per comment 21.
Yeah, there is a testcase in that bug.

> Are we sure it is this
> checkin that fixed that bug?
Yes.
Verified for 1.9.2 via the testcase in bug 496366 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4pre) Gecko/20100408 Lorentz/3.6.4pre (.NET CLR 3.5.30729). 

Verified for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.10pre) Gecko/20100407 Shiretoko/3.5.10pre (.NET CLR 3.5.30729).
Group: core-security
Comment on attachment 432918 [details] [diff] [review]
for 1.9.1 without the assertion and  without the FocusBlurEvent

Requesting approval1.9.0.next on this patch so that we can take it in upcoming Camino 2.0.x security and stability updates.  If approved, I'll handle the checkins, unless the patch author requests otherwise.
Attachment #432918 - Flags: approval1.9.0.next?
Comment on attachment 432918 [details] [diff] [review]
for 1.9.1 without the assertion and  without the FocusBlurEvent

Approved for 1.9.0.20, a=dveditz
Attachment #432918 - Flags: approval1.9.0.next? → approval1.9.0.next+
Checking in dom/src/base/nsGlobalWindow.cpp;
/cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v  <--  nsGlobalWindow.cpp
new revision: 1.1027; previous revision: 1.1026
done
Checking in dom/src/base/nsJSEnvironment.cpp;
/cvsroot/mozilla/dom/src/base/nsJSEnvironment.cpp,v  <--  nsJSEnvironment.cpp
new revision: 1.401; previous revision: 1.400
done
Checking in dom/tests/mochitest/bugs/Makefile.in;
/cvsroot/mozilla/dom/tests/mochitest/bugs/Makefile.in,v  <--  Makefile.in
new revision: 1.32; previous revision: 1.31
done
RCS file: /cvsroot/mozilla/dom/tests/mochitest/bugs/test_bug531176.html,v
done
Checking in dom/tests/mochitest/bugs/test_bug531176.html;
/cvsroot/mozilla/dom/tests/mochitest/bugs/test_bug531176.html,v  <--  test_bug531176.html
initial revision: 1.1
done
Checking in layout/forms/nsComboboxControlFrame.cpp;
/cvsroot/mozilla/layout/forms/nsComboboxControlFrame.cpp,v  <--  nsComboboxControlFrame.cpp
new revision: 1.432; previous revision: 1.431
done
Keywords: fixed1.9.0.20
You need to log in before you can comment on or make changes to this bug.