Closed Bug 535926 Opened 10 years ago Closed 10 years ago

"ASSERTION: This is unsafe" with <iframe>, XBL

Categories

(Core :: DOM: Core & HTML, defect)

x86
macOS
defect
Not set

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- beta1+
blocking1.9.2 --- .7+
status1.9.2 --- .7-fixed
blocking1.9.1 --- .11+
status1.9.1 --- .11-fixed

People

(Reporter: jruderman, Assigned: smaug)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [sg:critical?])

Attachments

(4 files, 2 obsolete files)

Attached file testcase
###!!! ASSERTION: This is unsafe!: 'Error', file /Users/jruderman/mozilla-central/content/events/src/nsEventDispatcher.cpp, line 485

This is the assertion just added in bug 531176.

I'm not sure why I need the setTimeout.
Attached file stack trace
So nsBrowserStatusFilter::OnStateChange calls some JS code which end up to
progressmeter.xml which dispatches ValueChange.

In this particular case I wonder why we even call OnStateChange.
I believe the document is already loaded but
#21 0x00007f82d1f3e2ec in nsDocument::BlockOnload (this=0x261b070) at /home/smaug/mozilla/mozilla_cvs/hg/src/content/base/src/nsDocument.cpp:7037
#22 0x00007f82d20e85c8 in nsBindingManager::AddToAttachedQueue (this=0x2158530, aBinding=0x226a5e0)
    at /home/smaug/mozilla/mozilla_cvs/hg/src/content/xbl/src/nsBindingManager.cpp:955
adds new request to load group which triggers the method call.

Investigating...
But still, I think we can't easily prevent progress listeners to dispatch
events.
Hmm.  We should avoid calling progress listeners for BlockOnload calls if we can do it...

Maybe we should stop faking the loadgroup thing and just directly have BlockOnload/UnblockOnload poke the docloader or something?
An example of this assertion can be seen on Windows 1.9.3 at least at http://www.slacker.com/
Whiteboard: [sg:critical?]
Not sure if this is sg:critical (at least when using the testcase).
That is happening in chrome, and during time we might get dom modifications anyway.
I wonder if, at least for now, the assertion should fire only if the
target of the event is in content.
Repeating this:
> Not sure if this is sg:critical (at least when using the testcase).
> That is happening in chrome, and during time we might get dom modifications
> anyway.

What in this bug makes this sg:critical ?
I only marked it as sg:critical because the assertion was added in an sg:critical bug.  If this bug isn't a security bug, let's unmark the whiteboard and make it public.
Well, I wouldn't remove the security flag from this bug, but
this just may not be sg:critical.
Assignee: nobody → jonas
blocking2.0: --- → beta1
Olli, if this only results in events being fired at chrome windows, then why not remove the security flag?
Olli, any more thoughts on whether this needs to be sg:critical, or if it's even a security bug any more?
comment 4 says what should be done here, I think.

I think this doesn't need to be sg:critical, since there is no clear evidence
that content can trigger anything bad - unless ff ui or some extension starts
to handle status updates in a different way.
But this is still a security bug.
Looks like we should probably remove the sg:crit rating here, but there's ongoing discussion of what the ration should be.  Thoughts?
If this is a critical vulnerability only exposed to extension code presently, we should lower the severity to sg:high.  If we think it's likely that FF UI code would add changes triggering this vuln, then sg:critical severity is appropriate.
Or we can just fix this and not care too much about sg:*. :)

Taking. I'll try to write the patch on Thursday.
Assignee: jonas → Olli.Pettay
Um, I can't reproduce this atm.
I've tried on Linux and OSX, with and without html5 parser.

The assertion in this case was changed to a warning, but I can't see that either.

I wonder if bug 557398 changed something here.
Testing...
Backing out bug 557398 doesn't seem to affect to this bug.
Ah, perhaps LazyFrameCtor changed timing here. Which means this would still
need to be fixed in 1.9.2.
Not LazyFrameCtor. Still trying to find a build where I get the error
I can reproduce this at least on 1.9.2, when I added the same assertion/warning
what trunk has.
But patch needs to wait at least til tomorrow.
Attached patch patch (obsolete) — Splinter Review
I posted this to tryserver
Comment on attachment 441281 [details] [diff] [review]
patch

Passed tests on tryserver.

Boris, what do you think about this approach?
A bit ugly, but since I think we want this to 1.9.2 too, I didn't
want to make huge changes. And I'm not even sure what would be
the best way to change nsDocLoader or something.
It would be quite hackish to add onloadblocker-type-of-requests
and handle them specially in docloader.
 
This relies on script blockers to be on stack and 
PostUnblockOnloadEvent to handle things truly async.
Attachment #441281 - Flags: review?(bzbarsky)
Status: NEW → ASSIGNED
Would it make sense to do:

  if (!nsContentUtils::IsSafeToRunScript()) {
    ++mAsyncOnloadBlockCount;
    if (mAsyncOnloadBlockCount == 1) {
      nsContentUtils::AddScriptRunner(
         NS_NEW_RUNNABLE_METHOD(nsDocument, this, AsyncBlockOnload));
    }
    return;
  }

and have AsyncBlockOnload call BlockOnload mAsyncOnLoadBlockCount times, so as not to thrash things with lots of scriptrunners?

Having an API on docloader (whose job it is to keep track of when onload should fire) to block onload would be a lot less hacky than having this fake request, btw.  But making it work right might be a pain...

Why is the new block in DoUnblockOnload needed?  How can we get there with mAsyncOnloadBlockCount != 0?
(In reply to comment #24)

> Would it make sense to do:
> ...
> and have AsyncBlockOnload call BlockOnload mAsyncOnLoadBlockCount times, so as
> not to thrash things with lots of scriptrunners?
That should work.


> Why is the new block in DoUnblockOnload needed?  How can we get there with
> mAsyncOnloadBlockCount != 0?
If some script runner (which is added before the AsyncBlockOnload script runner, so it runs before it) processes event loop.
Ah, ok.  Do you want to post a patch with my suggestion from the beginning of comment 24?
Yeah, I will, in a minute.
Attached patch v2 (obsolete) — Splinter Review
Like this?
Attachment #441281 - Attachment is obsolete: true
Attachment #441519 - Flags: review?(bzbarsky)
Attachment #441281 - Flags: review?(bzbarsky)
Comment on attachment 441519 [details] [diff] [review]
v2

Space after "while", please.
Attachment #441519 - Flags: review?(bzbarsky) → review+
Attached patch +spaceSplinter Review
uh, how did I miss the space :/

Anyway, this is a security bug, so sr is needed.
Attachment #441519 - Attachment is obsolete: true
Attachment #441526 - Flags: superreview?(jonas)
Attachment #441526 - Flags: superreview?(jonas) → superreview+
Comment on attachment 441526 [details] [diff] [review]
+space

Please add documentation on the member describing how it works. Took reading this a few times to figure it out.

And add a comment to ::BlockOnload describing *why* we're entering the if-statement.
Attached patch +some commentsSplinter Review
http://hg.mozilla.org/mozilla-central/rev/6f7405a55a48
http://hg.mozilla.org/mozilla-central/rev/e5a075d4e5ba
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Just wanting to get this on the wanted/blocking list for future 1.9.2 release, as per earlier comments stating that this also affects 1.9.2.
blocking1.9.2: --- → ?
status1.9.2: --- → ?
Does this affect 1.9.1 as well?
blocking1.9.2: ? → .5+
blocking1.9.2: .5+ → .6+
Bug 569674 is another regression from this, we need to figure that out before landing this on branches. Sorry I didn't mark it sooner.
Blocks: 569674
No longer blocks: 569674
URL: 569674
Disregard comment 36, I was thinking this was a different bug.
URL: 569674
Attachment #441743 - Flags: approval1.9.2.6?
Attachment #441743 - Flags: approval1.9.1.11?
Comment on attachment 441743 [details] [diff] [review]
+some comments

a=LegNeato for 1.9.2.6 and 1.9.1.11. Please land this on mozilla-1.9.2 default and mozilla-1.9.1 default.

Code freeze is this Friday @ 11:59 pm PST.
Attachment #441743 - Flags: approval1.9.2.6?
Attachment #441743 - Flags: approval1.9.2.6+
Attachment #441743 - Flags: approval1.9.1.11?
Attachment #441743 - Flags: approval1.9.1.11+
blocking1.9.1: --- → .11+
Verified for 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7pre) Gecko/20100630 Namoroka/3.6.7pre ( .NET CLR 3.5.30729) using the attached testcase.
Keywords: verified1.9.2
Comment on attachment 441743 [details] [diff] [review]
+some comments

Requesting approval1.9.0.next on this patch so that we can take it in upcoming Camino 2.0.x security and stability updates.  If approved, I'll handle the checkins, unless the patch author requests otherwise.
Attachment #441743 - Flags: approval1.9.0.next?
Comment on attachment 441743 [details] [diff] [review]
+some comments

Approved for 1.9.0.20, a=dveditz
Attachment #441743 - Flags: approval1.9.0.next? → approval1.9.0.next+
Checking in content/base/src/nsDocument.cpp;
/cvsroot/mozilla/content/base/src/nsDocument.cpp,v  <--  nsDocument.cpp
new revision: 3.837; previous revision: 3.836
done
Checking in content/base/src/nsDocument.h;
/cvsroot/mozilla/content/base/src/nsDocument.h,v  <--  nsDocument.h
new revision: 3.381; previous revision: 3.380
done
Keywords: fixed1.9.0.20
Group: core-security
Crashtest: http://hg.mozilla.org/mozilla-central/rev/524a5670133b
Flags: in-testsuite+
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.