"ASSERTION: This is unsafe" with <iframe>, XBL

RESOLVED FIXED

Status

()

Core
DOM
RESOLVED FIXED
8 years ago
7 years ago

People

(Reporter: Jesse Ruderman, Assigned: smaug)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86
Mac OS X
assertion, fixed1.9.0.20, testcase, verified1.9.2
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(blocking2.0 beta1+, blocking1.9.2 .7+, status1.9.2 .7-fixed, blocking1.9.1 .11+, status1.9.1 .11-fixed)

Details

(Whiteboard: [sg:critical?])

Attachments

(4 attachments, 2 obsolete attachments)

(Reporter)

Description

8 years ago
Created attachment 418470 [details]
testcase

###!!! ASSERTION: This is unsafe!: 'Error', file /Users/jruderman/mozilla-central/content/events/src/nsEventDispatcher.cpp, line 485

This is the assertion just added in bug 531176.

I'm not sure why I need the setTimeout.
(Reporter)

Comment 1

8 years ago
Created attachment 418471 [details]
stack trace
(Assignee)

Comment 2

8 years ago
So nsBrowserStatusFilter::OnStateChange calls some JS code which end up to
progressmeter.xml which dispatches ValueChange.

In this particular case I wonder why we even call OnStateChange.
I believe the document is already loaded but
#21 0x00007f82d1f3e2ec in nsDocument::BlockOnload (this=0x261b070) at /home/smaug/mozilla/mozilla_cvs/hg/src/content/base/src/nsDocument.cpp:7037
#22 0x00007f82d20e85c8 in nsBindingManager::AddToAttachedQueue (this=0x2158530, aBinding=0x226a5e0)
    at /home/smaug/mozilla/mozilla_cvs/hg/src/content/xbl/src/nsBindingManager.cpp:955
adds new request to load group which triggers the method call.

Investigating...
(Assignee)

Comment 3

8 years ago
But still, I think we can't easily prevent progress listeners to dispatch
events.
Hmm.  We should avoid calling progress listeners for BlockOnload calls if we can do it...

Maybe we should stop faking the loadgroup thing and just directly have BlockOnload/UnblockOnload poke the docloader or something?

Comment 5

8 years ago
An example of this assertion can be seen on Windows 1.9.3 at least at http://www.slacker.com/
(Reporter)

Updated

8 years ago
Whiteboard: [sg:critical?]
(Assignee)

Comment 6

8 years ago
Not sure if this is sg:critical (at least when using the testcase).
That is happening in chrome, and during time we might get dom modifications anyway.
(Assignee)

Comment 7

8 years ago
I wonder if, at least for now, the assertion should fire only if the
target of the event is in content.
(Assignee)

Comment 8

8 years ago
Repeating this:
> Not sure if this is sg:critical (at least when using the testcase).
> That is happening in chrome, and during time we might get dom modifications
> anyway.

What in this bug makes this sg:critical ?
(Reporter)

Comment 9

8 years ago
I only marked it as sg:critical because the assertion was added in an sg:critical bug.  If this bug isn't a security bug, let's unmark the whiteboard and make it public.
(Assignee)

Comment 10

8 years ago
Well, I wouldn't remove the security flag from this bug, but
this just may not be sg:critical.

Updated

8 years ago
Assignee: nobody → jonas
blocking2.0: --- → beta1
Olli, if this only results in events being fired at chrome windows, then why not remove the security flag?
Olli, any more thoughts on whether this needs to be sg:critical, or if it's even a security bug any more?
(Assignee)

Comment 13

7 years ago
comment 4 says what should be done here, I think.

I think this doesn't need to be sg:critical, since there is no clear evidence
that content can trigger anything bad - unless ff ui or some extension starts
to handle status updates in a different way.
But this is still a security bug.
Looks like we should probably remove the sg:crit rating here, but there's ongoing discussion of what the ration should be.  Thoughts?
If this is a critical vulnerability only exposed to extension code presently, we should lower the severity to sg:high.  If we think it's likely that FF UI code would add changes triggering this vuln, then sg:critical severity is appropriate.
(Assignee)

Comment 16

7 years ago
Or we can just fix this and not care too much about sg:*. :)

Taking. I'll try to write the patch on Thursday.
Assignee: jonas → Olli.Pettay
(Assignee)

Comment 17

7 years ago
Um, I can't reproduce this atm.
I've tried on Linux and OSX, with and without html5 parser.

The assertion in this case was changed to a warning, but I can't see that either.

I wonder if bug 557398 changed something here.
Testing...
(Assignee)

Comment 18

7 years ago
Backing out bug 557398 doesn't seem to affect to this bug.
(Assignee)

Comment 19

7 years ago
Ah, perhaps LazyFrameCtor changed timing here. Which means this would still
need to be fixed in 1.9.2.
(Assignee)

Comment 20

7 years ago
Not LazyFrameCtor. Still trying to find a build where I get the error
(Assignee)

Comment 21

7 years ago
I can reproduce this at least on 1.9.2, when I added the same assertion/warning
what trunk has.
But patch needs to wait at least til tomorrow.
(Assignee)

Comment 22

7 years ago
Created attachment 441281 [details] [diff] [review]
patch

I posted this to tryserver
(Assignee)

Comment 23

7 years ago
Comment on attachment 441281 [details] [diff] [review]
patch

Passed tests on tryserver.

Boris, what do you think about this approach?
A bit ugly, but since I think we want this to 1.9.2 too, I didn't
want to make huge changes. And I'm not even sure what would be
the best way to change nsDocLoader or something.
It would be quite hackish to add onloadblocker-type-of-requests
and handle them specially in docloader.
 
This relies on script blockers to be on stack and 
PostUnblockOnloadEvent to handle things truly async.
Attachment #441281 - Flags: review?(bzbarsky)
(Assignee)

Updated

7 years ago
Status: NEW → ASSIGNED
Would it make sense to do:

  if (!nsContentUtils::IsSafeToRunScript()) {
    ++mAsyncOnloadBlockCount;
    if (mAsyncOnloadBlockCount == 1) {
      nsContentUtils::AddScriptRunner(
         NS_NEW_RUNNABLE_METHOD(nsDocument, this, AsyncBlockOnload));
    }
    return;
  }

and have AsyncBlockOnload call BlockOnload mAsyncOnLoadBlockCount times, so as not to thrash things with lots of scriptrunners?

Having an API on docloader (whose job it is to keep track of when onload should fire) to block onload would be a lot less hacky than having this fake request, btw.  But making it work right might be a pain...

Why is the new block in DoUnblockOnload needed?  How can we get there with mAsyncOnloadBlockCount != 0?
(Assignee)

Comment 25

7 years ago
(In reply to comment #24)

> Would it make sense to do:
> ...
> and have AsyncBlockOnload call BlockOnload mAsyncOnLoadBlockCount times, so as
> not to thrash things with lots of scriptrunners?
That should work.


> Why is the new block in DoUnblockOnload needed?  How can we get there with
> mAsyncOnloadBlockCount != 0?
If some script runner (which is added before the AsyncBlockOnload script runner, so it runs before it) processes event loop.
Ah, ok.  Do you want to post a patch with my suggestion from the beginning of comment 24?
(Assignee)

Comment 27

7 years ago
Yeah, I will, in a minute.
(Assignee)

Comment 28

7 years ago
Created attachment 441519 [details] [diff] [review]
v2

Like this?
Attachment #441281 - Attachment is obsolete: true
Attachment #441519 - Flags: review?(bzbarsky)
Attachment #441281 - Flags: review?(bzbarsky)
Comment on attachment 441519 [details] [diff] [review]
v2

Space after "while", please.
Attachment #441519 - Flags: review?(bzbarsky) → review+
(Assignee)

Comment 30

7 years ago
Created attachment 441526 [details] [diff] [review]
+space

uh, how did I miss the space :/

Anyway, this is a security bug, so sr is needed.
Attachment #441519 - Attachment is obsolete: true
Attachment #441526 - Flags: superreview?(jonas)
Attachment #441526 - Flags: superreview?(jonas) → superreview+
Comment on attachment 441526 [details] [diff] [review]
+space

Please add documentation on the member describing how it works. Took reading this a few times to figure it out.

And add a comment to ::BlockOnload describing *why* we're entering the if-statement.
(Assignee)

Comment 32

7 years ago
Created attachment 441743 [details] [diff] [review]
+some comments
(Assignee)

Comment 33

7 years ago
http://hg.mozilla.org/mozilla-central/rev/6f7405a55a48
http://hg.mozilla.org/mozilla-central/rev/e5a075d4e5ba
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Just wanting to get this on the wanted/blocking list for future 1.9.2 release, as per earlier comments stating that this also affects 1.9.2.
blocking1.9.2: --- → ?
status1.9.2: --- → ?

Comment 35

7 years ago
Does this affect 1.9.1 as well?

Updated

7 years ago
blocking1.9.2: ? → .5+
status1.9.2: ? → wanted
blocking1.9.2: .5+ → .6+
Bug 569674 is another regression from this, we need to figure that out before landing this on branches. Sorry I didn't mark it sooner.
Blocks: 569674
No longer blocks: 569674
URL: 569674
Disregard comment 36, I was thinking this was a different bug.
URL: 569674
(Assignee)

Updated

7 years ago
Attachment #441743 - Flags: approval1.9.2.6?
Attachment #441743 - Flags: approval1.9.1.11?

Comment 38

7 years ago
Comment on attachment 441743 [details] [diff] [review]
+some comments

a=LegNeato for 1.9.2.6 and 1.9.1.11. Please land this on mozilla-1.9.2 default and mozilla-1.9.1 default.

Code freeze is this Friday @ 11:59 pm PST.
Attachment #441743 - Flags: approval1.9.2.6?
Attachment #441743 - Flags: approval1.9.2.6+
Attachment #441743 - Flags: approval1.9.1.11?
Attachment #441743 - Flags: approval1.9.1.11+
blocking1.9.1: --- → .11+
status1.9.1: --- → wanted
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/336a77f067c8
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/866db4f8b8f3
status1.9.1: wanted → .11-fixed
status1.9.2: wanted → .6-fixed
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/2c5245d56edb
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/e2498d527265
Verified for 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7pre) Gecko/20100630 Namoroka/3.6.7pre ( .NET CLR 3.5.30729) using the attached testcase.
Keywords: verified1.9.2
Comment on attachment 441743 [details] [diff] [review]
+some comments

Requesting approval1.9.0.next on this patch so that we can take it in upcoming Camino 2.0.x security and stability updates.  If approved, I'll handle the checkins, unless the patch author requests otherwise.
Attachment #441743 - Flags: approval1.9.0.next?
Comment on attachment 441743 [details] [diff] [review]
+some comments

Approved for 1.9.0.20, a=dveditz
Attachment #441743 - Flags: approval1.9.0.next? → approval1.9.0.next+
Checking in content/base/src/nsDocument.cpp;
/cvsroot/mozilla/content/base/src/nsDocument.cpp,v  <--  nsDocument.cpp
new revision: 3.837; previous revision: 3.836
done
Checking in content/base/src/nsDocument.h;
/cvsroot/mozilla/content/base/src/nsDocument.h,v  <--  nsDocument.h
new revision: 3.381; previous revision: 3.380
done
Keywords: fixed1.9.0.20
Group: core-security
(Reporter)

Comment 45

7 years ago
Crashtest: http://hg.mozilla.org/mozilla-central/rev/524a5670133b
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.