Triggering from trigger page fails



19 years ago
4 years ago


(Reporter: jimmykenlee, Assigned: security-bugs)


Firefox Tracking Flags

(Not tracked)


(Whiteboard: [rtm++])


(2 attachments)

Build: 2000-10-16-09-MN6(WIN), 2000-10-16-08-MN6(MAC), 2000-10-16-09-MN6(MAC)

1. From http://jimbob/trigger3.html, attempt to trigger any xpi package

Nothing happens.  We are able to trigger xpis via mimetype support.

Confirm dialog appears indicating which xpi package will be downloaded and 

This broke during the weekend.  10/13/00 was working.
Nominating for rtm.

This needs to be fixed.  All websites will not be able to install any packages.  
Netscape 6 will not be able to upgraded.
Keywords: rtm
Ccing Sean, Samir, and Don. :-(
Investigating on Windows.
Looks like the problem might be in nsScriptSecurityManager.cpp's CheckLoadURI(). 
According to mstolz it's failing because we're using a chrom url for our style 
sheet which should be ok.  Adding him to the CC list and pasting the stack trace 
up to that point.
A little more information.  The problem shows up when we try to create our
confirm dialog.  The .xul file is in xpinstall/res/content/institems.xul.
Reassigning to mstoltz. Per discussion with him.  (Thanks for looking at this so
quickly Mitch!)
Assignee: dveditz → mstoltz
The SmartUpdate site and Theme Park are dead without this fix.
Priority: P3 → P1
Whiteboard: [rtm+ need info]
*** Bug 56729 has been marked as a duplicate of this bug. ***
Since this started happening on the 14th, I went back and tested win32 builds 
from that day.
2000-10-14-09-MN6 is the last "healthy" win32 build. This bug takes hold in 
the 2000-10-14-09-Mtrunk win32 build and persists through to today's nightly 
(2000101609). Hopefully this helps track down the misbehaving code.
*** Bug 56960 has been marked as a duplicate of this bug. ***
*** Bug 56996 has been marked as a duplicate of this bug. ***
I have a fix, but I'm a little worried about what the fix will do to our 
security, so I'm exploring alternatives.
ccing vidur and jst for review
Looks good to me, r=jst
Not knowing all the security issues I don't know what my review is worth but I
applied the patch to my local tree and XPInstall's confirm dialog is showing up
correctly when using triggers.  i.e. looks like the patch works.
Need a super-review, but I'll mark rtm+ in anticipation of getting it. This
patch fixes the XPInstall problem and we desperately need it.
Whiteboard: [rtm+ need info] → [rtm+]
This bug also happens to fix the crasher bug:

They are not the same bugs, but are somehow related.
*** Bug 57099 has been marked as a duplicate of this bug. ***
Bruce Whitaker says this is critical for Netcenter.
sr=vidur. As I mentioned to Mitch yesterday, I'm not as concerned about the
mechanism of enforcement (i.e. the pref that prevents scripts from calling
openDialog). The security prefs as a whole are an important part of our
enforcement and modification of any of them will open us to exploits. Assuming
window.alert/confirm/prompt are not broken (as they were by a prior security fix
in openDialog), this is good to go.
alert/confirm/prompt are not broken, I've tested this. We're good to go.
Mitch...Can you kindly check alerts/confirms called from an xpi package?

One of my regular tests is to run this package: 

I'm going to check this test anyway, but there can be differences.  Bug 55974 is 
evidence of one difference.  Thanks.
  How do I do that?
From your seamonkey browser, just open http://jimbob/jars/f_alertconfirm.xpi.  
When you accept the warning of XPInstall confirm dialog, instead of installing a 
file, directory, etc, an alert and then a confirm dialog should appear.  That's 
it.  It's just a test to verify that alerts/confirms can be generated from an 
xpi package.

*** Bug 56823 has been marked as a duplicate of this bug. ***
This patch works fine for me here on unix.

Anyone know when it is going to be checked into the truck?

The alert/confirm test works.
Whiteboard: [rtm+] → [rtm++]
Win NT 4.001381  using build 2000101904 downloaded this morning.

It still doesn't work, but action is actually worse than yesterday from a user 
standpoint.  The browser freezes and I had to use taskmanager to cancell it 
after trying each of the following URLs:
after "pressing/clicking" the button, it launched a second browser 
with the same content as the first.  yesterday this second browser had the
210 error message.  browser locked, cancelled via taskmanager
after press/click the error 210 small popup window appeared, 
just as yesterday.  however, again the browser froze & I was 
forced to use taskmanager to cancell it.

see: for details from yesterdays
W/out building w/ the provided patch, i have the exact same thing on unix.
link doesn't do anything, then she crashes upon any subsequent page load.

Looks like no change to me.

confirm ben's results on mtrunk 101904 for win98.

however, an interesting complication:  xpinstalling a new skin from
works just fine, both download and quick methods.  i don't believe it did on
earlier builds.

Another interesing addition to ben's comment: (PC/Linux 2000101908 here)

When it hangs, one of the threads is eating all the CPU. Probably an infinite
loop somewhere.

Also, I saw no popup. It hangs as soon as I click the 'Install' button in the
page (for both PSM and Java).

I'll try to use gdb to generate a stack trace.
OK, here it is.

~/mozilla$ gdb mozilla-bin 1739
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(no debugging symbols found)...
/home/cesarb/mozilla/1739: No such file or directory.
Attaching to program: /home/cesarb/mozilla/mozilla-bin, Pid 1739
[...lots of spam removed...]
[New Thread 1024 (runnable)]
[New Thread 2049 (runnable)]
[New Thread 1026 (runnable)]
[New Thread 4101 (runnable)]
[...more spam removed...]
0x4012090c in js_MarkGCThing () from /home/cesarb/mozilla/
(gdb) where
#0  0x4012090c in js_MarkGCThing () from /home/cesarb/mozilla/
#1  0x40121064 in js_GC () from /home/cesarb/mozilla/

#2  0x40120a43 in js_ForceGC () from /home/cesarb/mozilla/
#3  0x4010694d in JS_GC () from /home/cesarb/mozilla/
#4  0x40106993 in JS_MaybeGC () from /home/cesarb/mozilla/
#5  0x40387915 in nsJSContext::ScriptEvaluated ()
   from /home/cesarb/mozilla/
#6  0x403868f4 in nsJSContext::ExecuteScript ()
   from /home/cesarb/mozilla/
#7  0x4080b6f8 in NSGetModule () from /home/cesarb/mozilla/components/
#8  0x4080b3a6 in NSGetModule () from /home/cesarb/mozilla/components/
#9  0x4080ab7e in NSGetModule () from /home/cesarb/mozilla/components/
#10 0x4080e1ab in NSGetModule () from /home/cesarb/mozilla/components/
#11 0x409558e1 in NSGetModule ()
   from /home/cesarb/mozilla/components/
#12 0x40aa4a07 in NSGetModule ()
   from /home/cesarb/mozilla/components/
#13 0x400c2983 in PL_HandleEvent () from /home/cesarb/mozilla/
#14 0x400c28a6 in PL_ProcessPendingEvents ()
   from /home/cesarb/mozilla/
#15 0x400c35fd in nsEventQueueImpl::ProcessPendingEvents ()
   from /home/cesarb/mozilla/
#16 0x40486ccf in NSGetModule ()
---Type <return> to continue, or q <return> to quit---
   from /home/cesarb/mozilla/components/
#17 0x40486a8d in NSGetModule ()
   from /home/cesarb/mozilla/components/
#18 0x4062ac10 in g_io_add_watch () from /usr/lib/
#19 0x4062c2d9 in g_get_current_time () from /usr/lib/
#20 0x4062c8e3 in g_get_current_time () from /usr/lib/
#21 0x4062c995 in g_main_iteration () from /usr/lib/
#22 0x4048722c in NSGetModule ()
   from /home/cesarb/mozilla/components/
#23 0x40432d8f in inflate_mask ()
   from /home/cesarb/mozilla/components/
#24 0x4043259a in inflate_mask ()
   from /home/cesarb/mozilla/components/
#25 0x4042ebfc in inflate_mask ()
   from /home/cesarb/mozilla/components/
#26 0x4039b287 in GlobalWindowImpl::OpenInternal ()
   from /home/cesarb/mozilla/
#27 0x403982f5 in GlobalWindowImpl::Open ()
   from /home/cesarb/mozilla/
#28 0x4038f120 in NS_CreateScriptContext ()
   from /home/cesarb/mozilla/
#29 0x401224fc in js_Invoke () from /home/cesarb/mozilla/
#30 0x40128d64 in js_Interpret () from /home/cesarb/mozilla/
---Type <return> to continue, or q <return> to quit---
#31 0x40122544 in js_Invoke () from /home/cesarb/mozilla/
#32 0x4012273c in js_InternalInvoke () from /home/cesarb/mozilla/
#33 0x4010906f in JS_CallFunctionValue () from /home/cesarb/mozilla/
#34 0x40340ab7 in NSGetModule ()
   from /home/cesarb/mozilla/components/
#35 0x400c2983 in PL_HandleEvent () from /home/cesarb/mozilla/
#36 0x400c28a6 in PL_ProcessPendingEvents ()
   from /home/cesarb/mozilla/
#37 0x400c35fd in nsEventQueueImpl::ProcessPendingEvents ()
   from /home/cesarb/mozilla/
#38 0x40486ccf in NSGetModule ()
   from /home/cesarb/mozilla/components/
#39 0x40486a8d in NSGetModule ()
   from /home/cesarb/mozilla/components/
#40 0x4062ac10 in g_io_add_watch () from /usr/lib/
#41 0x4062c2d9 in g_get_current_time () from /usr/lib/
#42 0x4062c8e3 in g_get_current_time () from /usr/lib/
#43 0x4062ca7c in g_main_run () from /usr/lib/
#44 0x405521e7 in gtk_main () from /usr/lib/
#45 0x404871bc in NSGetModule ()
   from /home/cesarb/mozilla/components/
#46 0x4043496a in inflate_mask ()
   from /home/cesarb/mozilla/components/
---Type <return> to continue, or q <return> to quit---
#47 0x804e1b5 in JS_PushArguments ()
#48 0x804e5d6 in JS_PushArguments ()
#49 0x4025da42 in __libc_start_main () from /lib/
(gdb) detach
Detaching from program: /home/cesarb/mozilla/mozilla-bin, process 1739
(gdb) q

Did that help? Or should I try to download something which showed the parameters
CC'ing self.
Although this bug got the rtm-double-plus, I would suspect that the patch has
not yet been checked in (trunk or branch)... and that is why it is still broken.

Mitch: Any ETA for the anxious onlookers?... or has this landed?


>however, an interesting complication:  xpinstalling a new skin from
>works just fine, both download and quick methods.  i don't believe it did on
>earlier builds.

  I've installed skins from prior to the 1019 nightly on Win98se.
I was able to install PSM today on Linux x86 Build ID: 2000102008
I was just able to install both the URLs I mentioned earlier using the 
latest nightly:  2000102004

OS is Win NT 4.001381

-  Ben
confirm as fixed in 2000102004 in win98.  progress bar still broken, but that's
a whole other bug.
I can confirm this works also. I am running a FreeBSD debug build off of the
works fine.

I can confirm that triggering now behaves as expected from the BRANCH.  It seems 
that this bug reports status needs to be marked FIXED unless there is still some 
unfinished business.  You fix'em, I verify'em. :-)
I applied the patch earlier today and got no errors -> it was not checked in. I
am using the trunk. Mitch, did you check this into the branch only, but not the
Closed: 19 years ago
Resolution: --- → FIXED
Wasn't there some concern about the fix compromising security? What was it?
Build: 2000-10-20-09-MN6(WIN), 2000-10-20-09-MN6(LINUX), 2000-10-20-08-MN6(MAC)

Verified for BRANCH.
Keywords: vtrunk
target, see the patch (should be readable for non-programmers. "!" means "not").
Build: 2000-11-07-08-Mtrunk(WIN), 2000-11-07-08-Mtrunk(MAC), 

Works fine from the TRUNK.  Marking Verified.  Removing vtrunk from Keywords.
Keywords: vtrunk
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.