Closed Bug 594999 Opened 14 years ago Closed 13 years ago

"Security Manager vetoed action" exception when accessing any property of InstallTrigger

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: tdale, Assigned: gal)

References

Details

(Whiteboard: [softblocker], fixed-in-tracemonkey [fx4-fixed-bugday])

Attachments

(4 files, 4 obsolete files)

Test case demonstrating the problem
171 bytes, text/html
Details
Merged patch
24.09 KB, patch
mrbkap
: review+
Details | Diff | Splinter Review
Test fixes
13.50 KB, patch
mrbkap
: review+
Details | Diff | Splinter Review
patch
24.12 KB, patch
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.1 Safari/533.17.8
Build Identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b5) Gecko/20100101 Firefox/4.0b5

When accessing any undefined property of the window.InstallTrigger object, an exception is thrown.

Reproducible: Always

Steps to Reproduce:
1. Open the included test case in Firefox 4 Beta 5
2. Open the Error Console
Actual Results:  
Firefox throws an exception:
Error: uncaught exception: [Exception... "Security Manager vetoed action"  nsresult: "0x80570027 (NS_ERROR_XPC_SECURITY_MANAGER_VETO)"  location: "JS frame :: file:///Users/tomdale/Desktop/install_trigger_exception.html :: onclick :: line 1"  data: no]

Expected Results:  
Attempts to retrieve undefined properties do not create a security problem and should not throw an exception. I would expect undefined to be returned.

We consider this a high-priority bug because it causes almost all SproutCore applications to cease working. We generate string representations of classes partly by iterating over the window object and checking for a certain property on each object.

Because this happens at application initialization, this exception being thrown causes existing applications immediately cease functioning on page load. And any web application that iterates over the window object will likely be impacted by this as well.
Blocks: 550936
Severity: major → minor
Component: Installer: XPInstall Engine → Add-ons Manager
Product: Core → Toolkit
QA Contact: xpi-engine → add-ons.manager
Version: unspecified → Trunk

    
    

    
  
Looks like an xpconnect issue, specifically with __exposedProps__.
Status: UNCONFIRMED → NEW
Ever confirmed: true

    
  
Component: Add-ons Manager → XPConnect
Product: Toolkit → Core
QA Contact: add-ons.manager → xpconnect

    
    

    
  
I tested the test case with the latest nightly Trunk load and the error message generated is currently:

Error: Permission denied to access property 'unknownProperty'
Source file: https://bug594999.bugzilla.mozilla.org/attachment.cgi?id=473805
Line: 4


That's pretty much the same error I'm seeing at me.com, which is broken in Firefox 4 beta and presumably what triggered this bug to be filed.
blocking2.0: --- → ?

    
    

    
  
This is I guess sort of intentional, you aren't allowed to access anything other than the exposed properties. What is me.com expecting to be able to access that it can't?

    
    

    
  
The file is minified so it's hard to tell, but maybe they enumerate over all properties, |for (x in obj)|, maybe looking for some property they care about.

In any case, if we returned |undefined| instead of throwing a security exception, this would probably be fixed. But I don't know enough about the security manager to know if that doesn't introduce some other problem.

    
    

    
  
Blake, is there a way to have the __exposedProps__ thing just claim undefined for anything except that in the list?

    
    

    
  
We should probably block on this.
blocking2.0: ? → betaN+

    
    

    
  
Alon is right.

We basically iterate through the window object using for (x in window). Then it finds the "InstallTrigger" property which I assume shouldn't be enumerable if it's not supposed to be accessed.

    
    

    
  
No owner? Stealing.

    
  
QA Contact: xpconnect → gal

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch (obsolete)
        — Splinter Review
      

    


  
Assignee: nobody → gal

    
  
QA Contact: gal → xpconnect

    
  

        Attachment #507787 -
        Flags: review?(mrbkap)

    
    

    
  
It appears that the "in" operator doesn't work with this patch.

I.e., for an object like:

x = {
  foo: 5,
  __exposedProps__: {},
};

|"foo" in x| returns true. Still writing tests.

    
    

    
  
Comment on attachment 507787 [details] [diff] [review]
patch

It appears that with this patch, if a property is *not* exposed using __exposedProps__ the "in" operator always claims that the property exists. However in that case it should claim that the property does not exist, right?

If a property is listed in __exposedProps__, then the "in" operator works fine and properly reflects the existence of the property in the underlying object, whether it exists or not.


Enumeration appears to be working fine though.

        Attachment #507787 -
        Flags: review?(mrbkap) → review-

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Tests (obsolete)
        — Splinter Review
      

    


  
These were the tests I used to find the "in" bug.

The patch as-is should be passing with just the patch in this bug. The commented out tests test the behavior in the patch in bug 628410, hence they are commented out.

    
    

    
  
Trivial fix. Uploading a new patch. Thanks for writing the tests! Andreas

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch (obsolete)
        — Splinter Review
      

    


  

        Attachment #507787 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Merged patchSplinter Review
      

    


  
This merges on top of bug 628410

        Attachment #508049 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Test fixesSplinter Review
      

    


  
Tests for this bug and bug 628410

        Attachment #507992 -
        Attachment is obsolete: true

        Attachment #508068 -
        Flags: review?(mrbkap)

    
    

    
  
Comment on attachment 508067 [details] [diff] [review]
Merged patch

>+    desc->obj= NULL; // default result if we refuse to perform this action

Nit: (here and below). Need a space before the = sign.

        Attachment #508067 -
        Flags: review?(mrbkap) → review+

        Attachment #508068 -
        Flags: review?(mrbkap) → review+

    
    

    
  
This is breaking Mochitests :(

Specifically

js/src/xpconnect/tests/mochitest/test_bug428021.html is failing with

Permission denied to access property 'document' at http://mochi.test:8888/tests/js/src/xpconnect/tests/mochitest/test_bug396851.html:17


Though it's really weird that the test files aren't lining up here...

    
    

    
  
How do I run that one test only? I can try to reproduce.

    
    

    
  
Even weirder is that that line is *supposed* to throw! But there's a try/catch around it.

Are we somehow resurfacing an old exception?

    
    

    
  
go to objdir/_test/testing/mochitest
run: python runtests.py --test-path=js/src/xpconnect/tests/mochitest/ --autorun

There seems to be some weird interaction between tests here, so you likely need to run the whole directory.

    
    

    
  
Make that

python runtests.py --test-path=js/src/xpconnect/tests/mochitest/ --autorun --debugger=gdb

if you want to run inside gdb.

    
    

    
  
Its not failing for me.

    
    

    
  
(In reply to comment #25)
> Make that
> 
> python runtests.py --test-path=js/src/xpconnect/tests/mochitest/ --autorun
> --debugger=gdb
> 
> if you want to run inside gdb.

FWIW, `TEST_PATH="js/src/xpconnect/tests/mochitest/test_bug396851.html" make mochitest-plain` (to run in $OBJDIR) is probably an easier way. And add EXTRA_TEST_ARGS='--debugger=gdb' to run in in a debugger.

    
    

    
  
The patch is failing in all sorts of weird ways, and it's not consistent across platforms. Even some of the trivial tests in test_cows are failing in some runs. Maybe there's some uninitialized variable in there?

http://tbpl.mozilla.org/?tree=MozillaTry&rev=ab66e36aa42c

    
    

    
  
Yeah, I think I found something. New patch in a sec.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch (obsolete)
        — Splinter Review
      

    


  

    
  

        Attachment #508173 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  

    
    

    
  
I pushed this to try again, with the uninitialized variable fix.

    
    

    
  
With the fix we seem to pass try.

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/2fb3475b3036
Whiteboard: [softblocker], fixed-in-tracemonkey

    
    

    
  
Does this fix Bug 627305? 
(I don't have access to me.com, so can't test)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
    

    
  
Verified fixed on Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b12pre) Gecko/20110204 Firefox/4.0b12pre

    
  
Status: RESOLVED → VERIFIED
Whiteboard: [softblocker], fixed-in-tracemonkey → [softblocker], fixed-in-tracemonkey [fx4-fixed-bugday]
Depends on: 631725

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: