Closed Bug 596232 Opened 14 years ago Closed 14 years ago

nsXULTemplateBuilder/nsXULTemplateQueryProcessorXML load new data sources at unsafe time

Categories

(Core :: XUL, defect)

Product:
Core
Component:
XUL
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- -
blocking1.9.2 --- .14+
status1.9.2 --- .14-fixed
blocking1.9.1 --- .17+
status1.9.1 --- .17-fixed

People

(Reporter: smaug, Assigned: enndeakin)

References

Details

(Whiteboard: [sg:critical?] for 1.9.2 and earlier)

Attachments

(3 files)

add checks
3.68 KB, patch
smaug
: review+
christian
: approval1.9.2.14+
Details | Diff | Splinter Review
trunk version
4.62 KB, patch
smaug
: review+
Details | Diff | Splinter Review
1.9.1 with extra include
4.18 KB, patch
christian
: approval1.9.1.17+
Details | Diff | Splinter Review
nsEventDispatcher::Dispatch [content/events/src/nsEventDispatcher.cpp:515] nsEventDispatcher::DispatchDOMEvent [content/events/src/nsEventDispatcher.cpp:691] nsDOMEventTargetHelper::DispatchDOMEvent [content/events/src/nsDOMEventTargetHelper.cpp:230] nsXMLHttpRequest::ChangeState [content/base/src/nsXMLHttpRequest.cpp:3000] nsXMLHttpRequest::OpenRequest [content/base/src/nsXMLHttpRequest.cpp:1793] nsXULTemplateQueryProcessorXML::GetDatasource [content/xul/templates/src/nsXULTemplateQueryProcessorXML.cpp:221] nsXULTemplateBuilder::LoadDataSourceUrls [content/xul/templates/src/nsXULTemplateBuilder.cpp:1365] nsXULTemplateBuilder::LoadDataSources [content/xul/templates/src/nsXULTemplateBuilder.cpp:1263] nsXULTemplateBuilder::AttributeChanged [content/xul/templates/src/nsXULTemplateBuilder.cpp:1140] nsXULContentBuilder::AttributeChanged [content/xul/templates/src/nsXULContentBuilder.cpp:1591] nsNodeUtils::AttributeChanged [content/base/src/nsNodeUtils.cpp:127] nsGenericElement::SetAttrAndNotify [content/base/src/nsGenericElement.cpp:4688] nsGenericElement::SetAttr [content/base/src/nsGenericElement.cpp:4622] nsGenericElement::SetAttribute [content/base/src/nsGenericElement.cpp:2400] nsXULElement::SetAttribute [content/xul/content/src/nsXULElement.h:561] nsIDOMElement_SetAttribute [dom_quickstubs.cpp:4918] This bug is basically a clone of bug 553808.
Not sure if web content can access this code on trunk, but on branches it should be able to. The following methods may have security problems nsXULTemplateBuilder::AttributeChanged nsXULTemplateBuilder::ContentRemoved nsXULTemplateBuilder::NodeWillBeDestroyed
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
Whiteboard: [sg:critical?] for 1.9.2 and earlier
blocking2.0: ? → -
blocking1.9.1: ? → needed
blocking1.9.2: ? → needed
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Bug 553808 was assigned to you Neil. Might be safer to fix it here. Sorry that I haven't fixed that bug, but the original tbox log hasif y long gone and there were no new reports about it for awhile. Anyway, Neil, you know this code a lot better than I do. But just say if you don't have time. I could try to look at this too. (But you'd have to review the patch carefully ;) )
Assignee: nobody → enndeakin
Attached patch add checksSplinter Review
Attachment #479407 - Flags: review?(Olli.Pettay)
Attachment #479407 - Flags: review?(Olli.Pettay) → review+
Attachment #479407 - Flags: approval1.9.2.11?
Comment on attachment 479407 [details] [diff] [review] add checks 1.9.2.11 is past code-freeze, moving request to next release.
Attachment #479407 - Flags: approval1.9.2.11? → approval1.9.2.12?
Comment on attachment 479407 [details] [diff] [review] add checks Approved for 1.9.2.12, a=dveditz for release-drivers
Attachment #479407 - Flags: approval1.9.2.12? → approval1.9.2.12+
So, this just needs to be landed and tested/confirmed.
Keywords: checkin-needed
Can we close this?
Do we want to fix this problem on trunk as well? It may no longer be a security worry, but presumably we--or an addon--could stumble across this as a stability problem. Does this patch work for trunk? Do we need a different patch for 1.9.1? Marking status1.9.2 as .12-fixed per comment 7
status1.9.2: wanted.12-fixed
Attached patch trunk versionSplinter Review
Attachment #485290 - Flags: review?(Olli.Pettay)
Attachment #485290 - Flags: review?(Olli.Pettay) → review+
http://hg.mozilla.org/mozilla-central/rev/3e08f8844f87
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Olli, is there anything for QA to do to verify this fix on 1.9.2?
You could ensure that loading test_tmpl_errors.xul in a debug build doesn't cause any assertions.
trunk has a regression 608687 which got attached to the clone bug 553808 rather than here.
Depends on: 608687
Comment on attachment 479407 [details] [diff] [review] add checks >+ nsCOMPtr<nsIDocument> doc = mRoot ? mRoot->GetDocument() : nsnull; Patch applies fine to 1.9.1 branch but fails to compile. The above results in ../../../../dist/include/xpcom/nsCOMPtr.h: In constructor ‘nsCOMPtr<T>::nsCOMPtr(T*) [with T = nsIDocument]’: /Users/daniel/dev/ffcentral/moz191/content/xul/templates/src/nsXULTemplateBuilder.h:159: instantiated from here ../../../../dist/include/xpcom/nsCOMPtr.h:554: error: invalid use of undefined type ‘struct nsIDocument’ ../../../../dist/include/content/nsNodeInfoManager.h:50: error: forward declaration of ‘struct nsIDocument’ ../../../../dist/include/xpcom/nsCOMPtr.h:555: error: invalid static_cast from type ‘nsIDocument*’ to type ‘nsISupports*’ ../../../../dist/include/xpcom/nsCOMPtr.h: In destructor ‘nsCOMPtr<T>::~nsCOMPtr() [with T = nsIDocument]’: /Users/daniel/dev/ffcentral/moz191/content/xul/templates/src/nsXULTemplateBuilder.h:159: instantiated from here ../../../../dist/include/xpcom/nsCOMPtr.h:508: error: invalid static_cast from type ‘nsIDocument*’ to type ‘nsISupports*’ ../../../../dist/include/xpcom/nsCOMPtr.h:510: error: invalid use of undefined type ‘struct nsIDocument’ ../../../../dist/include/content/nsNodeInfoManager.h:50: error: forward declaration of ‘struct nsIDocument’ ../../../../dist/include/xpcom/nsCOMPtr.h: In copy constructor ‘nsCOMPtr<T>::nsCOMPtr(const nsCOMPtr<T>&) [with T = nsIDocument]’: /Users/daniel/dev/ffcentral/moz191/content/xul/templates/src/nsXULTemplateBuilder.h:159: instantiated from here ../../../../dist/include/xpcom/nsCOMPtr.h:545: error: invalid use of undefined type ‘struct nsIDocument’ ../../../../dist/include/content/nsNodeInfoManager.h:50: error: forward declaration of ‘struct nsIDocument’ ../../../../dist/include/xpcom/nsCOMPtr.h:546: error: invalid static_cast from type ‘nsIDocument* const’ to type ‘nsISupports*’ ../../../../dist/include/xpcom/nsCOMPtr.h: In member function ‘void nsCOMPtr<T>::Assert_NoQueryNeeded() [with T = nsIDocument]’: ../../../../dist/include/xpcom/nsCOMPtr.h:556: instantiated from ‘nsCOMPtr<T>::nsCOMPtr(T*) [with T = nsIDocument]’ /Users/daniel/dev/ffcentral/moz191/content/xul/templates/src/nsXULTemplateBuilder.h:159: instantiated from here ../../../../dist/include/xpcom/nsCOMPtr.h:520: error: no matching function for call to ‘do_QueryInterface(nsIDocument*&)’ ../../../../dist/include/xpcom/nsCOMPtr.h:303: note: candidates are: nsQueryInterface do_QueryInterface(nsISupports*) ../../../../dist/include/xpcom/nsCOMPtr.h:310: note: nsQueryInterfaceWithError do_QueryInterface(nsISupports*, nsresult*) make[7]: *** [nsXULTemplateQueryProcessorStorage.o] Error 1
blocking1.9.1: needed → .17+
blocking1.9.2: needed → .14+
Attachment #479407 - Flags: approval1.9.2.14?
Comment on attachment 479407 [details] [diff] [review] add checks a=LegNeato for 1.9.2.14
Attachment #479407 - Flags: approval1.9.2.14?
Attachment #479407 - Flags: approval1.9.2.14+
Attachment #479407 - Flags: approval1.9.2.13+
We'll also need the fix for 1.9.1 as well...
status1.9.2: wanted.14-fixed
Attachment #505815 - Flags: approval1.9.1.17?
Comment on attachment 505815 [details] [diff] [review] 1.9.1 with extra include Approved for 1.9.1.17. Please land this as early as possible today so it makes the next release
Attachment #505815 - Flags: approval1.9.1.17? → approval1.9.1.17+
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: