Closed
Bug 635776
Opened 14 years ago
Closed 14 years ago
When Javascript stack space is limited, window.open() returns a ChromeWindow
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla2.0
Tracking | Status | |
---|---|---|
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
People
(Reporter: zrhoffman, Assigned: smaug)
Details
(Keywords: regression, reporter-external, Whiteboard: [sg:high])
Attachments
(3 files)
1.15 KB,
text/html
|
Details | |
1.12 KB,
patch
|
Details | Diff | Splinter Review | |
635 bytes,
patch
|
bzbarsky
:
review+
jst
:
approval2.0+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0b11) Gecko/20100101 Firefox/4.0b11
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0b11) Gecko/20100101 Firefox/4.0b11
If enough stack space is exhausted when window.open() is called, the new window's initialization fails in fundamental ways (it has no visual components besides the bare window and is not loaded as a tab), though the function manages to return a ChromeWindow reference. The opener window then has full read/write access to the ChromeWindow's document object, regardless of either's page location.
Reproducible: Always
Steps to Reproduce:
1. Open Firefox beta 11 (or possibly other beta versions)
2. Run either the testcase (attached), or the following code from the address bar:
(function g(){try{eval("g()")}catch(c){if(c!=2)throw c[0]?1:c+1;d=open('data:text/html,A page')}})()
After running the testcase, the error console contains new exceptions after subsequent pageloads, sometimes even after restarting the browser.
Reporter | ||
Comment 1•14 years ago
|
||
Assignee | ||
Comment 2•14 years ago
|
||
I can't reproduce on 64bit Linux, but "Open a ChromeWindow" does cause a crash.
Comment 3•14 years ago
|
||
Blake, care to have a look? We should never return the outer chrome window from window.open()...
Assignee: nobody → mrbkap
Whiteboard: [sg:high]
Comment 4•14 years ago
|
||
Tried injecting "try{alert(Components.stack)} catch(e){alert(e)}" and got a security exception, proving it's not Chrome-privileged despite being a "ChromeWindow".
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 6•14 years ago
|
||
When I try to inject "alert(Components.stack)" instead I get a security exception in the error console. This implies the window does not actually have chrome privileges. Still XSS though.
Assignee | ||
Comment 7•14 years ago
|
||
Is this a regression?
There were some changes to window handling for FF4.
Assignee | ||
Comment 8•14 years ago
|
||
Ok, at least on 64bit linux / debug build this is a regression from
1.9.2.
Keywords: regression
Assignee | ||
Comment 9•14 years ago
|
||
Both 1.9.2 and 1.9.1 give security error when trying to inject code.
Assignee | ||
Comment 10•14 years ago
|
||
Assignee: mrbkap → Olli.Pettay
Attachment #515915 -
Flags: review?(bzbarsky)
Assignee | ||
Updated•14 years ago
|
Attachment #515915 -
Flags: review?(jst)
Assignee | ||
Comment 11•14 years ago
|
||
I haven't run tests yet.
Comment 12•14 years ago
|
||
Hmm. So why does JS stack space matter? We fail to get newWindow because of OOM or something?
Assignee | ||
Comment 13•14 years ago
|
||
Well all sort of things start to fail if we're running out of
JS stack space when creating a new window. The js in the new window
just can't run properly.
But I can still debug some more to find the exact place which prevents
the created window to have primary content shell.
Assignee | ||
Comment 14•14 years ago
|
||
Actually, might be better to add a check to nsXULWindow::CreateNewContentWindow
that the primary content shell can be get from the result.
Comment 15•14 years ago
|
||
That seems like a good sanity-check, yes. I'm not that interested in where the window creation fails, as long as it fails. ;)
Assignee | ||
Comment 16•14 years ago
|
||
Apparently comment 14 isn't enough to fix this bug. Debugging...
Assignee | ||
Comment 17•14 years ago
|
||
Idiot me, I was checking mPrimaryContentShell of wrong XULWindow :)
This should work.
Posted to tryserver.
Attachment #516280 -
Flags: review?(bzbarsky)
Assignee | ||
Updated•14 years ago
|
Attachment #515915 -
Flags: review?(jst)
Attachment #515915 -
Flags: review?(bzbarsky)
Comment 18•14 years ago
|
||
Comment on attachment 516280 [details] [diff] [review]
patch
r=me
Attachment #516280 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Updated•14 years ago
|
Attachment #516280 -
Flags: approval2.0?
Updated•14 years ago
|
Attachment #516280 -
Flags: approval2.0? → approval2.0+
Comment 19•14 years ago
|
||
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Updated•12 years ago
|
Group: core-security
Updated•11 years ago
|
Flags: sec-bounty+
Updated•5 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•