Open Bug 637895 Opened 13 years ago Updated 1 month ago

A double-click on a word can select invisible text, including newline characters

Categories

(Core :: DOM: Selection, defect)

1.9.2 Branch
defect

REOPENED

People

(Reporter: vincent-moz, Unassigned, NeedInfo)

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-GB; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-GB; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14

A double-click on a word can select invisible text, including newline characters, while the user thinks that only the word is selected.

This means that if the user pastes the selection, much more text will be pasted. This can be very harmful under some conditions, where a newline character may validate something. This is the case in a text terminal, in particular when running a shell. With such a method, an attacker (by fooling the user, who isn't aware of this bug) could run any command in the user's shell to destroy data (e.g. with \rm -rf ~) or retrieve private data (e.g. with the mail command).

Reproducible: Always

Steps to Reproduce:
1. Open the URL https://bugzilla.mozilla.org/show_bug.cgi?id=274712 and make sure you do not have edit permissions on the summary of the bug.
2. Double-click on the last word of the bug summary ("Dialog").
3. Paste the selection in a text terminal.

Actual Results:  
I get the following two lines (each one ending with a newline character):

Dialog
Summary:        New Options Dialog


Expected Results:  
One should get only the word "Dialog".
With Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0, I get only “Dialog ” copied (with a space after the word “Dialog”).
Same with Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110315 Firefox/4.0b13pre. Is that enough to consider it fixed there?

Reproduced with 3.5.17 and 3.6.14.

Probably duplicate of bug 464789 (haven't tried to reproduce), maybe even bug 461605?
Version: unspecified → 1.9.2 Branch
The space selection might be bug 452948.
I forgot... since the summary appears several times: the problem occurs only with the summary over a gray background.

I cannot reproduce bug 464789, so it is not a duplicate (perhaps it is an MS Windows-only behavior, if it is bug 452948 as suggested by Comment 3). Anyway, there's much more than a trailing space here.

Bug 461605 concerns Thunderbird, and I wonder what the equivalent would be for Firefox.
Actually any selection can include invisible text, not just a double-click on a word. This is a similar problem, except that the one with a double-click on a word is worse, since even when one knows that text can be hidden with CSS, one doesn't expect more than a word to be selected in the case of a double-click on a word. However I think that the more general problem should be fixed too because it is too easy to be fooled, and fixing it would fix this particular bug as a consequence, IMHO.

FYI, about the more general problem:
  http://www.ush.it/team/ascii/hack-tricks_253C_CCC2008/wysinwyc/what_you_see_is_not_what_you_copy.txt
  http://thejh.net/misc/website-terminal-copy-paste
This bug still occurs with Firefox 39.0 under Linux, but I just get a space as in Comment 1.
Bugzilla has changed, so the above steps to reproduce are no longer valid. This bug may actually be a combination of 2 bugs:
1. More text can be selected than the double-clicked word. See bug 1232322 (with Firefox up to 52.9.0 at least, newlines could also be selected, just as noticed above).
2. Invisible text can also be selected (with a double-click, this could partly be a consequence of the first issue, but this is also a more general problem).

Hey Vincent,
Can you still reproduce this or should we close it?
It only selects one word for me when I double click.

Flags: needinfo?(vincent-moz)

It still occurs with 94.0. Example: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85957
Double-click on "equal" in the title text below "Home | New | Browse | Search" and just above "Status:". Pasting it gives "equal " (i.e. the word "equal" followed by a normal space).

A double-click shouldn't include blanks before or after the word.

Flags: needinfo?(vincent-moz)

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: major → --

I believe this issue is fixed.
"layout.word_select.eat_space_to_next_word" is the preference to control the behavior.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

For newline characters, it seems fixed, but a double-click on a word may add spaces before or after the word, even though layout.word_select.eat_space_to_next_word is false (default). For instance:

  • In this bug, double-click on "Opened" near the top (right of "Bug 637895"). When pasting the selection, I get " Opened", with a space before the word, even though there is no selectable space before.
  • At https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85957 as in comment 9, after a double-click on "equal" in the title, when pasting the selection, I still get "equal ", with a space after the word.

A minimal way to reproduce both issues at the same time:

<p><span></span> <span>foo</span> <span></span></p>

Double-clicking on "foo" gives " foo ", with a space before and after the word.

(In reply to Vincent Lefevre from comment #12)

Thanks for the details. I closed this per STR on comment #9.
Let me reopen this and loop Jan here, he has been looking at similar areas recently.

Status: RESOLVED → REOPENED
Ever confirmed: true
Flags: needinfo?(jjaschke)
Resolution: FIXED → ---
Severity: -- → S3
Flags: needinfo?(jjaschke)
Flags: needinfo?(jjaschke)

I've replaced the obsolete testcase URL by the example from comment #12 (as a "data:" URL).
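
Added example (not part of the bug thread and not Firefox code): a check that a terminal front end or clipboard helper could run on pasted text, applied to the strings reported in the comments above. The function name `inspectPaste` and its result fields are hypothetical.

```javascript
// Added example; inspectPaste and its result fields are hypothetical names.
// Flags clipboard text that carries more than the word the user double-clicked.

const LINE_BREAK = /\r\n|\r|\n/g;
// C0 controls other than TAB, LF, CR, plus DEL (covers ESC, used in escape sequences).
const OTHER_CONTROL = /[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f]/g;

function inspectPaste(text) {
  const findings = [];
  // Every line break acts like pressing Enter when pasted into a shell prompt.
  const submittedLines = (text.match(LINE_BREAK) || []).length;
  if (submittedLines > 0) findings.push("line-break");
  if (text.search(OTHER_CONTROL) !== -1) findings.push("control-char");

  // What a user expects from a double-click: the first line, without blanks.
  const firstLine = text.split(LINE_BREAK)[0].replace(OTHER_CONTROL, "");
  if (/^[ \t]/.test(firstLine)) findings.push("leading-blank");
  if (/[ \t]$/.test(firstLine)) findings.push("trailing-blank");

  return { findings, submittedLines, firstLineTrimmed: firstLine.trim() };
}

// Strings as reported in this thread, plus one constructed escape-sequence case.
const samples = [
  "Dialog\nSummary:        New Options Dialog\n", // original report
  " foo ",                                        // minimal testcase, comment 12
  "equal ",                                       // gcc bugzilla title, comment 9
  "ls\u001b[2J",                                  // constructed: embedded ESC
];

for (const s of samples) {
  const r = inspectPaste(s);
  console.log(JSON.stringify(s), "->", r.findings.join(",") || "clean",
              `lines=${r.submittedLines}`, `word=${JSON.stringify(r.firstLineTrimmed)}`);
}
```

A paste handler can refuse or ask for confirmation whenever `findings` is non-empty, and offer `firstLineTrimmed` as the safe alternative.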
