Open Bug 637895 Opened 10 years ago Updated 2 years ago

A double-click on a word can select invisible text, including newline characters

Categories

(Core :: DOM: Selection, defect)

Product:
Core
Component:
DOM: Selection
Version:
1.9.2 Branch
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: vincent-moz, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-GB; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-GB; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14

A double-click on a word can select invisible text, including newline characters, while the user thinks that only the word is selected.

This means that if the user pastes the selection, much more text will be pasted. This can be very harmful under some conditions, where a newline character may validate something. This is the case in a text terminal, in particular when running a shell. With such a method, an attacker (by fooling the user, who isn't aware of this bug) could run any command in the user's shell to destroy data (e.g. with \rm -rf ~) or retrieve private data (e.g. with the mail command).

Reproducible: Always

Steps to Reproduce:
1. Open the URL https://bugzilla.mozilla.org/show_bug.cgi?id=274712 and make sure you do not have edition permissions on the summary of the bug.
2. Double-click on the last word of the bug summary ("Dialog").
3. Paste the selection in a text terminal.

Actual Results:  
I get the following two lines (each one ending with a newline character):

Dialog
Summary:        New Options Dialog


Expected Results:  
One should get only the word "Dialog".
With Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0, I get only “Dialog ” copied (with a space after the word “Dialog”).
Same with Mozilla/5.0 (X11; Linux x86_64; rv:2.0b13pre) Gecko/20110315 Firefox/4.0b13pre. Is that enough to consider it fixed there?

Reproduced with 3.5.17 and 3.6.14.

Probably duplicate of bug 464789 (haven't tried to reproduce), maybe even bug 461605?
Version: unspecified → 1.9.2 Branch
The space selection might be bug 452948.
I forgot... since the summary appears several times: the problem occurs only with the summary over a gray background.

I cannot reproduce bug 464789, so that it is not a duplicate (perhaps it is a MS Windows only behavior, if it is bug 452948 as suggested by Comment 3). Anyway there's much more than a trailing space here.

Bug 461605 concerns Thunderbird, and I wonder what the equivalent would be for Firefox.
Actually any selection can include invisible text, not just a double-click on a word. This is a similar problem, except that the one with a double-click on a word is worse, since even when one knows that text can be hidden with CSS, one doesn't expect more than a word to be selected in the case of a double-click on a word. However I think that the more general problem should be fixed too because it is too easy to be fooled, and fixing it would fix this particular bug as a consequence, IMHO.

FYI, about the more general problem:
  http://www.ush.it/team/ascii/hack-tricks_253C_CCC2008/wysinwyc/what_you_see_is_not_what_you_copy.txt
  http://thejh.net/misc/website-terminal-copy-paste
This bug still occurs with Firefox 39.0 under Linux, but I just get a space as in Comment 1.
Bugzilla has changed, so that the above steps to reproduce are no longer valid. This bug may actually be a combination of 2 bugs:
1. More text can be selected than the double-clicked word. See bug 1232322 (with Firefox up to 52.9.0 at least, newlines could also be selected, just as noticed above).
2. Invisible text can also be selected (with a double-click, this could partly be a consequence of the first issue, but this is also a more general problem).
You need to log in before you can comment on or make changes to this bug.