Closed Bug 64539 Opened 24 years ago Closed 18 years ago

ftp dir listing can't give about:blank permission to access it

Categories

(Core :: Security, defect, P3)

Product:
Core
Component:
Security
Platform:
x86
Windows 98
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Milestone:
Future

People

(Reporter: jruderman, Assigned: dveditz)

References

(
URL
)

Details

Steps to reproduce: 1. Go to ftp://ftp.mozilla.org. 2. javascript:void(window.open("about:blank").document.write("foo")) . 3. javascript:alert(opener.document) in the new window. Result: NS_ERROR_DOM_PROP_ACCESS_DENIED on console. Expected result: alert with "[object HTMLDocument]" or something similar. This breaks my proptree bookmarklet <http://www.cs.hmc.edu/~jruderma/mozilla/proptree/> on ftp sites. This doesn't happen with text files (such as README) served over ftp. I don't know whether it happens with html files served over ftp.
Does this code work as expected on an http:// site? There is a known problem with Mozilla returning unedfined as a result of document.open() ....
Yes, the code works fine on http:// sites (at least for html files served over http).
The problem is that directory listing screens are chrome documents; they actually have the system principal rather than the site's principal. I'm guessing the bookmarklet is being given the site's principal, which is being refused access. Maybe we can insert the correct principal...if that doesn't break the directory listing.
Status: NEW → ASSIGNED
Mass changing milestones to Moz0.9.1. Many of these bugs are dependent on the XPConnected DOM and its associated security UI changes.
Target Milestone: --- → mozilla0.9.1
Target Milestone: mozilla0.9.1 → mozilla0.9.2
I don't think this is necessary for RTM, but the fact that directory listings are chrome URLs may cause other failures or exploits. Reassigning to Jesse for more exploration. Jesse, could you see if it's possible to run JS code in a directory listing page, or similar weirdness?
Assignee: mstoltz → jesse
Status: ASSIGNED → NEW
Target Milestone: mozilla0.9.2 → mozilla0.9.3
Priority: -- → P2
Priority: P2 → P3
Target Milestone: mozilla0.9.3 → mozilla0.9.4
Target Milestone: mozilla0.9.4 → mozilla0.9.6
I'm not going to have much time to do Mozilla development this semester, so giving back to Mitch.
Assignee: jruderman → mstoltz
QA Contact: ckritzer → bsharma
Future.
Status: NEW → ASSIGNED
Target Milestone: mozilla0.9.6 → Future
I retried the 3 steps as documented in the description. Step 1 works, Step 2 opens a second window "foo", Step 3 doesn't do anything... Is this normal? Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050514
Thomas, check your JS console and compare your result to the "expected result" in comment 0. Sounds to me like you're reproducing this bug quite nicely, which shouldn't be too surprising, since nothing has happened to fix it.
Assignee: security-bugs → dveditz
Status: ASSIGNED → NEW
QA Contact: bsharma → toolkit
WFM in Firefox trunk, which doesn't use XUL trees for FTP directory listings.
This bug might be related to bug 332182.
Worth retesting, but I'm probably going to have some special checks for chrome principals in that patch. On the other hand, are ftp:// results really chrome? If so, we should fix that ASAP.
Depends on: 332182
> are ftp:// results really chrome? If so, we should fix that ASAP. They may be chrome documents (I'll go check) but they definitely no longer have chrome permission -- javascript:alert(Components.stack); fails correctly. That comment was specifically about the generated directory listing, an HTML file loaded over ftp always had the correct principal.
Ah, ok. In that case yes, bug 332182 may help here. If I ever get time to finish it. :(
Bug 332182 landed... we should retest this, if I can figure out how to turn on the XUL viewer...
This works for me, both before and after patch for bug 332182.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.