BatteryManager should initialize mScriptContext and mOwner

RESOLVED FIXED in Firefox 11

Status

()

Core
DOM
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: smaug, Assigned: mounir)

Tracking

({regression})

Trunk
mozilla10
regression
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox8- unaffected, firefox9- unaffected, firefox10- wontfix, firefox11+ fixed, firefox-esr10 wontfix, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical][needs branch][qa-])

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

6 years ago
BatteryManager should initialize mScriptContext and mOwner. Not having the right
context for event handlers has traditionally caused security problems.
(I'm not sure if that situation has changed, or whether we still need to make sure
that right JSContext gets pushed to stack.)

Also, BatteryManager should probably extend nsDOMEventTargetWrapperCache, not
nsDOMEventTargetHelper. (We're trying get those two merged once there are no
nsDOMEventTargetHelper users.)
(Assignee)

Updated

6 years ago
OS: Linux → All
Hardware: x86_64 → All
Version: unspecified → Trunk
This has led to security problems in the past so let's assume worst case. Either way should fix soon.
Keywords: regression
Whiteboard: [sg:critical]
Mounir, can you look into this one?
Assignee: nobody → mounir
status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox8: --- → unaffected
status-firefox9: --- → unaffected
tracking-firefox10: --- → +
tracking-firefox11: --- → +
tracking-firefox8: --- → -
tracking-firefox9: --- → -
(Assignee)

Comment 3

6 years ago
Created attachment 575437 [details] [diff] [review]
Patch v1
Attachment #575437 - Flags: review?(bugs)
(Assignee)

Updated

6 years ago
Whiteboard: [sg:critical] → [sg:critical][needs review]
(Reporter)

Comment 4

6 years ago
Comment on attachment 575437 [details] [diff] [review]
Patch v1

So if you call navigator.mozBattery twice, you may get an uninitialized BatteryManager.

Please assign some value to mBatteryManager only if the initialization succeeded.
Also, please make sure *aBattery is set to null if not to a valid BatteryManager.
Attachment #575437 - Flags: review?(bugs) → review-
(Assignee)

Comment 5

6 years ago
Created attachment 575452 [details] [diff] [review]
Patch v1.1 with a comment
Attachment #575452 - Flags: review?(bugs)
(Assignee)

Updated

6 years ago
Attachment #575437 - Attachment is obsolete: true
(Reporter)

Comment 6

6 years ago
Comment on attachment 575452 [details] [diff] [review]
Patch v1.1 with a comment


> class BatteryManager : public nsIDOMBatteryManager
>-                     , public nsDOMEventTargetHelper
>+                     , public nsDOMEventTargetWrapperCache
>                      , public BatteryObserver
As I said in some other bug, nsDOMEventTargetWrapperCache should be the first one to inherit.
Attachment #575452 - Flags: review?(bugs) → review+
(Assignee)

Updated

6 years ago
Flags: in-testsuite+
Whiteboard: [sg:critical][needs review] → [sg:critical]
Target Milestone: --- → mozilla11
(Assignee)

Updated

6 years ago
Target Milestone: mozilla11 → mozilla10
(Assignee)

Updated

6 years ago
Attachment #575452 - Flags: checkin+
(Assignee)

Updated

6 years ago
Attachment #575452 - Flags: approval-mozilla-aurora?
(Assignee)

Updated

6 years ago
Flags: in-testsuite+ → in-testsuite?
(Assignee)

Updated

6 years ago
Whiteboard: [sg:critical] → [sg:critical][needs branch]
(Assignee)

Comment 7

6 years ago
https://hg.mozilla.org/mozilla-central/rev/56bf0f8537fa
status-firefox11: affected → fixed
status1.9.2: --- → unaffected

Comment 8

6 years ago
Comment on attachment 575452 [details] [diff] [review]
Patch v1.1 with a comment

[triage comment]
We don't intend to take this feature on Firefox 10 / aurora so we don't need to take this. Denying approval.
Attachment #575452 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora-
(Assignee)

Comment 9

6 years ago
This feature *is* in Firefox 10...
(Assignee)

Updated

6 years ago
Attachment #575452 - Flags: approval-mozilla-aurora- → approval-mozilla-aurora?

Comment 10

6 years ago
Right, and the intention is to back it out / pref it off I believe.
(Assignee)

Comment 11

6 years ago
(In reply to Christian Legnitto [:LegNeato] from comment #10)
> Right, and the intention is to back it out / pref it off I believe.

It is indeed: there is a patch to pref it off but I believe it's better to have this security bug fixed even if the feature is hidden behind a pref. It doesn't hurt.
Comment on attachment 575452 [details] [diff] [review]
Patch v1.1 with a comment

[Triage Comment]
Per previous agreement, the battery API is pref'd off in 10 (see bug 703568). This bug is fixed in 11 and will therefore be corrected when the pref is on by default. We do not plan to take any further Battery API changes in 10.
Attachment #575452 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora-

Updated

6 years ago
tracking-firefox10: + → -
(Assignee)

Updated

6 years ago
status-firefox10: affected → wontfix
This is fixed everywhere where it needs to be fixed now, right? If so, can we close this bug?
(Assignee)

Comment 14

5 years ago
(In reply to Johnny Stenback (:jst, jst@mozilla.com) from comment #13)
> This is fixed everywhere where it needs to be fixed now, right? If so, can
> we close this bug?

This should have been fixed when I pushed the patch to m-c. Sorry about that.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
[Triage comment]

This bug is being tracked for landing on ESR branch.  Please land patches on http://hg.mozilla.org/releases/mozilla-esr10/by Thursday March 1, 2012 in order to be ready for go-to-build on Friday March 2, 2012.

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more information.
tracking-firefox-esr10: --- → 11+
(Assignee)

Comment 16

5 years ago
(In reply to Lukas Blakk [:lsblakk] from comment #15)
> [Triage comment]
> 
> This bug is being tracked for landing on ESR branch.  Please land patches on
> http://hg.mozilla.org/releases/mozilla-esr10/by Thursday March 1, 2012 in
> order to be ready for go-to-build on Friday March 2, 2012.
> 
> See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more
> information.

I do not understand why we want this to be in ESR given that ESR is using Gecko 10 and Gecko 10 doesn't have Battery API enabled by default. I've been told that I shouldn't push that patch to 10 because of that. Why is that different for ESR?
[Triage Comment]
Sorry, mass modify - closer examination, you're right we don't need this.
tracking-firefox-esr10: 11+ → ---
status-firefox-esr10: --- → unaffected
Does this affect Firefox Desktop? Is there anything QA can do to verify this fix?
Whiteboard: [sg:critical][needs branch] → [sg:critical][needs branch][qa?]
(Assignee)

Comment 19

5 years ago
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #18)
> Does this affect Firefox Desktop?

Yes.

> Is there anything QA can do to verify this fix?

That, I don't know. Olli, is there any way to reproduce this?
(Reporter)

Comment 20

5 years ago
Some über-tricky JS tests
qa- unless someone can find a simpler way to verify this fix. Otherwise, we will rely on someone who is already capable of reproducing the issue to verify the fix.
Whiteboard: [sg:critical][needs branch][qa?] → [sg:critical][needs branch][qa-]
Isn't this more of a "wontfix" for ESR? the feature is there like on 10, we're just relying on people not turning the pref on. For the actual Fx10 we only have to worry about that for 6 weeks, but for the ESR people could flip the pref anytime in the next year if some cool site insists they have a case for it.
status-firefox-esr10: unaffected → wontfix
Group: core-security
You need to log in before you can comment on or make changes to this bug.