Closed
Bug 812744
Opened 12 years ago
Closed 12 years ago
Compartment mismatch with onevent attribute
Categories
(Core :: DOM: Events, defect)
Tracking
()
RESOLVED
FIXED
mozilla20
Tracking | Status | |
---|---|---|
firefox18 | --- | unaffected |
firefox19 | + | fixed |
firefox20 | --- | fixed |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
People
(Reporter: jruderman, Assigned: bzbarsky)
References
Details
(Keywords: assertion, sec-critical, testcase, Whiteboard: [adv-main19-])
Attachments
(4 files, 3 obsolete files)
416 bytes,
text/html
|
Details | |
17.70 KB,
text/plain
|
Details | |
4.11 KB,
patch
|
smaug
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
14.38 KB,
patch
|
sicking
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
Assertion failure: false (compartment mismatched), at js/src/jscntxtinlines.h:204
Reporter | ||
Comment 1•12 years ago
|
||
Assignee | ||
Comment 3•12 years ago
|
||
Hrm. So the issue here is that we're doing the setAttribute after the subframe has finished loading. And we're doing it on the default compartment of the script context... but the script context is now attached to the new page that's been loaded. So we get a handler compiled that's not same-compartment with the node it's on.
Assignee | ||
Updated•12 years ago
|
tracking-firefox19:
--- → ?
Assignee | ||
Comment 4•12 years ago
|
||
So in a build from before bug 807226, what happens is that we call the onmouseleave getter, go to compile the handler, compile it in the compartment of the new web page in the subframe (I think that's a pretty bad bug!) then go to call nsJSContext::BindCompiledEventHandler. In this function we wrap the target (which is the about:blank <html> element), and we wrap it into the correct about:blank compartment, as expected. So the bound function ends up in the right compartment and we don't get the assert.
Of course we still compiled the function in the wrong compartment, which is really really scary to me. :(
Assignee | ||
Comment 5•12 years ago
|
||
So in a current build, at first things go the same way. We compile an event handler, then we go to bind it. At this point the aScope we're passing in is a proxy and the aHandler is compiled in the compartment of the new subframe page. The proxy is also from that post-load subframe compartment, note. And the reason for that is that in nsEventListenerManager::SetEventHandler (the one that takes a string) we got the scope from doc->GetScriptGlobalObject(), which claims to return the inner window... but will return the _outer_ window for unloaded documents.
In any case, we call the event handler constructor, and pass it the scope thing as aOwner. But event handlers make sure to wrap their callable into the owner compartment, so we take our cloned-into-the-right-compartment function and wrap it into the aOwner compartment, which is not the compartment we want here.
So I guess the fact that we compile initially in the new-page compartment is not really necessarily a huge problem, since we never actually run that function, and binding clones into a different compartment, instead of just proxying.
But we should definitely stop using GetScriptGlobalObject here and use GetScopeObject instead, as far as I can tell. I'll do that tomorrow.
Assignee: nobody → bzbarsky
Assignee | ||
Comment 6•12 years ago
|
||
Try run for that change: https://tbpl.mozilla.org/?tree=Try&rev=975a85b3f758
Assignee | ||
Comment 7•12 years ago
|
||
OK, using the scope object makes us fail the test for bug 379120. Presumably because the transformed document has a non-null scope object or something? I'll poke at it a bit more... Maybe the right answer is to get the script global, and if non-null _then_ use the scope object.
Assignee | ||
Comment 8•12 years ago
|
||
Please let me know if you want me to not check in the comments or the testcase for some reason. I see no reason to, since this is a pure-trunk issue.
Attachment #682815 -
Flags: review?(bugs)
Updated•12 years ago
|
status-firefox18:
--- → unaffected
status-firefox19:
--- → affected
Assignee | ||
Updated•12 years ago
|
Whiteboard: [need review]
Comment 9•12 years ago
|
||
Comment on attachment 682815 [details] [diff] [review]
Use the document scope object, not the script global, to find the JSObject to use as a scope when creating event handlers. option would be to just explicitly wrap the node and use that, for what it's worth. That wouldn't give us an nsIScriptContext, th
># HG changeset patch
># User Boris Zbarsky <bzbarsky@mit.edu>
># Date 1353180302 28800
># Node ID a8b024b7df554daacd5d64f0230f51a72008e605
># Parent 750cb3a1d08fdb3e71a5c2c52399f09a3a384a96
>Bug 812744. Use the document scope object, not the script global, to find the JSObject to use as a scope when creating event handlers. r=smaug
>
>Anoother option would be to just explicitly wrap the node and use that, for what it's worth. That wouldn't give us an nsIScriptContext, though.
>
>diff --git a/content/events/src/nsEventListenerManager.cpp b/content/events/src/nsEventListenerManager.cpp
>--- a/content/events/src/nsEventListenerManager.cpp
>+++ b/content/events/src/nsEventListenerManager.cpp
>@@ -599,17 +599,42 @@ nsEventListenerManager::SetEventHandler(
>
> nsCOMPtr<nsIScriptGlobalObject> global;
>
> if (node) {
> // Try to get context from doc
> // XXX sXBL/XBL2 issue -- do we really want the owner here? What
> // if that's the XBL document?
> doc = node->OwnerDoc();
>- global = doc->GetScriptGlobalObject();
>+ // This is all a bit of a mess:
>+ // 1) GetScriptGlobalObject usually returns the inner window, but after a
>+ // document has been unloaded it starts returning the outer window(!!.
>+ // 2) GetScriptHandlingObject will return the window of some random other
>+ // document for data documents (XHR, XSLT result documents).
Why random? XHR should pass its GetOwner() as the scripthandling object to the document.
IIRC also XSLT
>+ // 3) GetScopeObject will do the same as GetScriptHandlingObject, but
>+ // return null for non-data documents that have been unloaded.
>+ // 4) GetInnerWindow returns exactly the same thing as
>+ // GetScriptGlobalObject once mRemovedFromDocShell becomes true. In
>+ // particular, it starts returning the outer window(!!).
True, IIRC I just changed something to be inline in common case but didn't change the behavior that
mrbkap was fixing.
>+ // So the upshot is there is no way to get the real inner window... and even
>+ // no good way to know that you can't get it. Also, this is all way
>+ // over-complicated. :(
What is wrong with GetScriptHandlingObject?
Comment 10•12 years ago
|
||
Comment on attachment 682815 [details] [diff] [review]
Use the document scope object, not the script global, to find the JSObject to use as a scope when creating event handlers. option would be to just explicitly wrap the node and use that, for what it's worth. That wouldn't give us an nsIScriptContext, th
r- because I don't understand what is wrong with GetScriptHandlingObject
Attachment #682815 -
Flags: review?(bugs) → review-
Assignee | ||
Comment 11•12 years ago
|
||
> Why random? XHR should pass its GetOwner() as the scripthandling object to the document.
From the point of view of this code, I believe that's equivalent to "random"....
> What is wrong with GetScriptHandlingObject?
It makes us compile onfoo attributes in XHR documents and XSLT result documents. In addition to failing our test suite (see comment 7), that just seems wrong. It'd definitely freak out web developers to see syntax errors for event handlers in XHR result documents suddenly appear in their error consoles!
Comment 12•12 years ago
|
||
GetScriptHandlingObject should work here.
In case of non-browsing-context-documents it uses the slow path nsDocument::GetScriptHandlingObjectInternal()
That shouldn't return anything random.
Assignee | ||
Comment 13•12 years ago
|
||
OK. In that case, I need to flag XSLT result documents as data documents. I just tested Safari and Chrome, and in both the handler is not compiled. It _is_ compiled in Opera, but Opera also compiles event handlers in XHR result documents, so I'm not going to worry about its behavior here. IE doesn't seem to expose the same API for scripted XSLT, so no idea whether that's even possible there.
Comment 14•12 years ago
|
||
Oh, so I thought event handlers should be compiled (to not regress existing Gecko behavior) in
XSLT documents. But ok, I see GetScriptGlobalObject returns null for XSLT docs.
In that case making them data documents sounds ok.
Assignee | ||
Comment 15•12 years ago
|
||
Attachment #683445 -
Flags: review?(jonas)
Assignee | ||
Comment 16•12 years ago
|
||
Attachment #683446 -
Flags: review?(bugs)
Assignee | ||
Updated•12 years ago
|
Attachment #682815 -
Attachment is obsolete: true
Assignee | ||
Comment 17•12 years ago
|
||
Attachment #683460 -
Flags: review?(bugs)
Assignee | ||
Updated•12 years ago
|
Attachment #683446 -
Attachment is obsolete: true
Attachment #683446 -
Flags: review?(bugs)
Comment 18•12 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #17)
> Created attachment 683460 [details] [diff] [review]
> We really do need the scope object, not the script handling object!
Why? We shouldn't be handling events in unloaded documents (at least not with the current
setup where we do inner window checks.)
Assignee | ||
Comment 19•12 years ago
|
||
We shouldn't be _handling_ events, but we should still be compiling the handlers, imo, both to keep compat with what we do now and per spec.
Note that a document can go from unloaded to loaded with bfcache...
Comment 20•12 years ago
|
||
Comment on attachment 683460 [details] [diff] [review]
We really do need the scope object, not the script handling object!
Ok. I'm not quite happy with this setup but who can.
Need to sort out the scriptglobal/scopeobject/scripthandlingobject mess.
Attachment #683460 -
Flags: review?(bugs) → review+
The!! aResult test here isn't that great. It might very well break in the future. Could you pass an explicit flag to TransformToDoc instead?
Assignee | ||
Updated•12 years ago
|
Attachment #683445 -
Attachment is obsolete: true
Attachment #683445 -
Flags: review?(jonas)
Comment on attachment 683896 [details] [diff] [review]
XSLT patch with explicit boolean flag
Review of attachment 683896 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks!
Attachment #683896 -
Flags: review?(jonas) → review+
Assignee | ||
Comment 24•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/288c74d7f87d
https://hg.mozilla.org/integration/mozilla-inbound/rev/26c59f23fd8f
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla20
Assignee | ||
Comment 25•12 years ago
|
||
Comment on attachment 683460 [details] [diff] [review]
We really do need the scope object, not the script handling object!
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 807226, sort of
User impact if declined: Compartment mismatches, possible security bugs
Testing completed (on m-c, etc.): Passes automated tests
Risk to taking this patch (and alternatives if risky): Risk is medium. I'm not
sure there are great alternatives, unfortunately.
String or UUID changes made by this patch: None
Attachment #683460 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 26•12 years ago
|
||
Comment on attachment 683896 [details] [diff] [review]
XSLT patch with explicit boolean flag
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Needed so that the patch that fixes
this bug doesn't regress tests.
User impact if declined: Same as main patch.
Testing completed (on m-c, etc.): Same as main patch.
Risk to taking this patch (and alternatives if risky): Low risk.
String or UUID changes made by this patch: None.
Attachment #683896 -
Flags: approval-mozilla-aurora?
Updated•12 years ago
|
Keywords: sec-critical
Comment 27•12 years ago
|
||
Sorry, something in your push turned the mochitests orange. I had to back the entire thing out.
https://hg.mozilla.org/integration/mozilla-inbound/rev/461a2225b7ba
Target Milestone: mozilla20 → ---
Updated•12 years ago
|
Updated•12 years ago
|
Attachment #683460 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora-
Comment 28•12 years ago
|
||
Comment on attachment 683896 [details] [diff] [review]
XSLT patch with explicit boolean flag
Waiting for the regression fix before taking on Aurora.
Attachment #683896 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora-
Assignee | ||
Comment 29•12 years ago
|
||
The orange was from bug 812392. Repushed:
https://hg.mozilla.org/integration/mozilla-inbound/rev/4922fb9226a5
https://hg.mozilla.org/integration/mozilla-inbound/rev/33bbef69d5e0
Target Milestone: --- → mozilla20
Assignee | ||
Updated•12 years ago
|
Attachment #683896 -
Flags: approval-mozilla-aurora- → approval-mozilla-aurora?
Assignee | ||
Updated•12 years ago
|
Attachment #683460 -
Flags: approval-mozilla-aurora- → approval-mozilla-aurora?
Comment 30•12 years ago
|
||
Comment 31•12 years ago
|
||
Comment on attachment 683460 [details] [diff] [review]
We really do need the scope object, not the script handling object!
Fixing a medium risk sec-critical regression while it's still on Aurora is righteous. If there are specific things that QA can test manually, please add qawanted/verifyme here along with a description of requested testing.
Attachment #683460 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•12 years ago
|
Attachment #683896 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 32•12 years ago
|
||
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox-esr17:
--- → unaffected
Updated•12 years ago
|
Whiteboard: [adv-main19-]
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•