Closed
Bug 862309
Opened 11 years ago
Closed 11 years ago
"ASSERTION: Trying to compute style without PresShell" with editor, cross-document selection
Categories
(Core :: DOM: Editor, defect)
Tracking
()
People
(Reporter: jruderman, Assigned: smaug)
References
Details
(Keywords: assertion, sec-critical, testcase, Whiteboard: [adv-main22+][adv-esr1707+])
Attachments
(5 files)
|
556 bytes,
text/html
|
Details | |
|
27.13 KB,
text/plain
|
Details | |
|
1.64 KB,
patch
|
MatsPalmgren_bugz
:
review+
|
Details | Diff | Splinter Review |
|
860 bytes,
patch
|
Details | Diff | Splinter Review | |
|
1.49 KB,
patch
|
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
akeybl
:
approval-mozilla-esr17+
akeybl
:
approval-mozilla-b2g18+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
###!!! ASSERTION: Trying to compute style without PresShell: 'presShell', file /Users/jruderman/trees/mozilla-central/editor/libeditor/html/nsHTMLCSSUtils.cpp, line 592 ###!!! ASSERTION: wrong shell: '!doc || doc->GetShell() == this', file /Users/jruderman/trees/mozilla-central/layout/base/nsPresShell.cpp, line 6582 The "wrong shell" assertion was added in a security bug (bug 635852). I'm guessing this will be fixed by not allowing selections to be in other documents. That's part of the plan in bug 671152 and bug 768756, right?
|
Reporter | |
Comment 1•11 years ago
|
||
|
||
Comment 2•11 years ago
|
||
(In reply to Jesse Ruderman from comment #0) > I'm guessing this will be fixed by not allowing selections to be in other > documents. That's part of the plan in bug 671152 and bug 768756, right? Both unassigned :/
|
|
||
Comment 4•11 years ago
|
||
Mats can you help figure out the way forward here?
Flags: needinfo?(matspal)
|
|
||
Updated•11 years ago
|
Group: layout-core-security
|
||
Updated•11 years ago
|
Group: layout-core-security
|
||
Comment 5•11 years ago
|
||
Sorry, I don't have time to work on this. BTW, Core/Editor security bugs (and Range/Selection too) belongs to the DOM security group, not Layout.
Flags: needinfo?(matspal)
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → bugs
|
|
Assignee | |
Comment 7•11 years ago
|
||
This
Summary: "ASSERTION: wrong shell" with editor, cross-iframe selection → "ASSERTION: wrong shell" with editor, cross-document selection
|
|
Assignee | |
Comment 8•11 years ago
|
||
This is bad. sg-crit
|
|
||
Updated•11 years ago
|
Keywords: sec-critical
|
|
Assignee | |
Comment 9•11 years ago
|
||
(In reply to Jesse Ruderman from comment #0)> > ###!!! ASSERTION: Trying to compute style without PresShell: 'presShell', > file > /Users/jruderman/trees/mozilla-central/editor/libeditor/html/nsHTMLCSSUtils. > cpp, line 592 In other words, this is bogus > > ###!!! ASSERTION: wrong shell: '!doc || doc->GetShell() == this', file > /Users/jruderman/trees/mozilla-central/layout/base/nsPresShell.cpp, line 6582 But this is bad
|
|
Assignee | |
Comment 10•11 years ago
|
||
Bug 671152 should be fixed, but that isn't something for branches. So perhaps we should just add a simple if check for this case. Mats, what do you think?
Attachment #746610 -
Flags: review?(matspal)
|
|
||
Comment 11•11 years ago
|
||
Comment on attachment 746610 [details] [diff] [review] patch Yes, this is a good precaution. It's still caused by bug(s) in our code though so I'd like to keep the assertions in PresShell, so please add the NS_ENSURE_STATE after the DEBUG block. r=mats
Attachment #746610 -
Flags: review?(matspal) → review+
|
|
||
Comment 12•11 years ago
|
||
Fwiw, I wonder if we could something like this to reject nodes not in the same document as the Selection owner. It would throw ERROR_FAILURE which is probably wrong -- WRONG_DOCUMENT seems more appropriate. BTW, is this the authoritative spec for selectAllChildren ? https://dvcs.w3.org/hg/editing/raw-file/tip/editing.html#selections
|
|
Assignee | |
Comment 13•11 years ago
|
||
[Security approval request comment] How easily could an exploit be constructed based on the patch? Not easily Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No really Which older supported branches are affected by this flaw? All, and looks like Bug 635852 landed everywhere so this patch could also. The bug itself is old, not a recent regression. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? The patch should apply everywhere. How likely is this patch to cause regressions; how much testing does it need? Should be reasonable safe, but not risk free. Some testing is needed.
Attachment #746657 -
Flags: sec-approval?
Attachment #746657 -
Flags: approval-mozilla-esr17?
Attachment #746657 -
Flags: approval-mozilla-beta?
Attachment #746657 -
Flags: approval-mozilla-b2g18?
Attachment #746657 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 14•11 years ago
|
||
(In reply to Mats Palmgren [:mats] from comment #12) > Fwiw, I wonder if we could something like this to reject nodes not in > the same document as the Selection owner. It would throw ERROR_FAILURE > which is probably wrong -- WRONG_DOCUMENT seems more appropriate. I was thinking something similar but I think we just need bug 671152 fixed, and make sure the spec is sane. > BTW, is this the authoritative spec for selectAllChildren ? > https://dvcs.w3.org/hg/editing/raw-file/tip/editing.html#selections Kind of
|
||
Comment 15•11 years ago
|
||
Comment on attachment 746657 [details] [diff] [review] patch sec-approval+ (for m-c) after 5/14. Please make and nominate patches for affected branches.
Attachment #746657 -
Flags: sec-approval? → sec-approval+
|
|
||
Updated•11 years ago
|
Whiteboard: [checkin after 5/14]
|
||
Comment 16•11 years ago
|
||
(In reply to Mats Palmgren [:mats] from comment #12) > BTW, is this the authoritative spec for selectAllChildren ? > https://dvcs.w3.org/hg/editing/raw-file/tip/editing.html#selections It's the only spec I know of, but I sure wouldn't view it as authoritative. More like, some research went into it and it's a good starting point for discussion.
|
|
||
Updated•11 years ago
|
status-b2g18:
--- → affected
status-firefox21:
--- → wontfix
status-firefox22:
--- → affected
status-firefox23:
--- → affected
status-firefox-esr17:
--- → affected
tracking-b2g18:
--- → ?
tracking-firefox22:
--- → ?
tracking-firefox23:
--- → ?
tracking-firefox-esr17:
--- → ?
|
||
Updated•11 years ago
|
|
|
||
Updated•11 years ago
|
|
|
||
Updated•11 years ago
|
|
|
Assignee | |
Comment 17•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/a8f45cb70707
|
|
||
Updated•11 years ago
|
Attachment #746657 -
Flags: approval-mozilla-esr17?
Attachment #746657 -
Flags: approval-mozilla-esr17+
Attachment #746657 -
Flags: approval-mozilla-beta?
Attachment #746657 -
Flags: approval-mozilla-beta+
Attachment #746657 -
Flags: approval-mozilla-b2g18?
Attachment #746657 -
Flags: approval-mozilla-b2g18+
Attachment #746657 -
Flags: approval-mozilla-aurora?
Attachment #746657 -
Flags: approval-mozilla-aurora+
|
||
Comment 18•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/a8f45cb70707
Status: NEW → RESOLVED
Closed: 11 years ago
status-b2g18-v1.0.1:
--- → affected
status-firefox24:
--- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
|
|
||
Comment 19•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-b2g18/rev/ddef037b226b https://hg.mozilla.org/releases/mozilla-esr17/rev/ef7a8f39085e
status-b2g18-v1.0.0:
--- → wontfix
Whiteboard: [checkin after 5/14]
|
|
||
Comment 20•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/ef0168b5cf1c https://hg.mozilla.org/releases/mozilla-beta/rev/5a4e14b433bc
|
||
Comment 21•11 years ago
|
||
I tested this fix on Mac OSX 10.7 with Firefox 22 beta 2 debug and the testcase in this bug. The first assertion in comment 0 has disappeared, but the second one is still there, just on another line: ###!!! ASSERTION: wrong shell: '!doc || doc->GetShell() == this', file ../../../layout/base/nsPresShell.cpp, line 6604. Would you rather I filed a followup bug for that, or just reopen this one?
|
|
Assignee | |
Comment 22•11 years ago
|
||
That second one is there on purpose. See comment 11. But we'll need to fix the code to not trigger that assertion.
|
|
||
Updated•11 years ago
|
|
|
Reporter | |
Comment 23•11 years ago
|
||
Filed bug 876826. Thanks for keeping that from slipping through the cracks, Ioana.
Summary: "ASSERTION: wrong shell" with editor, cross-document selection → "ASSERTION: Trying to compute style without PresShell" with editor, cross-document selection
Whiteboard: [Unhide with bug 876826]
|
|
||
Updated•11 years ago
|
Whiteboard: [Unhide with bug 876826] → [Unhide with bug 876826][adv-main22+][adv-esr1707+]
|
|
||
Comment 24•11 years ago
|
||
Verified as fixed on Firefox 17.0.7 ESR with the same results as in comment 21. Marking as verified...
|
||
Updated•10 years ago
|
Group: core-security
|
|
Reporter | |
Updated•9 years ago
|
Whiteboard: [Unhide with bug 876826][adv-main22+][adv-esr1707+] → [adv-main22+][adv-esr1707+]
You need to log in
before you can comment on or make changes to this bug.
Description
•