Closed Bug 879537 Opened 11 years ago Closed 11 years ago

Contacts: Be more strict when setting date properties

Categories

(Core :: DOM: Device Interfaces, defect)

Product:
Core
Component:
DOM: Device Interfaces
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla24

People

(Reporter: reuben, Assigned: reuben)

References

Details

(Whiteboard: [fixed-in-birch][systemsfe])

Attachments

(1 file, 2 obsolete files)

Patch
1.22 KB, patch
gwagner
: review+
Details | Diff | Splinter Review 
Found by the fuzzer, if you pass an object as one of the Date properties you get 'JavaScript Error: "can't convert aBday to primitive type"'.
Attachment #758262 - Flags: review?(anygregor)
Comment on attachment 758262 [details] [diff] [review]
Only accept strings and Date instances for Date properties

Review of attachment 758262 [details] [diff] [review]:
-----------------------------------------------------------------

+testcase please.
thanks!
Attachment #758262 - Flags: review?(anygregor) → review+
Attached patch Slightly better version (obsolete) — Splinter Review 
I can't actually reduce the testcase… I know that specific value that's causing it, but I'm having a hard time replicating it in a reduced testcase. Apparently it even depends on the values in the blob's view.
Attachment #758262 - Attachment is obsolete: true
Attachment #759992 - Flags: review?(anygregor)
(In reply to Reuben Morais [:reuben] from comment #2)
> I can't actually reduce the testcase… I know that specific value that's
> causing it, but I'm having a hard time replicating it in a reduced testcase.
> Apparently it even depends on the values in the blob's view.

Ugh, I blame the deep fried sandwich, it's affecting my brain. Let's try that again:

I know the value that causes the error, it happens whenever I pass an object with a blob property as one of the Date attributes (bday, anniversary). The assertion comes from the Date constructor, since it tries to do ToPrimitive on the passed value, and fails. This patch worksaround that by only calling new Date() when the value is a string, or a number, and skips that entirely if it's already a Date instance. Can I land this without a test? :)
Comment on attachment 759992 [details] [diff] [review]
Slightly better version

Review of attachment 759992 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/contacts/ContactManager.js
@@ -423,5 @@
> -      // if (aBday instanceof Date) {
> -      //   this._bday = aBday;
> -      // } else if (typeof aBday === "string" || typeof aBday === "number") {
> -      //   this._bday = new Date(aBday);
> -      // }

Hm can you upload that again? I would like to see the original version :) I hope that's not the code that is checked in.
So now that WebIDL contacts is about to land, it'll only make sense to land this in b2g18… How should I proceed?
(In reply to Reuben Morais [:reuben] from comment #5)
> So now that WebIDL contacts is about to land, it'll only make sense to land
> this in b2g18… How should I proceed?

Still land it on birch first so we have the same code if the webidl patch gets backed out.
Attached patch PatchSplinter Review 

        Attachment #759992 -
        Attachment is obsolete: true

        Attachment #759992 -
        Flags: review?(anygregor)

        Attachment #761644 -
        Flags: review?(anygregor)

    
    

    
  
Also, I think the problem here is that XPConnect treats Dates as JSObjects under the hood, and doesn't filter out garbage that is not a date :(

        Attachment #761644 -
        Flags: review?(anygregor) → review+

    
    

    
  
Thanks!

https://hg.mozilla.org/projects/birch/rev/5d42d5a6a922
Whiteboard: [fixed-in-birch]

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/5d42d5a6a922
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24

    
    

    
  
We don't want exceptions in our contactManager code that could completely break the contacts, sms, dialer.... app.
blocking-b2g: --- → leo?

    
    

    
  
:gwagner , Is this testable ?How sure can we be that they will be no fallouts and how risky is the patch?

    
    

    
  
needsinfo on :gwagner here.
Flags: needinfo?(anygregor)

    
    

    
  
ni? reporter: can you describe the user impact here so triage can decide on if this should block?
Flags: needinfo?(reuben.bmo)

    
    

    
  
(In reply to bhavana bajaj [:bajaj] from comment #12)
> :gwagner , Is this testable ?How sure can we be that they will be no
> fallouts and how risky is the patch?

Pretty sure. This patch only reduces the types of input we accept, making the chance of fallouts minimal.

(In reply to Wayne Chang [:wchang] from comment #14)
> ni? reporter: can you describe the user impact here so triage can decide on
> if this should block?

If a malicious or broken app uses the Contacts API incorrectly, we'll die inside chrome code, with no useful information to the user/developer of what went wrong. The app will very likely stop running correctly.
Flags: needinfo?(reuben.bmo)
Flags: needinfo?(anygregor)

    
    

    
  
This could be taken as an improvement on v1.2 but given comment 15 not a blocker as of today we are on par with 1.0.1 and this is an enhancement to the existing state but would not block.
blocking-b2g: leo? → koi?
Whiteboard: [fixed-in-birch] → [fixed-in-birch][systemsfe]
blocking-b2g: koi? → ---

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: