Closed Bug 97044 Opened 24 years ago Closed 24 years ago

PSM is passing null string to preferences [@ nsPrefBranch::QueryObserver]

Categories

(Core Graveyard :: Security: UI, defect, P1)

Product:
Core Graveyard
Component:
Security: UI
Version:
Other Branch
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
psm2.1

People

(Reporter: dbaron, Assigned: inactive-mailbox)

References

Details

(Keywords: crash, topcrash, Whiteboard: critical for 0.9.4)

Crash Data

Attachments

(4 files)

Patch v.1
1.08 KB, patch
Details | Diff | Splinter Review
Patch v.2
3.02 KB, patch
Details | Diff | Splinter Review
Patch v. 3
3.94 KB, patch
Details | Diff | Splinter Review
Patch rev. 1b
2.92 KB, patch
Details | Diff | Splinter Review
The fix for bug 44042, specifically, the change to the beginning of nsNSSDialogs::ConfirmDialog, caused a topcrash with the following stack: nsPrefBranch::QueryObserver [d:\builds\seamonkey\mozilla\modules\libpref\src\nsPrefBranch.cpp line 697] nsPrefBranch::GetBoolPref [d:\builds\seamonkey\mozilla\modules\libpref\src\nsPrefBranch.cpp line 174] nsPrefService::GetBoolPref [d:\builds\seamonkey\mozilla\modules\libpref\src\nsPrefService.h line 42] nsPref::GetBoolPref [d:\builds\seamonkey\mozilla\modules\libpref\src\nsPref.cpp line 194] nsNSSDialogs::ConfirmDialog [d:\builds\seamonkey\mozilla\security\manager\pki\src\nsNSSDialogs.cpp line 578] nsNSSDialogs::ConfirmPostToInsecureFromSecure [d:\builds\seamonkey\mozilla\security\manager\pki\src\nsNSSDialogs.cpp line 563] nsSecureBrowserUIImpl::ConfirmPostToInsecureFromSecure [d:\builds\seamonkey\mozilla\security\manager\ssl\src\nsSecureBrowserUIImpl.cpp line 819] nsSecureBrowserUIImpl::CheckPost [d:\builds\seamonkey\mozilla\security\manager\ssl\src\nsSecureBrowserUIImpl.cpp line 611] nsSecureBrowserUIImpl::Notify [d:\builds\seamonkey\mozilla\security\manager\ssl\src\nsSecureBrowserUIImpl.cpp line 261] nsFormFrame::OnSubmit [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsFormFrame.cpp line 874] ... The null check for prefName was needed because of ConfirmPostToInsecureFromSecure, which passes a pref name of |nsnull| with the comment "No preference for this one - it's too important". I think the simple fix for this would be to revert that +5/-5 change. This is the #1 not-yet-fixed topcrash on the trunk for the period 8-22 to 8-24.
Keywords: topcrash
Whiteboard: critical for 0.9.4
Target -> 2.1 Assigning to Kai to see what he makes of it.
Assignee: javi → kai.engert
Priority: -- → P1
Target Milestone: --- → 2.1
Attached patch Patch v.1Splinter Review
This is my fault. :-( I assumed the preferences would do something sensible with a null string. On reflection, though, exactly what is sensible isn't entirely obvious. The above patch should fix it - I'm currently building it, but a URL where you submit secure_to_insecure would be very useful for testing. Feedback on whether it's the _right_ fix also welcome. Gerv
Assignee: kai.engert → gerv
Seems right to me. r=dbaron
Attached patch Patch v.2Splinter Review
Hmm, I did some work on this, too, in the same time. I basically agree, but have additional comments. Gervase obviously assumed that GetBoolPref will simply fail (but not abort or crash) if the passed prefName is null, because program flow is intended to continue in that case. However, this assumption about GetBoolPref's behaviour is wrong, as we learn from the crash. To fix this, we need to prevent the call to GetBoolPref with a nsnull prefName parameter. As the same code appears twice in the same source file, I changed both locations, which only can add safety. I suggest the patch that I'll attach after this comment. Something else I'd just like to make sure, please advice: Gervase commented that "showAgainName" may now be null, too. Whether there is another possibility for a crash depends on the behaviour nsAutoString. Question: Is it safe to do nsAutoString str(nsnull); i.e. will this be a valid empty string? Ok, but even if it is, nsPromptServer::ConfirmEx will receive a valid checkMsg parameter, although the passed string is of zero length. And this causes the prompt dialog to contain a ghost checkbox, i.e. a checkbox the user can click, but no text will be displayed to the right of the checkbox. I've actually seen this sometimes in the past, but was never able to (or really tried) to reproduce it. I'm suggesting code to ConfirmDialog that cares for the !showAgainName scenario. It will pass a real nsnull to ConfirmEx, preventing a ghost checkbox. ... For later discussion: Should we add the logic to prevent a ghost checkbox directly to nsPromptService::ConfirmEx, by adding a test for a non-zero length of checkMsg ? dbaron, can you please review?
Status: NEW → ASSIGNED
Regarding the requested test case: You can use https://www.kuix.de/misc/test5/ which always posts to http, regardless whether this page was accessed with https or http.
-> Kai
Assignee: gerv → kai.engert
Status: ASSIGNED → NEW
This still won't work because of a typo in security.properties: PostToInsecurefromSecureMessage should be PostToInsecureFromSecureMessage That needs fixing as well. But I'll give up now and leave kai on the case :-) Gerv
It doesn't really make sense to change AlertDialog to support a null prefName but not a null showAgainName if neither are ever passed to it. I think it would be better to either leave it as is, or add support for both to keep it in parallel with ConfirmDialog. Other than that, and what Gerv mentioned, it looks fine.
I don't want to change nsNSSDialogs::AlertDialog without changing nsPromptService::AlertCheck, because AlertCheck doesn't check for a null checkMsg. ConfirmEx makes this check. To avoid making bigger changes, I take your recommandation and leave AlertCheck/AlertDialog as it is. I'm creating a new patch, where I add in Gerv's typo fix.
Status: NEW → ASSIGNED
I don't think there's any need to have |actualAlertMsg| -- |alertMe.get()| should return null if the nsXPIDLString wasn't initialized (I think). Otherwise r=dbaron.
dbaron, you are right, I just tested this. I assumed it to return a non-null pointer to a zero length area. But it indeed returns null and actualCheckMsg ist therefore not required. That means, Gerv's suggestions will be sufficient.
But I thought you did want that null check for showAgainName, just not the extra string?
I tried what happens if const PRUnichar *showAgainName = 0; nsXPIDLString alertMe; mStringBundle->GetStringFromName(showAgainName, getter_Copies(alertMe)); is executed. After the call to GetStringFromName, alertMe.get() is nil. GetStringFromName already behaves safe. But if you prefer, I'll add the check back.
ok, r=dbaron either way, although I'd slightly prefer having the check
a=asa on behalf of drivers.
Patch checked in, including the additional safety check.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Keywords: crash
*** Bug 97210 has been marked as a duplicate of this bug. ***
*** Bug 97316 has been marked as a duplicate of this bug. ***
Verified on 2001-08-30-Trunk build on WinNT The test case https://www.kuix.de/misc/test5/ did posts to http. Verified bugs 97210 and 97316 and they also work fine.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Crash Signature: [@ nsPrefBranch::QueryObserver]
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: