Closed
Bug 97044
Opened 23 years ago
Closed 23 years ago
PSM is passing null string to preferences [@ nsPrefBranch::QueryObserver]
Categories
(Core Graveyard :: Security: UI, defect, P1)
Tracking
(Not tracked)
VERIFIED
FIXED
psm2.1
People
(Reporter: dbaron, Assigned: inactive-mailbox)
References
Details
(Keywords: crash, topcrash, Whiteboard: critical for 0.9.4)
Crash Data
Attachments
(4 files)
1.08 KB,
patch
|
Details | Diff | Splinter Review | |
3.02 KB,
patch
|
Details | Diff | Splinter Review | |
3.94 KB,
patch
|
Details | Diff | Splinter Review | |
2.92 KB,
patch
|
Details | Diff | Splinter Review |
The fix for bug 44042, specifically, the change to the beginning of nsNSSDialogs::ConfirmDialog, caused a topcrash with the following stack: nsPrefBranch::QueryObserver [d:\builds\seamonkey\mozilla\modules\libpref\src\nsPrefBranch.cpp line 697] nsPrefBranch::GetBoolPref [d:\builds\seamonkey\mozilla\modules\libpref\src\nsPrefBranch.cpp line 174] nsPrefService::GetBoolPref [d:\builds\seamonkey\mozilla\modules\libpref\src\nsPrefService.h line 42] nsPref::GetBoolPref [d:\builds\seamonkey\mozilla\modules\libpref\src\nsPref.cpp line 194] nsNSSDialogs::ConfirmDialog [d:\builds\seamonkey\mozilla\security\manager\pki\src\nsNSSDialogs.cpp line 578] nsNSSDialogs::ConfirmPostToInsecureFromSecure [d:\builds\seamonkey\mozilla\security\manager\pki\src\nsNSSDialogs.cpp line 563] nsSecureBrowserUIImpl::ConfirmPostToInsecureFromSecure [d:\builds\seamonkey\mozilla\security\manager\ssl\src\nsSecureBrowserUIImpl.cpp line 819] nsSecureBrowserUIImpl::CheckPost [d:\builds\seamonkey\mozilla\security\manager\ssl\src\nsSecureBrowserUIImpl.cpp line 611] nsSecureBrowserUIImpl::Notify [d:\builds\seamonkey\mozilla\security\manager\ssl\src\nsSecureBrowserUIImpl.cpp line 261] nsFormFrame::OnSubmit [d:\builds\seamonkey\mozilla\layout\html\forms\src\nsFormFrame.cpp line 874] ... The null check for prefName was needed because of ConfirmPostToInsecureFromSecure, which passes a pref name of |nsnull| with the comment "No preference for this one - it's too important". I think the simple fix for this would be to revert that +5/-5 change. This is the #1 not-yet-fixed topcrash on the trunk for the period 8-22 to 8-24.
Target -> 2.1 Assigning to Kai to see what he makes of it.
Assignee: javi → kai.engert
Priority: -- → P1
Target Milestone: --- → 2.1
Comment 2•23 years ago
|
||
Comment 3•23 years ago
|
||
This is my fault. :-( I assumed the preferences would do something sensible with a null string. On reflection, though, exactly what is sensible isn't entirely obvious. The above patch should fix it - I'm currently building it, but a URL where you submit secure_to_insecure would be very useful for testing. Feedback on whether it's the _right_ fix also welcome. Gerv
Assignee: kai.engert → gerv
Reporter | ||
Comment 4•23 years ago
|
||
Seems right to me. r=dbaron
Assignee | ||
Comment 5•23 years ago
|
||
Assignee | ||
Comment 6•23 years ago
|
||
Hmm, I did some work on this, too, in the same time. I basically agree, but have additional comments. Gervase obviously assumed that GetBoolPref will simply fail (but not abort or crash) if the passed prefName is null, because program flow is intended to continue in that case. However, this assumption about GetBoolPref's behaviour is wrong, as we learn from the crash. To fix this, we need to prevent the call to GetBoolPref with a nsnull prefName parameter. As the same code appears twice in the same source file, I changed both locations, which only can add safety. I suggest the patch that I'll attach after this comment. Something else I'd just like to make sure, please advice: Gervase commented that "showAgainName" may now be null, too. Whether there is another possibility for a crash depends on the behaviour nsAutoString. Question: Is it safe to do nsAutoString str(nsnull); i.e. will this be a valid empty string? Ok, but even if it is, nsPromptServer::ConfirmEx will receive a valid checkMsg parameter, although the passed string is of zero length. And this causes the prompt dialog to contain a ghost checkbox, i.e. a checkbox the user can click, but no text will be displayed to the right of the checkbox. I've actually seen this sometimes in the past, but was never able to (or really tried) to reproduce it. I'm suggesting code to ConfirmDialog that cares for the !showAgainName scenario. It will pass a real nsnull to ConfirmEx, preventing a ghost checkbox. ... For later discussion: Should we add the logic to prevent a ghost checkbox directly to nsPromptService::ConfirmEx, by adding a test for a non-zero length of checkMsg ? dbaron, can you please review?
Status: NEW → ASSIGNED
Assignee | ||
Comment 7•23 years ago
|
||
Regarding the requested test case: You can use https://www.kuix.de/misc/test5/ which always posts to http, regardless whether this page was accessed with https or http.
Comment 9•23 years ago
|
||
This still won't work because of a typo in security.properties: PostToInsecurefromSecureMessage should be PostToInsecureFromSecureMessage That needs fixing as well. But I'll give up now and leave kai on the case :-) Gerv
Reporter | ||
Comment 10•23 years ago
|
||
It doesn't really make sense to change AlertDialog to support a null prefName but not a null showAgainName if neither are ever passed to it. I think it would be better to either leave it as is, or add support for both to keep it in parallel with ConfirmDialog. Other than that, and what Gerv mentioned, it looks fine.
Assignee | ||
Comment 11•23 years ago
|
||
I don't want to change nsNSSDialogs::AlertDialog without changing nsPromptService::AlertCheck, because AlertCheck doesn't check for a null checkMsg. ConfirmEx makes this check. To avoid making bigger changes, I take your recommandation and leave AlertCheck/AlertDialog as it is. I'm creating a new patch, where I add in Gerv's typo fix.
Status: NEW → ASSIGNED
Assignee | ||
Comment 12•23 years ago
|
||
Reporter | ||
Comment 13•23 years ago
|
||
I don't think there's any need to have |actualAlertMsg| -- |alertMe.get()| should return null if the nsXPIDLString wasn't initialized (I think). Otherwise r=dbaron.
Assignee | ||
Comment 14•23 years ago
|
||
dbaron, you are right, I just tested this. I assumed it to return a non-null pointer to a zero length area. But it indeed returns null and actualCheckMsg ist therefore not required. That means, Gerv's suggestions will be sufficient.
Assignee | ||
Comment 15•23 years ago
|
||
Reporter | ||
Comment 16•23 years ago
|
||
But I thought you did want that null check for showAgainName, just not the extra string?
Assignee | ||
Comment 17•23 years ago
|
||
I tried what happens if const PRUnichar *showAgainName = 0; nsXPIDLString alertMe; mStringBundle->GetStringFromName(showAgainName, getter_Copies(alertMe)); is executed. After the call to GetStringFromName, alertMe.get() is nil. GetStringFromName already behaves safe. But if you prefer, I'll add the check back.
Reporter | ||
Comment 18•23 years ago
|
||
ok, r=dbaron either way, although I'd slightly prefer having the check
Comment 20•23 years ago
|
||
a=asa on behalf of drivers.
Assignee | ||
Comment 21•23 years ago
|
||
Patch checked in, including the additional safety check.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 22•23 years ago
|
||
*** Bug 97210 has been marked as a duplicate of this bug. ***
Comment 23•23 years ago
|
||
*** Bug 97316 has been marked as a duplicate of this bug. ***
Comment 24•23 years ago
|
||
Verified on 2001-08-30-Trunk build on WinNT The test case https://www.kuix.de/misc/test5/ did posts to http. Verified bugs 97210 and 97316 and they also work fine.
Status: RESOLVED → VERIFIED
Updated•13 years ago
|
Crash Signature: [@ nsPrefBranch::QueryObserver]
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•