Bugzilla@Mozilla – Bug 531176
Add assertion that it's safe to run scripts before dispatching any events (and fix the cases when events are dispatched at unsafe time)
Last modified: 2010-07-23 12:42:51 PDT
Summon comment box
It doesn't appear that we check nsContentUtils::IsSafeToRunScripts() before running the event dispatch code. We probably should add an assertion to this effect to help catch unsafe event dispatches.
Created attachment 414740 [details] [review] patch Posted this to tryserver. Passes at least mochitest locally.
The problematic cases I found weren't common while running mochitest.
Comment on attachment 414740 [details] [review] patch > #ifdef DEBUG >+ nsresult rv = NS_ERROR_FAILURE; >+ if (target->GetContextForEventHandlers(&rv) || >+ NS_FAILED(rv)) { >+ NS_ERROR("This is unsafe!"); >+ } It is ok to dispatch events to non-scriptable, data-only documents, which don't have context for script event handlers. This is basically XBL documents, where load event is used to detect that they are loaded.
Created attachment 414746 [details] [review] patch This should compile even on scratchbox
Created attachment 414850 [details] [review] +script error I found yet another event; error event from scripts. This contains some tests for error event.
Does the bug summary need to be updated? Seems like you've gone beyond adding a helpful assert to fixing security vulns uncovered by the assert.
> + NS_ERROR("This is unsafe!"); Please use a more descriptive assertion message, such as "dispatching an event when it is not safe to run script".
Please consider using separate, public bugs for the changes other than adding the assertion. If they cause regressions, having a public bug will make tracking easier, draw less attention to the security aspect, and make life less painful if we have to back something out.
Comment on attachment 414850 [details] [review] +script error So this wouldn't fire assertions if the event is dispatched against chrome documents? I wonder if we ideally would like to assert event then, just to avoid having to teach developers which events are unsafe to do what from. Do you know which events fire at chrome while there are script blockers? r=me to land this for now anyhow.
(In reply to comment #9) > (From update of attachment 414850 [details] [review]) > So this wouldn't fire assertions if the event is dispatched against chrome > documents? Yes it does fire the assertion. It doesn't fire assertion with non-scriptable documents. Basically data documents which don't have script handling object.
Um...did adding a blocking item just un-secure this bug? I really didn't mean to do that.
(In reply to comment #10) > (In reply to comment #9) > > (From update of attachment 414850 [details] [review] [details]) > > So this wouldn't fire assertions if the event is dispatched against chrome > > documents? > > Yes it does fire the assertion. It doesn't fire assertion with > non-scriptable documents. Basically data documents which don't have > script handling object. Why do you need that distinction? Is this related to loading of XBL-documents by any chance?
(In reply to comment #12) > Why do you need that distinction? Is this related to loading of XBL-documents > by any chance? Yes. We load XBL documents which don't have script handling object but still use (C++) event listener to get the load event.
(In reply to comment #11) > Um...did adding a blocking item just un-secure this bug? I really didn't mean > to do that. Anyone that doesn't have access to this bug won't be able to see any sensitive information about the bug. Just the bug number and if it's resolved or not IIRC.
That's what I recall from adding this assertion synchronously... It's annoying to add an exception just for this one case. Though I guess its ok since we won't ever run any scripted event handlers, is that correct? Also, ideally the sync loading of XBL should go away eventually.
Another thing that would be good to do is to add assertions is to the mutation events code. Currently we'll only trigger the assertion added in your patch if there actually are mutation event listeners since we won't attempt to fire the event otherwise. I think this can be accomplished by adding an assertion to nsContentUtils::HasMutationListeners that checks if all current blockers are removable. IIRC I found one case in the cssframeconstructor that triggered such an assertion, which was easily fixable by setting aNotify to false or some such. Do you want a separate bug for this?
I'll do that in a separate bug.
jst, want to sr? This is a security sensitive bug, so needs r and sr.
Comment on attachment 414850 [details] [review] +script error Looks good. sr=jst
http://hg.mozilla.org/mozilla-central/rev/e58c2ef1d65b
Have you considered taking this on branches? It appears to fix bug 496366.
Yeah, we should probably take this to branches. Not sure about the assertion, but the other parts of the patch. I'll update the patch for branches. (3.5 will need significant changes)
Created attachment 432835 [details] [review] for 1.9.2 I'll upload this to tryserver
Created attachment 432907 [details] [review] for 1.9.2 without the assertion I think we may not want to add the assertion to branches.
Created attachment 432914 [details] [review] for 1.9.2 without the assertion a merge problem fixed; ValueChange should bubble.
Created attachment 432918 [details] [review] for 1.9.1 without the assertion and without the FocusBlurEvent I'm posting this to tryserver. Since 1.9.1 doesn't have the focusmanager, the FocusBlurEvent part doesn't really apply to that branch. Otherwise only minor changes to trunk patch. Fixes Bug 496366.
Comment on attachment 432914 [details] [review] for 1.9.2 without the assertion Are bug 535887 and bug 535926 from the "depends on" field regressions that need to be fixed before taking this on branches?
Those aren't regressions. They are cases where the assertion fires, but the assertion itself doesn't change behavior. The patch did change other behavior, but I haven't heard of regressions related to those changes.
*** Bug 496366 has been marked as a duplicate of this bug. ***
Comment on attachment 432914 [details] [review] for 1.9.2 without the assertion a=beltzner for 1.9.2.3 and 1.9.1.10
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/a4975fb9c048 http://hg.mozilla.org/releases/mozilla-1.9.1/rev/8cbc449170d5
Is there a way to easily test this fix? It looks like bug 496366 can be used, per comment 21. Are we sure it is this checkin that fixed that bug?
(In reply to comment #32) > Is there a way to easily test this fix? > > It looks like bug 496366 can be used, per comment 21. Yeah, there is a testcase in that bug. > Are we sure it is this > checkin that fixed that bug? Yes.
Verified for 1.9.2 via the testcase in bug 496366 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4pre) Gecko/20100408 Lorentz/3.6.4pre (.NET CLR 3.5.30729). Verified for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.10pre) Gecko/20100407 Shiretoko/3.5.10pre (.NET CLR 3.5.30729).
Comment on attachment 432918 [details] [review] for 1.9.1 without the assertion and without the FocusBlurEvent Requesting approval1.9.0.next on this patch so that we can take it in upcoming Camino 2.0.x security and stability updates. If approved, I'll handle the checkins, unless the patch author requests otherwise.
Comment on attachment 432918 [details] [review] for 1.9.1 without the assertion and without the FocusBlurEvent Approved for 1.9.0.20, a=dveditz
Checking in dom/src/base/nsGlobalWindow.cpp; /cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v <-- nsGlobalWindow.cpp new revision: 1.1027; previous revision: 1.1026 done Checking in dom/src/base/nsJSEnvironment.cpp; /cvsroot/mozilla/dom/src/base/nsJSEnvironment.cpp,v <-- nsJSEnvironment.cpp new revision: 1.401; previous revision: 1.400 done Checking in dom/tests/mochitest/bugs/Makefile.in; /cvsroot/mozilla/dom/tests/mochitest/bugs/Makefile.in,v <-- Makefile.in new revision: 1.32; previous revision: 1.31 done RCS file: /cvsroot/mozilla/dom/tests/mochitest/bugs/test_bug531176.html,v done Checking in dom/tests/mochitest/bugs/test_bug531176.html; /cvsroot/mozilla/dom/tests/mochitest/bugs/test_bug531176.html,v <-- test_bug531176.html initial revision: 1.1 done Checking in layout/forms/nsComboboxControlFrame.cpp; /cvsroot/mozilla/layout/forms/nsComboboxControlFrame.cpp,v <-- nsComboboxControlFrame.cpp new revision: 1.432; previous revision: 1.431 done