Closed Bug 16858 Opened 25 years ago Closed 25 years ago

Shouldn't be able to check for local file existence

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

VERIFIED FIXED

People

(Reporter: joro, Assigned: security-bugs)

Details

(Whiteboard: [nsbeta2+])

Attachments

(2 files)

It is possible to check for local file existence in Mozilla 5.0.
The problem is LINK REL=STYLESHEET TYPE="text/css" HREF="file:///C|/test.html" returns "null" in document.styleSheets[0] if the file does not exist, otherwise it returns an object.
The code is:
-------------------------------------------------------
<SCRIPT>
function f()
{
  a.document.open();
  s="<HTML><HEAD><LINK REL=STYLESHEET TYPE='text/css' HREF='"+
    document.forms[0].elements[0].value+"'></HEAD><SCRIPT>function exist() "+
    "{alert( document.styleSheets[0] ? 'File exists' : 'File does not exist ');};"+
    "setTimeout('exist()',2000);</"+"SCRIPT></HTML>";
  a.document.write(s);
  a.document.close();
}
function main()
{
  a=window.open("about:blank");
  setTimeout("f()",2000);
}
</SCRIPT>
-------------------------------------------------------
Status: NEW → ASSIGNED
Target Milestone: M14
Target Milestone: M14 → M15
Not required for beta.
Bulk moving all Browser Security bugs to new Security: General component. The previous Security component for Browser will be deleted.
Component: Security → Security: General
Keywords: beta2
We shouldn't require PSM if people want to use codebase principals.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
Disregard my last comments and reassign back to me. I applied the changes to the wrong bug.
Assignee: mstoltz → norris
Status: NEW → ASSIGNED
Target Milestone: M15 → M16
Changing QA contact to myself.
QA Contact: dshea → junruh
Keywords: nsbeta2
Bulk reassigning most of norris's bugs to mstoltz.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
Putting on [nsbeta2+] radar for beta2 fix.
Summary: Checking for local file existence → Shouldn't be able to check for local file existence
Whiteboard: [nsbeta2+]
Changed QA contact to Cathy.
QA Contact: junruh → czhang
The bug is still there.
The CSS code needs to call nsScriptSecurityManager::CheckLoadURI() at every entry point for a URL coming from a <STYLE HREF=> or other varieties of STYLE tag. I need help in finding where these points are. Pierre, can we talk about this? Or is there someone else I should ask? What I need to know is a) where to check the URL, and b) how to exit gracefully if the check fails.
Status: NEW → ASSIGNED
The place to put such a check is CSSLoaderImpl::LoadStyleLink(). If the check fails, returning NS_ERROR_FAILURE should be sufficient.
Pierre, I've got a patch which fixes this bug, could you please review it? I'll attach it here. Also, are there any other functions in nsCSSLoader.cpp that should be protected? I noticed LoadChildSheet() and LoadAgentSheet() both take a URL parameter - do any of these come from URLs in the HTML?
Fix checked in. Added URL security check to STYLE tags. Can be turned off with the security.checkloaduri pref.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
document.styleSheets[] is returning NULL whether the local file exists or not, so there is no security problem here; it is fixed.
Status: RESOLVED → VERIFIED
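The fix discussed in this bug puts the URL check in front of the stylesheet load, so a denied link fails the same way whether or not the file exists. The C++ model below shows that ordering; it is an added example, not Mozilla source or the attached patch. CheckLoadURI and LoadStyleLink here are hypothetical stand-ins that borrow their names from the comments, the scheme-based policy is an assumption, and the "disk" is a constructed in-memory set with a flag mirroring the security.checkloaduri pref.

```cpp
// Added illustration: a simplified model, not Mozilla source or the attached patch.
// Scheme, CheckLoadURI, LoadStyleLink, kDisk and gDiskProbes are hypothetical names.
#include <algorithm>
#include <cctype>
#include <set>
#include <string>

enum LoadResult { LOAD_OK, LOAD_FAILURE };

// Lower-cased scheme of a URI ("file" for "FILE:///C|/x"); empty if there is none.
static std::string Scheme(const std::string& uri) {
    std::string::size_type colon = uri.find(':');
    if (colon == std::string::npos) return "";
    std::string s = uri.substr(0, colon);
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// Assumed policy: content not itself loaded from file: may not link to file:.
static bool CheckLoadURI(const std::string& source, const std::string& target) {
    return Scheme(target) != "file" || Scheme(source) == "file";
}

// Constructed stand-in for the local disk.
static const std::set<std::string> kDisk = { "file:///C|/test.html" };
// Counts disk lookups, so a caller can confirm a denied load never probes the disk.
static int gDiskProbes = 0;

// Model of the stylesheet-link entry point: the security check runs before any
// file access, so the result carries no information about file existence.
LoadResult LoadStyleLink(const std::string& page, const std::string& href,
                         bool checkLoadURIPref = true) {
    if (checkLoadURIPref && !CheckLoadURI(page, href))
        return LOAD_FAILURE;                     // denied before the disk is touched
    if (Scheme(href) != "file") return LOAD_OK;  // network loads are not modelled
    ++gDiskProbes;
    return kDisk.count(href) ? LOAD_OK : LOAD_FAILURE;
}

int main() {
    // Web page linking to an existing local file: must fail like a missing one.
    return LoadStyleLink("http://site.example/p.html",
                         "file:///C|/test.html") == LOAD_FAILURE ? 0 : 1;
}
```

With the pref flag set to false the model regresses to the reported behaviour: the result differs between the existing and the missing file, which is the existence oracle.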