Closed
Bug 16858
Opened 25 years ago
Closed 25 years ago
Shouldn't be able to check for local file existence
Categories
(Core :: Security, defect, P3)
Tracking
()
VERIFIED
FIXED
M16
People
(Reporter: joro, Assigned: security-bugs)
References
()
Details
(Whiteboard: [nsbeta2+])
Attachments
(2 files)
(deleted),
text/html
|
Details | |
(deleted),
patch
|
Details | Diff | Splinter Review |
It is possible to check for local file existence in Mozilla 5.0.
The problem is LINK REL=STYLESHEET TYPE="text/css" HREF="file:///C|/test.html"
returns "null" in document.styleSheets[0] if the file does not exist, otherwise
it returns an object.
The code is:
-------------------------------------------------------
<SCRIPT>
function f()
{
a.document.open();
s="<HTML><HEAD><LINK REL=STYLESHEET TYPE='text/css' HREF='"+
document.forms[0].elements[0].value+"'></HEAD><SCRIPT>function exist() "+
"{alert( document.styleSheets[0] ? 'File exists' : 'File does not exist ');};"+
"setTimeout('exist()',2000);</"+"SCRIPT></HTML>";
a.document.write(s);
a.document.close();
}
function main()
{
a=window.open("about:blank");
setTimeout("f()",2000);
}
</SCRIPT>
Updated•25 years ago
|
Status: NEW → ASSIGNED
Target Milestone: M14
Updated•25 years ago
|
Target Milestone: M14 → M15
Comment 1•25 years ago
|
||
Not required for beta.
Bulk moving all Browser Security bugs to new Security: General component. The
previous Security component for Browser will be deleted.
Component: Security → Security: General
Comment 3•25 years ago
|
||
We shouldn't require PSM if people want to use codebase principals.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
Comment 4•25 years ago
|
||
Disregard my last comments and reassign back to me. I applied the changes to the
wrong bug.
Assignee: mstoltz → norris
Updated•25 years ago
|
Status: NEW → ASSIGNED
Target Milestone: M15 → M16
Assignee | ||
Comment 6•25 years ago
|
||
Bulk reassigning most of norris's bugs to mstoltz.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
Assignee | ||
Comment 7•25 years ago
|
||
Putting on [nsbeta2+] radar for beta2 fix.
Summary: Checking for local file existence → Shouldn't be able to check for local file existence
Whiteboard: [nsbeta2+]
Comment 10•25 years ago
|
||
the bug is still there
Assignee | ||
Comment 11•25 years ago
|
||
The CSS code needs to call nsScriptSecurityManager::CheckLoadURI() at every
entry point for a URL coming from a <STYLE HREF=> or other varieties of STYLE
tag. I need help in finding where these points are. Pierre, can we talk about
this? Or is there someone else I should ask?
What I need to know is a) where to check the URL, and b) how to exit gracefully
if the check fails.
Status: NEW → ASSIGNED
Comment 12•25 years ago
|
||
The place to put such a check is CSSLoaderImpl::LoadStyleLink().
If the check fails, returning NS_ERROR_FAILURE should be sufficient.
Assignee | ||
Comment 13•25 years ago
|
||
Pierre,
I've got a patch which fixes this bug, could you please review it? I'll
attach it here. Also, are there any other functions in nsCSSLoader.cpp that
should be protected? I noticed LoadChildSheet() and LoadAgentSheet() both take a
URL parameter - do any of these come from URL's in the HTML?
Assignee | ||
Comment 14•25 years ago
|
||
Assignee | ||
Comment 15•25 years ago
|
||
Fix checked in. Added URL security check to STYLE tags. Can be turned off with
the security.checkloaduri pref.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Comment 16•25 years ago
|
||
document.styleSheets[] is returning NULL no matter local file exists or not, so
no security problem here, it is fixed.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•