Closed Bug 195030 Opened 22 years ago Closed 12 years ago

no protection against recursive plugin loading via EMBED/OBJECT tag

Categories

(Core Graveyard :: Plug-ins, defect, P3)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: miquelfire, Assigned: johns)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130

On this one page at http://www.geocities.com/jeffreychanff8/, a new window with
the page pops open every time the page is opened (which results in the browser just
reopening the page in a new window over and over again until you can click the
close button before the page loads up in a new window) because of a possible bug
with the embed tag. The tag reads like this:
<embed SRC="http://www.geocities.com/jeffreychanff8/" AUTOSTART=TRUE HIDDEN=TRUE>
I'm not sure how Mozilla is supposed to handle code like this, but something
like this will make it possible to bypass the setting for javascript's
unrequested window option.

Reproducible: Always

Steps to Reproduce:
1. Open page in Mozilla.
Actual Results:  
A new window will open with the page, in this case the same which results in
what appears to be malicious javascript.
As annoying as this is, this is not a security bug.
Assignee: harishd → peterlubczynski
Group: security
Component: Parser → Plug-ins
QA Contact: dsirnapalli → shrir
Um...here's the problem:

This URL feeds an HTML document with text/html:
http://www.geocities.com/jeffreychanff8/

Then has an EMBED tag like:
<EMBED src=http://www.geocities.com/jeffreychanff8/

...which takes us for a loop...

This is partly blocked by handling relative urls that hand back text/html in bug
157554.
Status: UNCONFIRMED → NEW
Depends on: 157554
Ever confirmed: true
Priority: -- → P3
Summary: Web page in EMBED tag creates a new window. → no protection against recursive plugin loading via EMBED/OBJECT tag
Target Milestone: --- → Future
*** Bug 199631 has been marked as a duplicate of this bug. ***
Attached file testcase (deleted) —
From my comment of dupe bug 199631:

It has to do with an embed.  The lines in question seem to be 

<embed SRC="http://www.upholdfreedom.com/" AUTOSTART=TRUE HIDDEN=TRUE>
<noembed><bgsound SRC="http://www.upholdfreedom.com/"></noembed>
</embed>

Where it recursively calls itself.  If you go to the URL with javascript off it
gives you a "Plug-in Not Loaded" window:

Information on this page requires a plugin for:
			    text/html
Navigator can retrieve... blah blah blah...

The testcase pops up a new window going to google (so you won't crash your
browser doing testing).  It is just one line:

<embed SRC="http://www.google.com" AUTOSTART=TRUE HIDDEN=TRUE></embed>
Blocks: popups
QA Contact: shrir → plugins
I believe this has long since been fixed, documents are only allowed in <objects> now, which check against recursive loads.

Keeping this open to ensure bug 745030 doesn't regress, and to add tests.
Assignee: peterlubczynski-bugs → jschoenick
Status: NEW → ASSIGNED
Depends on: 745030
No longer depends on: 157554
OS: Windows XP → All
Hardware: x86 → All
Target Milestone: Future → ---
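The recursive-load check the previous comment refers to, shown as an added illustration that is not Gecko's own code: a document may be loaded into an embedding element only if its resolved URL is not already one of the ancestor documents, which covers the self-referencing absolute `src` from the report as well as a relative `src` that resolves back to the same page. The nesting cap (`MAX_NESTING`) and the caller-supplied ancestor list are assumptions for the example.

```javascript
// Added example, not Gecko code: a recursion guard for nested document loads.

const MAX_NESTING = 10; // assumed cap on how deep nested document loads may go

// Normalise a URL for comparison: resolve relative references against the
// embedding document's base and drop the fragment, which does not change the
// resource that would be fetched.
function canonicalize(src, baseUrl) {
  const u = new URL(src, baseUrl);
  u.hash = "";
  return u.href;
}

// Decide whether loading `src` from the document at `baseUrl` is allowed.
// `ancestors` lists the URLs of the embedding document and all of its
// ancestors, outermost first. Returns { allowed, reason, url }.
function checkEmbedLoad(src, baseUrl, ancestors) {
  const url = canonicalize(src, baseUrl);
  const chain = ancestors.map((a) => canonicalize(a, a));
  if (chain.includes(url)) {
    // The target is already being loaded somewhere above us: this is the
    // self-embedding loop from the report.
    return { allowed: false, reason: "recursive", url };
  }
  if (chain.length >= MAX_NESTING) {
    // Not a direct cycle, but a chain of distinct pages can still nest
    // without bound, so cap the depth as well.
    return { allowed: false, reason: "too-deep", url };
  }
  return { allowed: true, reason: "ok", url };
}

// Constructed inputs mirroring the report: a page whose <embed> points back
// at itself by absolute URL, by relative URL, and with a fragment appended.
function demo() {
  const page = "http://www.geocities.com/jeffreychanff8/";
  return {
    absolute: checkEmbedLoad(page, page, [page]),
    relative: checkEmbedLoad("./", page, [page]),
    fragment: checkEmbedLoad(page + "#top", page, [page]),
    other: checkEmbedLoad("http://www.google.com", page, [page]),
  };
}
```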
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard