Closed
Bug 195030
Opened 22 years ago
Closed 12 years ago
no protection against recursive plugin loading via EMBED/OBJECT tag
Categories
(Core Graveyard :: Plug-ins, defect, P3)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: miquelfire, Assigned: johns)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
(deleted), text/html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.2.1) Gecko/20021130

On this one page at http://www.geocities.com/jeffreychanff8/, a new window with the page pops open every time the page is opened (which results in the browser just reopening the page in a new window over and over again until you can click the close button before the page loads up in a new window) because of a possible bug with the embed tag. The tag reads like this:

<embed SRC="http://www.geocities.com/jeffreychanff8/" AUTOSTART=TRUE HIDDEN=TRUE>

I'm not sure how Mozilla is supposed to handle code like this, but something like this will make it possible to bypass the setting for javascript's unrequested window option.

Reproducible: Always

Steps to Reproduce:
1. Open page in Mozilla.

Actual Results: A new window will open with the page, in this case the same which results in what appears to be malicious javascript.
as annoying as this is, this is not a security bug
Assignee: harishd → peterlubczynski
Group: security
Component: Parser → Plug-ins
QA Contact: dsirnapalli → shrir
Comment 2•22 years ago
Um...here's the problem:

This URL feeds an HTML document with text/html:
http://www.geocities.com/jeffreychanff8/

Then has an EMBED tag like:
<EMBED src=http://www.geocities.com/jeffreychanff8/

..which takes us for a loop...

This is partly blocked by handling relative urls that hand back text/html in bug 157554.
Status: UNCONFIRMED → NEW
Depends on: 157554
Ever confirmed: true
Priority: -- → P3
Summary: Web page in EMBED tag creates a new window. → no protection against recursive plugin loading via EMBED/OBJECT tag
Target Milestone: --- → Future
Comment 4•22 years ago
From my comment of dupe bug 199631:

It has to do with an embed. The lines in question seem to be

<embed SRC="http://www.upholdfreedom.com/" AUTOSTART=TRUE HIDDEN=TRUE>
<noembed><bgsound SRC="http://www.upholdfreedom.com/"></noembed>
</embed>

Where it recursively calls itself. If you go to the URL with javascript off it gives you a "Plug-in Not Loaded" window:

Information on this page requires a plugin for: text/html
Navigator can retrieve... blah blah blah...

The testcase pops up a new window going to google (so you won't crash your browser doing testing). It is just one line:

<embed SRC="http://www.google.com" AUTOSTART=TRUE HIDDEN=TRUE></embed>
Updated•15 years ago
QA Contact: shrir → plugins
Comment 5•13 years ago
I believe this has long since been fixed; documents are only allowed in <objects> now, which check against recursive loads. Keeping this open to ensure bug 745030 doesn't regress, and to add tests.
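
The kind of recursion check comment 5 refers to, sketched as an added example (not Gecko's code and not part of this bug report): before an embedded document loads, its URL is compared against the URL of every ancestor document. The frame model, `checkEmbedLoad`, `MAX_DEPTH` and the `site.example` URLs are assumptions constructed for illustration.

```javascript
// Added illustration: a hypothetical loader model, not Gecko's implementation.
const MAX_DEPTH = 10; // assumed cap on nesting depth

// Canonical form for comparison: resolved against the base, fragment dropped
// (a "#frag" suffix still fetches the same document).
function canonical(url, base) {
  const u = new URL(url, base);
  u.hash = "";
  return u.href;
}

// frame: { url, parent } where parent is the embedding frame, or null at the top.
// Decide whether `src`, found in an EMBED/OBJECT inside `frame`, may be loaded
// as a nested document.
function checkEmbedLoad(frame, src) {
  let target;
  try {
    target = canonical(src, frame.url);
  } catch (e) {
    return { allow: false, reason: "invalid-url" };
  }
  let depth = 0;
  for (let f = frame; f !== null; f = f.parent) {
    depth += 1;
    if (canonical(f.url) === target) {
      return { allow: false, reason: "recursive-load", depth };
    }
    if (depth >= MAX_DEPTH) {
      return { allow: false, reason: "too-deep", depth };
    }
  }
  return { allow: true, reason: "ok", depth };
}

// Constructed sample tree: page A embeds page B.
const pageA = { url: "http://site.example/a/", parent: null };
const pageB = { url: "http://site.example/b/", parent: pageA };

console.log(checkEmbedLoad(pageA, "http://site.example/a/")); // self-embed
console.log(checkEmbedLoad(pageB, "../a/#x"));                // B embeds A again
console.log(checkEmbedLoad(pageB, "http://site.example/c/")); // unrelated page
```

Walking the whole ancestor chain, rather than comparing only against the immediate parent, is what catches the indirect A → B → A case.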
Updated•12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•2 years ago
Product: Core → Core Graveyard