Bug 451938: stealing frames from <video> via canvas
Status: Closed, RESOLVED FIXED. Opened 16 years ago; closed 16 years ago.
Categories: Core :: Graphics: Canvas2D, defect, P1
People: Reporter: guninski, Assigned: vlad
Details: Keywords: fixed1.9.1, Whiteboard: [sg:low?]
Attachments (2 files, 1 obsolete file):
(deleted), text/html
(deleted), patch; flags: bzbarsky: review+, bzbarsky: superreview+
Description (Reporter):
It is possible to steal frames from arbitrary videos that the luser can load via canvas + drawImage or fillRect.
As of now this works directly; no need for HTTP redirects.
Reporter updated (16 years ago): Whiteboard: [sg:low?]
Reporter updated (16 years ago): Component: General → Video/Audio; Product: Firefox → Core
Reporter updated (16 years ago): Component: Video/Audio → Layout: Canvas
Comment 1 (Reporter, 16 years ago):
This seems to work with "file:///" URIs, basically allowing stealing homemade pron with a known filename.
Comment 2 (16 years ago):
<video> being able to refer to file:/// URLs might be a separate bug.
Comment 3 (Reporter, 16 years ago):
> <video> being able to refer to file:/// URLs might be a separate bug.
Sure, it allows checking for the existence of local files. Soon to file a new bug + testcase.
Comment 4 (Reporter, 16 years ago):
Checking for file existence via <video> is Bug 451958.
Updated (16 years ago): Flags: blocking1.9.1?
Comment 5 (Assignee, 16 years ago):
Indeed, the wrong principal is being used here -- http://hg.mozilla.org/mozilla-central/index.cgi/file/tip/content/canvas/src/nsCanvasRenderingContext2D.cpp#l2826 . How do I get the principal of the actual video stream, e.g. what happens at http://hg.mozilla.org/mozilla-central/index.cgi/file/tip/content/canvas/src/nsCanvasRenderingContext2D.cpp#l2854 ?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
Comment 6 (16 years ago):
You can get the actual URI of the video being played (i.e. the one that was selected from the multiple sources to play) with GetCurrentSrc on the media element.
Comment 7 (Assignee, 16 years ago):
I don't want the URI though, I want the principal -- or can I turn that URI into a principal?
Comment 8 (Assignee, 16 years ago):
Here's a fix -- this passes the principal down the chain so that canvas can get at it.
Assignee: nobody → vladimir
Attachment #336699 - Flags: superreview?
Attachment #336699 - Flags: review?(chris.double)
Assignee updated (16 years ago): Attachment #336699 - Flags: superreview? → superreview?(bzbarsky)
Comment 9 (16 years ago):
Comment on attachment 336699 [details] [diff] [review]
pass the principal down the relay line...
I wish -p -U 8 worked for these diffs....
>+++ b/content/canvas/src/nsCanvasRenderingContext2D.cpp
>@@ -2823,7 +2823,8 @@
>+ video->GetCurrentPrincipal(prinOut);
>+
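Review bot: the result of `video->GetCurrentPrincipal(prinOut)` is not checked in this hunk, so `*prinOut` can be left null while downstream code (DoDrawImageSecurityCheck, per the review below) assumes a non-null principal; check the result and fail early from ThebesSurfaceFromElement on a null principal rather than relying on every caller to null-check.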
So... right now callers of this method assume the principal is never null. In particular, DoDrawImageSecurityCheck certainly does. Your newly added code looks like it might return null sometimes. So we either need to add null-checks in various places or make ThebesSurfaceFromElement throw on a null principal. The latter is probably better.
The rest looks fine, though I'd just have the methods return nsIPrincipal* instead of doing the COM-like dance.
Comment 10 (Assignee, 16 years ago):
Updated; note that this depends on bug 417836 which I'll land shortly. I changed the interface to just return a nsIPrincipal*, and explicitly check for null (and throw an error in that case).
Attachment #336699 - Attachment is obsolete: true
Attachment #336933 - Flags: superreview?(bzbarsky)
Attachment #336933 - Flags: review?(bzbarsky)
Attachment #336699 - Flags: superreview?(bzbarsky)
Attachment #336699 - Flags: review?(chris.double)
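The following is an added example, not code from this bug, its patches or Mozilla: a small JavaScript model of the origin check that canvas drawImage() performs, illustrating the defect discussed in comments 5, 9 and 10 and the fix. Every name in it (principal, makeVideo, makeCanvas, drawImageBuggy, drawImageFixed, getImageData, scenario) is hypothetical, and the origins used are constructed. The model assumes the "wrong principal" of comment 5 was one that is always same-origin with the embedding page (the element's owner document), whereas the fix consults the principal of the stream actually being played and rejects a null principal as comment 10 describes.

```javascript
// Added example (not from bug 451938 or Mozilla): model of canvas drawImage()
// origin checking. All names and origins below are hypothetical/constructed.

// A "principal" stands in for nsIPrincipal: the origin that owns a resource.
function principal(origin) {
  return { origin };
}

function sameOrigin(a, b) {
  return a.origin === b.origin;
}

// A <video> element belongs to a document (docPrincipal) but may be playing a
// stream whose origin differs (currentSrcPrincipal), e.g. a cross-origin src
// or one reached through a redirect. currentSrcPrincipal is null until a
// source has actually been selected and loaded.
function makeVideo(docPrincipal, currentSrcPrincipal) {
  return { docPrincipal, currentSrcPrincipal };
}

// originClean mirrors the HTML spec's "origin-clean" flag on a canvas; once it
// is false, readback (getImageData/toDataURL) must fail.
function makeCanvas(docPrincipal) {
  return { docPrincipal, originClean: true };
}

// Defective variant (assumption about the original bug): compares the
// principal of the video element's owner document, which is always the same
// origin as the canvas's page, so cross-origin frames never taint the canvas.
function drawImageBuggy(canvas, video) {
  const src = video.docPrincipal;
  if (!sameOrigin(src, canvas.docPrincipal)) canvas.originClean = false;
}

// Fixed variant: use the principal of the stream being played, and refuse to
// draw at all when no principal is available (comments 9 and 10).
function drawImageFixed(canvas, video) {
  const src = video.currentSrcPrincipal;
  if (src === null) throw new Error("NS_ERROR_FAILURE: null principal");
  if (!sameOrigin(src, canvas.docPrincipal)) canvas.originClean = false;
}

// Readback is only permitted while the canvas is origin-clean.
function getImageData(canvas) {
  if (!canvas.originClean) throw new Error("SecurityError: canvas is tainted");
  return "pixels"; // stand-in for real pixel data
}

// Scenario: a page on one origin draws a video served by another origin and
// then tries to read the pixels back. Returns "readable" or "blocked".
function scenario(drawImage) {
  const page = principal("https://page.example");      // constructed origin
  const canvas = makeCanvas(page);
  const video = makeVideo(page, principal("https://media.example")); // constructed
  drawImage(canvas, video);
  try {
    getImageData(canvas);
    return "readable";
  } catch (e) {
    return "blocked";
  }
}

console.log("buggy:", scenario(drawImageBuggy)); // readable (cross-origin leak)
console.log("fixed:", scenario(drawImageFixed)); // blocked (canvas tainted)
```

The point the model makes is the one in comment 9: the security check is only as good as the principal it is handed, so the fix both sources the principal from the actual stream and treats a missing principal as a hard error rather than a pass.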
Comment 11 (16 years ago):
Comment on attachment 336933 [details] [diff] [review]
updated
>+++ b/content/canvas/src/nsCanvasRenderingContext2D.cpp
>+ *prinOut = principal.forget().get();
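Review bot: `*prinOut = principal.forget().get();` hands off ownership correctly but reads awkwardly; nsCOMPtr's forget overload that takes the out-pointer does the same transfer in one step, `principal.forget(prinOut);`, and is the idiomatic form for filling an out-parameter.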
principal.forget(prinOut);
r+sr=bzbarsky with that.
Attachment #336933 - Flags: superreview?(bzbarsky)
Attachment #336933 - Flags: superreview+
Attachment #336933 - Flags: review?(bzbarsky)
Attachment #336933 - Flags: review+
Comment 12 (Assignee, 16 years ago):
Fix checked in:
18910[tip] ad53051ebd43 2008-09-06 16:47 -0700 vladimir
b=451938; ensure correct principal is used in case of <video> and drawImage; r=bz
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 13 (Reporter, 16 years ago):
Seems fixed on trunk according to my tests.
Tried fillRect and HTTP redirects; both seem fixed.
Comment 14 (Reporter, 16 years ago):
Do some SVG filters or similar stuff alter images so they can be stolen?
Some tests with filter feImage show the image, yet when drawn to canvas the original image is drawn, i.e. no theft.
Updated (16 years ago): Keywords: fixed1.9.1
Updated (16 years ago): Flags: wanted1.9.0.x-
Updated (12 years ago): Group: core-security