Closed Bug 797677 Opened 12 years ago Closed 12 years ago

getPluginInfo indexes into navigator.mimeTypes unsafely

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Version:
18 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 18
Tracking Flags:
Tracking Status
firefox17 --- affected

People

(Reporter: jruderman, Assigned: jruderman)

References

Details

(Keywords: regression, testcase)

Attachments

(2 files, 1 obsolete file)

suggested fix
(deleted), patch
jaws
: review+
keeler
: feedback+
Details | Diff | Splinter Review
testcase
(deleted), text/html
Details
Attached file testcase (obsolete) (deleted) —
Loading the testcase triggers: JavaScript error: chrome://browser/content/browser.js, line 3019: NS_ERROR_FAILURE: Failure This corresponds to line 40 of browser-plugins.js: 40 let navMimeType = navigator.mimeTypes[tagMimetype]; This line does the wrong thing if tagMimeType is a number, or any property that exists on navigator.mimeTypes ("__proto__", "watch", "length", etc).
Attached patch suggested fix (deleted) — Splinter Review
(untested)
Attachment #667798 - Flags: review?(dkeeler)
Attached file testcase (deleted) —
Attachment #667797 - Attachment is obsolete: true
status-firefox17: --- → affected
OS: Mac OS X → All
Hardware: x86_64 → All
Version: Trunk → 18 Branch
Comment on attachment 667798 [details] [diff] [review] suggested fix Review of attachment 667798 [details] [diff] [review]: ----------------------------------------------------------------- Looks good to me. I think Jared will have to give the actual r+.
Attachment #667798 - Flags: review?(jaws)
Attachment #667798 - Flags: review?(dkeeler)
Attachment #667798 - Flags: feedback+
Comment on attachment 667798 [details] [diff] [review] suggested fix Review of attachment 667798 [details] [diff] [review]: ----------------------------------------------------------------- This looks good. As discussed in person, please push it to try server.
Attachment #667798 - Flags: review?(jaws) → review+
Assignee: nobody → jruderman
Status: NEW → ASSIGNED
David, can you write a browser-chrome test for this to make sure that an invalid mimetype doesn't generate a chrome error? I believe devtools has a test that checks for error counts in a webpage.
Flags: in-testsuite?
Filed bug 798237 so we don't forget to add a test.
https://hg.mozilla.org/mozilla-central/rev/ca5f40f6edc6
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 18
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: