Closed Bug 797677 Opened 12 years ago Closed 12 years ago

getPluginInfo indexes into navigator.mimeTypes unsafely

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Version:
18 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 18
Tracking Flags:
Tracking Status
firefox17 --- affected

People

(Reporter: jruderman, Assigned: jruderman)

References

Details

(Keywords: regression, testcase)

Attachments

(2 files, 1 obsolete file)

suggested fix
(deleted), patch
jaws
: review+
keeler
: feedback+
Details | Diff | Splinter Review
testcase
(deleted), text/html
Details
Attached file testcase (obsolete) (deleted) — 
Loading the testcase triggers:

JavaScript error: chrome://browser/content/browser.js, line 3019: NS_ERROR_FAILURE: Failure

This corresponds to line 40 of browser-plugins.js:

40     let navMimeType = navigator.mimeTypes[tagMimetype];

This line does the wrong thing if tagMimeType is a number, or any property that exists on navigator.mimeTypes ("__proto__", "watch", "length", etc).
Attached patch suggested fix (deleted) — Splinter Review 
(untested)
Attachment #667798 - Flags: review?(dkeeler)
Attached file testcase (deleted) — 

        Attachment #667797 -
        Attachment is obsolete: true

          status-firefox17:
          --- → affected
OS: Mac OS X → All
Hardware: x86_64 → All
Version: Trunk → 18 Branch

    
    

    
  
Comment on attachment 667798 [details] [diff] [review]
suggested fix

Review of attachment 667798 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me. I think Jared will have to give the actual r+.

        Attachment #667798 -
        Flags: review?(jaws)

        Attachment #667798 -
        Flags: review?(dkeeler)

        Attachment #667798 -
        Flags: feedback+

    
    

    
  
Comment on attachment 667798 [details] [diff] [review]
suggested fix

Review of attachment 667798 [details] [diff] [review]:
-----------------------------------------------------------------

This looks good. As discussed in person, please push it to try server.

        Attachment #667798 -
        Flags: review?(jaws) → review+
Assignee: nobody → jruderman
Status: NEW → ASSIGNED

    
    

    
  
David, can you write a browser-chrome test for this to make sure that an invalid mimetype doesn't generate a chrome error? I believe devtools has a test that checks for error counts in a webpage.

    
  
Flags: in-testsuite?

    
    

    
  
Filed bug 798237 so we don't forget to add a test.

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/ca5f40f6edc6
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 18

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: