GNOME Bugzilla – Bug 670489
Incorrect check in check_origin_and_protocol?
Last modified: 2012-02-21 16:03:07 UTC
It looks as though the check on line 107 should be for 'location', not 'document' (again). In principle, this lets the code proceed to line 110, calling get_string_property with an inappropriate argument.

     90   error = funcs.getvalue (instance, NPNVWindowNPObject, &window);
     91   if (error != NPERR_NO_ERROR)
     92     goto out;
     93
     94   if (!funcs.getproperty (instance, window,
     95                           funcs.getstringidentifier ("document"),
     96                           &document))
     97     goto out;
     98
     99   if (!NPVARIANT_IS_OBJECT (document))
    100     goto out;
    101
    102   if (!funcs.getproperty (instance, NPVARIANT_TO_OBJECT (document),
    103                           funcs.getstringidentifier ("location"),
    104                           &location))
    105     goto out;
    106
    107   if (!NPVARIANT_IS_OBJECT (document))
    108     goto out;
    109
    110   hostname = get_string_property (instance,
    111                                   NPVARIANT_TO_OBJECT (location),
    112                                   "hostname");

This is gnome-shell 3.2.2.1 on debian testing, though I quickly verified that this block of code is the same in the master branch of gnome git: http://git.gnome.org/browse/gnome-shell/tree/browser-plugin/browser-plugin.c#n107
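To make the reported mistake concrete, here is an added example written for this page (it is not gnome-shell's browser-plugin.c and not the reporter's code). The NPVariant, NPObject and getproperty definitions are simplified stand-ins for the npruntime types, assumed for the example; the two sample window objects are constructed inline. find_location() replays the guard sequence either as reported (second NPVARIANT_IS_OBJECT re-tests `document`) or as corrected (it tests `location`), and get_hostname() shows the corrected lookup failing closed when `location` is not an object:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the npruntime types (assumed for this example,
 * not the real headers).  A real NPVariant keeps an NPString in the union,
 * which is why NPVARIANT_TO_OBJECT on a string variant yields garbage. */
typedef struct NPObject NPObject;

typedef enum {
    NPVariantType_Void,
    NPVariantType_String,
    NPVariantType_Object
} NPVariantType;

typedef struct {
    NPVariantType type;
    union {
        const char *stringValue;
        NPObject   *objectValue;
    } value;
} NPVariant;

#define NPVARIANT_IS_STRING(v) ((v).type == NPVariantType_String)
#define NPVARIANT_IS_OBJECT(v) ((v).type == NPVariantType_Object)
#define NPVARIANT_TO_STRING(v) ((v).value.stringValue)
#define NPVARIANT_TO_OBJECT(v) ((v).value.objectValue)

/* A scriptable object modelled as a tiny name -> variant table. */
typedef struct {
    const char *name;
    NPVariant   value;
} Property;

struct NPObject {
    Property props[4];
    size_t   nprops;
};

/* Stand-in for funcs.getproperty(): copies the named property into *out. */
static bool getproperty(NPObject *obj, const char *name, NPVariant *out)
{
    for (size_t i = 0; i < obj->nprops; i++) {
        if (strcmp(obj->props[i].name, name) == 0) {
            *out = obj->props[i].value;
            return true;
        }
    }
    return false;
}

/* Walks window.document.location with the plugin's guard sequence.  With
 * fixed == false the last type check re-tests `document`, as the reported
 * code did; with fixed == true it tests `location`.  Returns true when
 * control would reach NPVARIANT_TO_OBJECT (location). */
static bool find_location(NPObject *window, bool fixed, NPVariant *location_out)
{
    NPVariant document, location;

    if (!getproperty(window, "document", &document))
        return false;
    if (!NPVARIANT_IS_OBJECT(document))
        return false;
    if (!getproperty(NPVARIANT_TO_OBJECT(document), "location", &location))
        return false;
    if (!NPVARIANT_IS_OBJECT(fixed ? location : document))
        return false;
    *location_out = location;
    return true;
}

/* Convenience wrapper: does the guard sequence let the deref happen? */
static bool guards_pass(NPObject *window, bool fixed)
{
    NPVariant unused;
    return find_location(window, fixed, &unused);
}

/* Corrected lookup of window.document.location.hostname; NULL on any
 * missing or wrongly typed step, so the caller fails closed. */
static const char *get_hostname(NPObject *window)
{
    NPVariant location, hostname;

    if (!find_location(window, true, &location))
        return NULL;
    if (!getproperty(NPVARIANT_TO_OBJECT(location), "hostname", &hostname))
        return NULL;
    if (!NPVARIANT_IS_STRING(hostname))
        return NULL;
    return NPVARIANT_TO_STRING(hostname);
}

/* Constructed sample data: a normal window, and one whose `location`
 * is a string rather than an object (the case the bug report worries about). */
static NPObject good_location = { { { "hostname", { NPVariantType_String, { .stringValue = "extensions.gnome.org" } } } }, 1 };
static NPObject good_document = { { { "location", { NPVariantType_Object, { .objectValue = &good_location } } } }, 1 };
static NPObject good_window   = { { { "document", { NPVariantType_Object, { .objectValue = &good_document } } } }, 1 };

static NPObject odd_document  = { { { "location", { NPVariantType_String, { .stringValue = "not-an-object" } } } }, 1 };
static NPObject odd_window    = { { { "document", { NPVariantType_Object, { .objectValue = &odd_document } } } }, 1 };

int main(void)
{
    const char *h = get_hostname(&odd_window);
    printf("normal window: original=%d fixed=%d hostname=%s\n",
           guards_pass(&good_window, false), guards_pass(&good_window, true),
           get_hostname(&good_window));
    printf("string location: original=%d fixed=%d hostname=%s\n",
           guards_pass(&odd_window, false), guards_pass(&odd_window, true),
           h ? h : "(null)");
    return 0;
}
```

With the string-valued `location`, the original guard sequence still reports success and would go on to treat the string's bytes as an NPObject; the corrected sequence stops at the type check and get_hostname() returns NULL.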
Created attachment 208069 [details] [review]
browser-plugin: Correct check for checking the hostname/protocol

While it's extremely unlikely that document.location would not be an object in the browser setting, this check is incorrect and we could possibly crash an NPAPI host if this is the case. Nice catch.
Review of attachment 208069 [details] [review]:

Looks good (when I reviewed this code originally, I'm sure I checked that document.location isn't modifiable from JS, since that would allow a page to defeat the checks)
Attachment 208069 [details] pushed as 9400d8f - browser-plugin: Correct check for checking the hostname/protocol
Thank you for your attention to this matter.