[tor-bugs] #15794 [Tor Browser]: crash on some SVG pages when svg.in-content.enabled=false
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Apr 25 02:13:11 UTC 2015
#15794: crash on some SVG pages when svg.in-content.enabled=false
-------------------------+-------------------------------------------------
Reporter: mcs | Owner: tbb-team
Type: defect | Status: closed
Priority: critical | Milestone:
Component: Tor Browser | Keywords: tbb-4.5-alpha, TorBrowserTeam201504R
Resolution: fixed | Parent ID:
Actual Points: | Points:
-------------------------+-------------------------------------------------
Comment (by mcs):
Replying to [comment:3 mikeperry]:
> Ok, this looks good as a fix. I merged it and Georg and I started a
> rebuild.
>
> However, this issue makes me a bit more nervous about the namespace-
> based solution in general. Can we be reasonably sure that there are no
> other potential issues with this namespace change either allowing scripts
> to execute when they shouldn't, or allowing strange codepaths?
Thanks for reviewing the fix. I am reasonably confident that scripts will
not execute, etc. but the codepaths are complicated enough that it is
difficult to be 100% certain. This specific problem occurred because
Kathy and I did not consider the fact that the HTML parser would do
special things with some elements such as <style> and <script> when
enclosed within <svg> blocks. In fact, it does not seem to be doing too
much, e.g., just recording line numbers (presumably so that it can report
the correct one in the inspector tool). And the crash occurred because
when SVG is disabled the elements are not created the same way (which is
good, because that prevents special behavior when the pages are rendered
but bad because we had not looked at this codepath).
> If not, we may want to create a pile of test cases for this type of
> stuff when we do the ff38-esr rebase and patch submission to Mozilla.
I agree and I opened #15802 to track adding test cases. I will also take
another look at <script> right now and test to ensure that JS is not
executed when svg.in-content.enabled=false.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15794#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
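An added example, not from the ticket or from the Tor Browser test suite: a minimal page of the kind #15802 asks for. It places both <style> and <script> inside an inline <svg> block, the combination behind the crash discussed above, and reports whether the document finished parsing and which scripts executed. The element names are standard HTML/SVG; the flag names and the reported text are constructed for this check.

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>#15794 check: style and script inside inline SVG</title>
  <!-- Constructed test page. Each flag is flipped only if its script runs. -->
  <script>
    window.htmlScriptRan = true;   // ordinary HTML <script>: expected to run
    window.svgScriptRan = false;   // becomes true only if the SVG <script> runs
  </script>
</head>
<body>
  <p id="result">Loading...</p>

  <!-- Inline SVG carrying the two element types the HTML parser special-cases. -->
  <svg xmlns="http://www.w3.org/2000/svg" width="120" height="40">
    <style>
      rect { fill: red; }
    </style>
    <script>
      window.svgScriptRan = true;
    </script>
    <rect width="120" height="40"/>
  </svg>

  <script>
    // Report after load, so the <svg> block above has already been parsed
    // (a crash there would prevent this line from ever being shown).
    window.addEventListener("load", function () {
      var msg = [
        "document parsed",
        "HTML script ran: " + window.htmlScriptRan,
        "inline SVG script ran: " + window.svgScriptRan
      ].join("; ");
      document.getElementById("result").textContent = msg;
    });
  </script>
</body>
</html>
```

With svg.in-content.enabled=false the page should load and show "inline SVG script ran: false"; with the pref at its default the same page shows true, which makes the two runs easy to compare.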