range.createContextualFragment() crash when range node is DocType
Bug #69719 reported by José Paulo Matafome Oleiro
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mozilla Firefox | Fix Released | Critical | |
firefox (Ubuntu) | Fix Released | Critical | Mozilla Team |
Bug Description
I was opening the following address http://
Changed in firefox: status: Unknown → Confirmed
Changed in firefox: status: Confirmed → In Progress
Changed in firefox: status: In Progress → Fix Released
Changed in firefox: assignee: nobody → mozillateam
Changed in firefox: importance: Undecided → Critical
Changed in firefox: importance: Unknown → Critical
This appears to have been fixed on trunk on Oct 20. bug 357445 is the only possibly relevant patch, and it's a biggie.
I initially suspected bug 336381 of fixing this since it added nsRange::IsValidBoundary that throws the right exception, but that was checked in May 2006, so clearly not. Looks like that's only called from SetStart/SetEnd but not selectNode.
selectNode does check for some bad node types, but doctype isn't one of those.
The existing validity checks only check the specified node itself; it doesn't look like there are any "or ancestor" checks as mentioned in the DOM spec.
Would be simple to add nsIDOMNode::DOCUMENT_TYPE_NODE at http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/content/base/src/nsRange.cpp&rev=1.211&mark=707#694
Would that be sufficient? Probably leaves all sorts of variants given the inconsistent checks (and some missing on the 1.8 branch)
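The comment above contrasts a check on the node itself with the DOM Level 2 Range rule that also rejects a boundary whose ancestor is an Entity, Notation or DocumentType node. The following is an added model of both checks, not Mozilla's nsRange code; the node shape and the sample tree are constructed for illustration.

```javascript
// Added example, not Mozilla code: a minimal model of the two boundary checks
// discussed in the comment. DOM nodeType constants are the standard values.
const ELEMENT_NODE = 1, TEXT_NODE = 3, ENTITY_NODE = 6, DOCUMENT_NODE = 9,
      DOCUMENT_TYPE_NODE = 10, NOTATION_NODE = 12;

function makeNode(nodeType, name, parent) {
  const node = { nodeType, name, parentNode: parent, childNodes: [] };
  if (parent) parent.childNodes.push(node);
  return node;
}

// Self-only check: the node itself must not be a doctype, entity or notation.
function isValidBoundaryNodeOnly(node) {
  return node.nodeType !== DOCUMENT_TYPE_NODE &&
         node.nodeType !== ENTITY_NODE &&
         node.nodeType !== NOTATION_NODE;
}

// "Or ancestor" check (DOM 2 Range setStart/setEnd rule): walk to the root and
// fail if the node or any ancestor is one of the forbidden types.
function isValidBoundary(node) {
  for (let n = node; n !== null; n = n.parentNode) {
    if (!isValidBoundaryNodeOnly(n)) return false;
  }
  return true;
}

// selectNode: boundaries become (parent, index) and (parent, index + 1).
// A node without a parent, or one failing the ancestor check, is rejected
// with INVALID_NODE_TYPE_ERR instead of producing an unusable range.
function selectNode(refNode) {
  if (refNode.parentNode === null || !isValidBoundary(refNode)) {
    throw new Error('INVALID_NODE_TYPE_ERR');
  }
  const parent = refNode.parentNode;
  const index = parent.childNodes.indexOf(refNode);
  return { startContainer: parent, startOffset: index,
           endContainer: parent, endOffset: index + 1 };
}

// Constructed tree: #document -> [<!DOCTYPE html>, <html> -> <body> -> "text",
// an Entity node with a text child to exercise the ancestor rule].
const doc = makeNode(DOCUMENT_NODE, '#document', null);
const doctype = makeNode(DOCUMENT_TYPE_NODE, 'html', doc);
const html = makeNode(ELEMENT_NODE, 'html', doc);
const body = makeNode(ELEMENT_NODE, 'body', html);
const text = makeNode(TEXT_NODE, '#text', body);
const entity = makeNode(ENTITY_NODE, 'ent', doc);
const textInEntity = makeNode(TEXT_NODE, '#text', entity);
```

The self-only check accepts `textInEntity` while the ancestor-walking check rejects it, which is the gap the comment points at.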