Issue 39443: crash with form tag
Status:  Verified
Owner:  cev...@chromium.org
Closed:  Mar 2010
Cc:  darin@chromium.org

Restricted
  • Only users with Commit permission may comment.
Reported by kuz...@gmail.com, Mar 26, 2010
<form><form>

like this
Mar 26, 2010
#1 kuz...@gmail.com
save it as 1.xhtml
Mar 28, 2010
#2 scarybea...@gmail.com
Great bug, kuzzcc! Don't forget to file these as "Security" or we may not see them.

My initial analysis is that this would appear to be serious.

Owner: secur...@chromium.org
Labels: Security Restrict-View-SecurityTeam SecSeverity-High
Mar 28, 2010
#3 scarybea...@gmail.com
Simply refreshing this XHTML seems to do it, too:
<html>
<form></form>
<form></form>
</html>

Looks like the password form detection code is assuming that any node with its tag 
named "form" can be cast to an HTMLFormElement -- which does not seem to be the case!
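The pattern described in comment #3, as an added example that is not code from the bug thread or from WebKit: a constructed toy DOM in which the C++ type of an element depends on its namespace, so a node whose local name is "form" but which is not in the XHTML namespace (exactly what the xmlns-less repro above produces) is a plain Element, not an HTMLFormElement. The class names, the element factory and the password-form counter are all assumptions made for illustration; the block contrasts a tag-name-only predicate with a namespace-aware check and a checked downcast that returns nullptr instead of a mistyped pointer.

```cpp
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed toy DOM for illustration; these are not WebKit's classes.
// An element is only an HTML element when it lives in the XHTML namespace;
// an XHTML file without xmlns="http://www.w3.org/1999/xhtml" yields generic
// Elements whose local name merely happens to be "form".
static const std::string kXhtmlNamespace = "http://www.w3.org/1999/xhtml";

class Element {
public:
    Element(std::string ns, std::string localName)
        : ns_(std::move(ns)), localName_(std::move(localName)) {}
    virtual ~Element() = default;
    const std::string& namespaceURI() const { return ns_; }
    const std::string& localName() const { return localName_; }
private:
    std::string ns_;
    std::string localName_;
};

// Only created for <form> in the XHTML namespace; carries HTML-specific state.
class HTMLFormElement : public Element {
public:
    explicit HTMLFormElement(std::vector<std::string> inputTypes)
        : Element(kXhtmlNamespace, "form"), inputTypes_(std::move(inputTypes)) {}
    bool hasPasswordField() const {
        for (const auto& t : inputTypes_)
            if (t == "password") return true;
        return false;
    }
private:
    std::vector<std::string> inputTypes_;
};

// Mimics the parser's element factory (assumption): the C++ type depends on
// the namespace, not on the local name alone.
std::unique_ptr<Element> createElementNS(const std::string& ns,
                                         const std::string& localName,
                                         std::vector<std::string> inputTypes = {}) {
    if (ns == kXhtmlNamespace && localName == "form")
        return std::make_unique<HTMLFormElement>(std::move(inputTypes));
    return std::make_unique<Element>(ns, localName);
}

// Unsafe predicate: matches on local name only. A static_cast keyed on this
// verdict is a type confusion for the no-namespace form. Shown only so its
// verdict can be compared; it is never used to cast here.
bool tagNameOnlySaysForm(const Element& e) {
    return e.localName() == "form";
}

// Hardened predicate: namespace and local name must both match.
bool isHTMLFormElement(const Element& e) {
    return e.namespaceURI() == kXhtmlNamespace && e.localName() == "form";
}

// Checked downcast: nullptr rather than a pointer of the wrong type.
const HTMLFormElement* toHTMLFormElement(const Element& e) {
    if (!isHTMLFormElement(e)) return nullptr;
    return dynamic_cast<const HTMLFormElement*>(&e);
}

using Document = std::vector<std::unique_ptr<Element>>;

// Password-form detection done safely: non-HTML "form" nodes are skipped.
int countPasswordForms(const Document& doc) {
    int count = 0;
    for (const auto& node : doc)
        if (const HTMLFormElement* form = toHTMLFormElement(*node))
            if (form->hasPasswordField()) ++count;
    return count;
}

// The repro from the report: two <form> elements with no xmlns, hence generic
// Elements. The safe detector reports 0 instead of casting them.
int passwordFormsInUnnamespacedDocument() {
    Document doc;
    doc.push_back(createElementNS("", "form"));
    doc.push_back(createElementNS("", "form"));
    return countPasswordForms(doc);
}

// A properly namespaced XHTML document with one login form (constructed input).
int passwordFormsInXhtmlDocument() {
    Document doc;
    doc.push_back(createElementNS(kXhtmlNamespace, "form", {"text", "password"}));
    doc.push_back(createElementNS(kXhtmlNamespace, "form", {"search"}));
    return countPasswordForms(doc);
}

// True when the two predicates disagree on the dangerous node.
bool tagNameCheckMisclassifiesUnnamespacedForm() {
    auto node = createElementNS("", "form");
    return tagNameOnlySaysForm(*node) && !isHTMLFormElement(*node);
}
```

The design point is that the type of a DOM node is decided at creation time from namespace plus local name, so any later downcast must re-check the same pair (or use a runtime type check) rather than the local name alone; that is the invariant the thread says the password-form detector violated.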
Mar 28, 2010
#4 scarybea...@gmail.com
(No comment was entered for this change.)
Cc: da...@chromium.org
Mar 29, 2010
#5 kuz...@gmail.com
Yes. When I posted it I forgot to select the template. "Defect report from user" is the
default; I think you should give reporters permission to change the template from "Defect
report from user" to "Security".
Mar 29, 2010
#6 scarybea...@gmail.com
Fixed on trunk with WebKit r55346 and r56098... merging to 249 branch.
Owner: cev...@chromium.org
Labels: Mstone-4.1
Mar 29, 2010
#7 scarybea...@gmail.com
Committed Chromium r43027 and r43028.... syncing and testing 249 branch.
Mar 29, 2010
#8 scarybea...@gmail.com
(No comment was entered for this change.)
Status: FixUnreleased
Mar 30, 2010
#9 skylined@chromium.org
I've changed my HTML fuzzer to use "application/xhtml+xml" and "text/html" mime types. 
That should make sure I find similar issues in the future.
Mar 30, 2010
#10 kuz...@gmail.com
Yes, I fuzzed it out some days ago and reported it.
Mar 30, 2010
#11 scarybea...@gmail.com
Congrats - subject to responsible disclosure, this bug qualifies for a $500 reward! We 
will get the fix out shortly and credit you appropriately.
Labels: Reward-500
Mar 30, 2010
#12 scarybea...@gmail.com
Issue 39832 has been merged into this issue.
Mar 30, 2010
#13 scarybea...@gmail.com
Issue 39920 has been merged into this issue.
May 18, 2010
#14 scarybea...@gmail.com
Was fixed in 4.1.249.1059
Status: Fixed
Labels: -Restrict-View-SecurityTeam
Mar 21, 2011
#15 jschuh@chromium.org
(No comment was entered for this change.)
Labels: Type-Security
Mar 21, 2011
#16 l...@chromium.org
Google Chrome 11.0.696.11 (Official Build 77963)
Status: Verified
Oct 4, 2011
#17 jschuh@chromium.org
Batch update.
Labels: SecImpacts-Stable
Oct 13, 2012
#18 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: Restrict-AddIssueComment-Commit
Mar 9, 2013
#19 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -SecSeverity-High -Type-Security -SecImpacts-Stable Security-Impact-Stable Security-Severity-High Type-Bug-Security
Mar 10, 2013
#20 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Area-Undefined
Mar 21, 2013
#21 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Severity-High Security_Severity-High
Mar 21, 2013
#22 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Stable Security_Impact-Stable