The Tor Browser: toolkit/components/passwordmgr/test/test_bug_360493

toolkit/components/passwordmgr/test/test_bug_360493_2.html@6474c204b198 (annotated)

toolkit/components/passwordmgr/test/test_bug_360493_2.html

Wed, 31 Dec 2014 06:09:35 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Wed, 31 Dec 2014 06:09:35 +0100
changeset 0: 6474c204b198
permissions: -rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

 <!DOCTYPE HTML>
 <html>
 <head>
   <title>Test for Login Manager</title>
   <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
   <script type="text/javascript" src="pwmgr_common.js"></script>
   <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
 </head>
 <body>
 Login Manager test: 360493
 <p id="display"></p>
 <div id="content" style="display: none">
   <!-- The tests in this page exercise things that shouldn't work. -->
   <!-- Change port # of action URL from 8888 to 7777 -->
   <form id="form1" action="http://localhost:7777/tests/toolkit/components/passwordmgr/test/formtest.js">
     <input  type="text"       name="uname">
     <input  type="password"   name="pword">
     <button type="submit">Submit</button>
     <button type="reset"> Reset </button>
   </form>
   <!-- No port # in action URL -->
   <form id="form2" action="http://localhost/tests/toolkit/components/passwordmgr/test/formtest.js">
     <input  type="text"       name="uname">
     <input  type="password"   name="pword">
     <button type="submit">Submit</button>
     <button type="reset"> Reset </button>
   </form>
   <!-- Change protocol from http:// to ftp://, include the expected 8888 port # -->
   <form id="form3" action="ftp://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
     <input  type="text"       name="uname">
     <input  type="password"   name="pword">
     <button type="submit">Submit</button>
     <button type="reset"> Reset </button>
   </form>
   <!-- Change protocol from http:// to ftp://, no port # specified -->
   <form id="form4" action="ftp://localhost/tests/toolkit/components/passwordmgr/test/formtest.js">
     <input  type="text"       name="uname">
     <input  type="password"   name="pword">
     <button type="submit">Submit</button>
     <button type="reset"> Reset </button>
   </form>
   <!-- Try a weird URL. -->
   <form id="form5" action="about:blank">
     <input  type="text"       name="uname">
     <input  type="password"   name="pword">
     <button type="submit">Submit</button>
     <button type="reset"> Reset </button>
   </form>
   <!-- Try a weird URL. (If the normal embedded action URL doesn't work, that should mean other URLs won't either) -->
   <form id="form6" action="view-source:http://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
     <input  type="text"       name="uname">
     <input  type="password"   name="pword">
     <button type="submit">Submit</button>
     <button type="reset"> Reset </button>
   </form>
   <!-- Try a weird URL. -->
   <form id="form7" action="view-source:formtest.js">
     <input  type="text"       name="uname">
     <input  type="password"   name="pword">
     <button type="submit">Submit</button>
     <button type="reset"> Reset </button>
   </form>
   <!-- Action URL points to a different host (this is the archetypical exploit) -->
   <form id="form8" action="http://www.cnn.com/">
     <input  type="text"       name="uname">
     <input  type="password"   name="pword">
     <button type="submit">Submit</button>
     <button type="reset"> Reset </button>
   </form>
   <!-- Action URL points to a different host, user field prefilled -->
   <form id="form9" action="http://www.cnn.com/">
     <input  type="text"       name="uname" value="testuser">
     <input  type="password"   name="pword">
     <button type="submit">Submit</button>
     <button type="reset"> Reset </button>
   </form>
   <!-- Try wrapping a evil form around a good form, to see if we can confuse the parser. -->
   <form id="form10-A" action="http://www.cnn.com/">
    <form id="form10-B" action="formtest.js">
     <input  type="text"       name="uname">
     <input  type="password"   name="pword">
     <button type="submit">Submit (inner)</button>
     <button type="reset"> Reset  (inner)</button>
    </form>
    <button type="submit" id="neutered_submit10">Submit (outer)</button>
    <button type="reset">Reset (outer)</button>
   </form>
   <!-- Try wrapping a good form around an evil form, to see if we can confuse the parser. -->
   <form id="form11-A" action="formtest.js">
    <form id="form11-B" action="http://www.cnn.com/">
     <input  type="text"       name="uname">
     <input  type="password"   name="pword">
     <button type="submit">Submit (inner)</button>
     <button type="reset"> Reset  (inner)</button>
    </form>
    <button type="submit" id="neutered_submit11">Submit (outer)</button>
    <button type="reset">Reset (outer)</button>
   </form>
 <!-- TODO: probably should have some accounts which have no port # in the action url. JS too. And different host/proto. -->
 <!-- TODO: www.site.com vs. site.com? -->
 <!-- TODO: foo.site.com vs. bar.site.com? -->
 </div>
 <pre id="test">
 <script class="testbody" type="text/javascript">
 /** Test for Login Manager: 360493 (Cross-Site Forms + Password Manager = Security Failure) **/
 commonInit();
 function startTest() {
   for (var i = 1; i <= 8; i++) {
     // Check form i
     is($_(i, "uname").value, "", "Checking for unfilled username " + i);
     is($_(i, "pword").value, "", "Checking for unfilled password " + i);
   }
   is($_(9, "uname").value, "testuser", "Checking for unmodified username 9");
   is($_(9, "pword").value, "",         "Checking for unfilled password 9");
   is($_("10-A", "uname").value, "", "Checking for unfilled username 10A");
   is($_("10-A", "pword").value, "", "Checking for unfilled password 10A");
   //is($_("10-B", "uname").value, "", "Checking for unfilled username 10B");
   //is($_("10-B", "pword").value, "", "Checking for unfilled password 10B");
   // The DOM indicates this form could be filled, as the evil inner form
   // is discarded. And yet pwmgr seems not to fill it. Not sure why.
   todo(false, "Mangled form combo not being filled when maybe it could be?");
   is($_("11-A", "uname").value, "testuser", "Checking filled username 11A");
   is($_("11-A", "pword").value, "testpass", "Checking filled password 11A");
   //is($_("11-B", "uname").value, "", "Checking for unfilled username 11B");
   //is($_("11-B", "pword").value, "", "Checking for unfilled password 11B");
   // Verify this by making sure there are no extra forms in the document, and
   // that the submit button for the neutered forms don't do anything.
   // If the test finds extra forms the submit() causes the test to timeout, then
   // there may be a security issue.
   is(document.forms.length,  11,  "Checking for unexpected forms");
   $("neutered_submit10").click();
   $("neutered_submit11").click();
   SimpleTest.finish();
 }
 window.onload = startTest;
 SimpleTest.waitForExplicitFinish();
 </script>
 </pre>
 </body>
 </html>

The Tor Browser / annotate

toolkit/components/passwordmgr/test/test_bug_360493_2.html@6474c204b198 (annotated)

toolkit/components/passwordmgr/test/test_bug_360493_2.html