The Tor Browser / file comparison
comparison: toolkit/components/passwordmgr/test/test_bug_360493_2.html
toolkit/components/passwordmgr/test/test_bug_360493_2.html
- changeset 0
- 6474c204b198
equal
deleted
inserted
replaced
| -1:000000000000 | 0:79e672077b8d |
|---|---|
| 1 <!DOCTYPE HTML> | |
| 2 <html> | |
| 3 <head> | |
| 4 <title>Test for Login Manager</title> | |
| 5 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script> | |
| 6 <script type="text/javascript" src="pwmgr_common.js"></script> | |
| 7 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" /> | |
| 8 </head> | |
| 9 <body> | |
| 10 Login Manager test: 360493 | |
| 11 <p id="display"></p> | |
| 12 <div id="content" style="display: none"> | |
| 13 | |
| 14 <!-- The tests in this page exercise things that shouldn't work. --> | |
| 15 | |
| 16 <!-- Change port # of action URL from 8888 to 7777 --> | |
| 17 <form id="form1" action="http://localhost:7777/tests/toolkit/components/passwordmgr/test/formtest.js"> | |
| 18 <input type="text" name="uname"> | |
| 19 <input type="password" name="pword"> | |
| 20 | |
| 21 <button type="submit">Submit</button> | |
| 22 <button type="reset"> Reset </button> | |
| 23 </form> | |
| 24 | |
| 25 <!-- No port # in action URL --> | |
| 26 <form id="form2" action="http://localhost/tests/toolkit/components/passwordmgr/test/formtest.js"> | |
| 27 <input type="text" name="uname"> | |
| 28 <input type="password" name="pword"> | |
| 29 | |
| 30 <button type="submit">Submit</button> | |
| 31 <button type="reset"> Reset </button> | |
| 32 </form> | |
| 33 | |
| 34 <!-- Change protocol from http:// to ftp://, include the expected 8888 port # --> | |
| 35 <form id="form3" action="ftp://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js"> | |
| 36 <input type="text" name="uname"> | |
| 37 <input type="password" name="pword"> | |
| 38 | |
| 39 <button type="submit">Submit</button> | |
| 40 <button type="reset"> Reset </button> | |
| 41 </form> | |
| 42 | |
| 43 <!-- Change protocol from http:// to ftp://, no port # specified --> | |
| 44 <form id="form4" action="ftp://localhost/tests/toolkit/components/passwordmgr/test/formtest.js"> | |
| 45 <input type="text" name="uname"> | |
| 46 <input type="password" name="pword"> | |
| 47 | |
| 48 <button type="submit">Submit</button> | |
| 49 <button type="reset"> Reset </button> | |
| 50 </form> | |
| 51 | |
| 52 <!-- Try a weird URL. --> | |
| 53 <form id="form5" action="about:blank"> | |
| 54 <input type="text" name="uname"> | |
| 55 <input type="password" name="pword"> | |
| 56 | |
| 57 <button type="submit">Submit</button> | |
| 58 <button type="reset"> Reset </button> | |
| 59 </form> | |
| 60 | |
| 61 <!-- Try a weird URL. (If the normal embedded action URL doesn't work, that should mean other URLs won't either) --> | |
| 62 <form id="form6" action="view-source:http://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js"> | |
| 63 <input type="text" name="uname"> | |
| 64 <input type="password" name="pword"> | |
| 65 | |
| 66 <button type="submit">Submit</button> | |
| 67 <button type="reset"> Reset </button> | |
| 68 </form> | |
| 69 | |
| 70 <!-- Try a weird URL. --> | |
| 71 <form id="form7" action="view-source:formtest.js"> | |
| 72 <input type="text" name="uname"> | |
| 73 <input type="password" name="pword"> | |
| 74 | |
| 75 <button type="submit">Submit</button> | |
| 76 <button type="reset"> Reset </button> | |
| 77 </form> | |
| 78 | |
| 79 <!-- Action URL points to a different host (this is the archetypical exploit) --> | |
| 80 <form id="form8" action="http://www.cnn.com/"> | |
| 81 <input type="text" name="uname"> | |
| 82 <input type="password" name="pword"> | |
| 83 | |
| 84 <button type="submit">Submit</button> | |
| 85 <button type="reset"> Reset </button> | |
| 86 </form> | |
| 87 | |
| 88 <!-- Action URL points to a different host, user field prefilled --> | |
| 89 <form id="form9" action="http://www.cnn.com/"> | |
| 90 <input type="text" name="uname" value="testuser"> | |
| 91 <input type="password" name="pword"> | |
| 92 | |
| 93 <button type="submit">Submit</button> | |
| 94 <button type="reset"> Reset </button> | |
| 95 </form> | |
| 96 | |
| 97 <!-- Try wrapping a evil form around a good form, to see if we can confuse the parser. --> | |
| 98 <form id="form10-A" action="http://www.cnn.com/"> | |
| 99 <form id="form10-B" action="formtest.js"> | |
| 100 <input type="text" name="uname"> | |
| 101 <input type="password" name="pword"> | |
| 102 | |
| 103 <button type="submit">Submit (inner)</button> | |
| 104 <button type="reset"> Reset (inner)</button> | |
| 105 </form> | |
| 106 <button type="submit" id="neutered_submit10">Submit (outer)</button> | |
| 107 <button type="reset">Reset (outer)</button> | |
| 108 </form> | |
| 109 | |
| 110 <!-- Try wrapping a good form around an evil form, to see if we can confuse the parser. --> | |
| 111 <form id="form11-A" action="formtest.js"> | |
| 112 <form id="form11-B" action="http://www.cnn.com/"> | |
| 113 <input type="text" name="uname"> | |
| 114 <input type="password" name="pword"> | |
| 115 | |
| 116 <button type="submit">Submit (inner)</button> | |
| 117 <button type="reset"> Reset (inner)</button> | |
| 118 </form> | |
| 119 <button type="submit" id="neutered_submit11">Submit (outer)</button> | |
| 120 <button type="reset">Reset (outer)</button> | |
| 121 </form> | |
| 122 | |
| 123 <!-- TODO: probably should have some accounts which have no port # in the action url. JS too. And different host/proto. --> | |
| 124 <!-- TODO: www.site.com vs. site.com? --> | |
| 125 <!-- TODO: foo.site.com vs. bar.site.com? --> | |
| 126 | |
| 127 </div> | |
| 128 <pre id="test"> | |
| 129 <script class="testbody" type="text/javascript"> | |
| 130 | |
| 131 /** Test for Login Manager: 360493 (Cross-Site Forms + Password Manager = Security Failure) **/ | |
| 132 | |
| 133 commonInit(); | |
| 134 | |
| 135 function startTest() { | |
| 136 for (var i = 1; i <= 8; i++) { | |
| 137 // Check form i | |
| 138 is($_(i, "uname").value, "", "Checking for unfilled username " + i); | |
| 139 is($_(i, "pword").value, "", "Checking for unfilled password " + i); | |
| 140 } | |
| 141 | |
| 142 is($_(9, "uname").value, "testuser", "Checking for unmodified username 9"); | |
| 143 is($_(9, "pword").value, "", "Checking for unfilled password 9"); | |
| 144 | |
| 145 is($_("10-A", "uname").value, "", "Checking for unfilled username 10A"); | |
| 146 is($_("10-A", "pword").value, "", "Checking for unfilled password 10A"); | |
| 147 //is($_("10-B", "uname").value, "", "Checking for unfilled username 10B"); | |
| 148 //is($_("10-B", "pword").value, "", "Checking for unfilled password 10B"); | |
| 149 | |
| 150 // The DOM indicates this form could be filled, as the evil inner form | |
| 151 // is discarded. And yet pwmgr seems not to fill it. Not sure why. | |
| 152 todo(false, "Mangled form combo not being filled when maybe it could be?"); | |
| 153 is($_("11-A", "uname").value, "testuser", "Checking filled username 11A"); | |
| 154 is($_("11-A", "pword").value, "testpass", "Checking filled password 11A"); | |
| 155 //is($_("11-B", "uname").value, "", "Checking for unfilled username 11B"); | |
| 156 //is($_("11-B", "pword").value, "", "Checking for unfilled password 11B"); | |
| 157 | |
| 158 // Verify this by making sure there are no extra forms in the document, and | |
| 159 // that the submit button for the neutered forms don't do anything. | |
| 160 // If the test finds extra forms the submit() causes the test to timeout, then | |
| 161 // there may be a security issue. | |
| 162 is(document.forms.length, 11, "Checking for unexpected forms"); | |
| 163 $("neutered_submit10").click(); | |
| 164 $("neutered_submit11").click(); | |
| 165 | |
| 166 SimpleTest.finish(); | |
| 167 } | |
| 168 | |
| 169 window.onload = startTest; | |
| 170 | |
| 171 SimpleTest.waitForExplicitFinish(); | |
| 172 | |
| 173 </script> | |
| 174 </pre> | |
| 175 </body> | |
| 176 </html> | |
| 177 |
