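--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/toolkit/components/passwordmgr/test/test_bug_360493_2.html	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,177 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+ <title>Test for Login Manager</title>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <script type="text/javascript" src="pwmgr_common.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: 360493
+<p id="display"></p>
+<div id="content" style="display: none">
+
+ <!-- The tests in this page exercise things that shouldn't work. -->
+
+ <!-- Change port # of action URL from 8888 to 7777 -->
+ <form id="form1" action="http://localhost:7777/tests/toolkit/components/passwordmgr/test/formtest.js">
+ <input type="text" name="uname">
+ <input type="password" name="pword">
+
+ <button type="submit">Submit</button>
+ <button type="reset"> Reset </button>
+ </form>
+
+ <!-- No port # in action URL -->
+ <form id="form2" action="http://localhost/tests/toolkit/components/passwordmgr/test/formtest.js">
+ <input type="text" name="uname">
+ <input type="password" name="pword">
+
+ <button type="submit">Submit</button>
+ <button type="reset"> Reset </button>
+ </form>
+
+ <!-- Change protocol from http:// to ftp://, include the expected 8888 port # -->
+ <form id="form3" action="ftp://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
+ <input type="text" name="uname">
+ <input type="password" name="pword">
+
+ <button type="submit">Submit</button>
+ <button type="reset"> Reset </button>
+ </form>
+
+ <!-- Change protocol from http:// to ftp://, no port # specified -->
+ <form id="form4" action="ftp://localhost/tests/toolkit/components/passwordmgr/test/formtest.js">
+ <input type="text" name="uname">
+ <input type="password" name="pword">
+
+ <button type="submit">Submit</button>
+ <button type="reset"> Reset </button>
+ </form>
+
+ <!-- Try a weird URL. -->
+ <form id="form5" action="about:blank">
+ <input type="text" name="uname">
+ <input type="password" name="pword">
+
+ <button type="submit">Submit</button>
+ <button type="reset"> Reset </button>
+ </form>
+
+ <!-- Try a weird URL. (If the normal embedded action URL doesn't work, that should mean other URLs won't either) -->
+ <form id="form6" action="view-source:http://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
+ <input type="text" name="uname">
+ <input type="password" name="pword">
+
+ <button type="submit">Submit</button>
+ <button type="reset"> Reset </button>
+ </form>
+
+ <!-- Try a weird URL. -->
+ <form id="form7" action="view-source:formtest.js">
+ <input type="text" name="uname">
+ <input type="password" name="pword">
+
+ <button type="submit">Submit</button>
+ <button type="reset"> Reset </button>
+ </form>
+
+ <!-- Action URL points to a different host (this is the archetypical exploit) -->
+ <form id="form8" action="http://www.cnn.com/">
+ <input type="text" name="uname">
+ <input type="password" name="pword">
+
+ <button type="submit">Submit</button>
+ <button type="reset"> Reset </button>
+ </form>
+
+ <!-- Action URL points to a different host, user field prefilled -->
+ <form id="form9" action="http://www.cnn.com/">
+ <input type="text" name="uname" value="testuser">
+ <input type="password" name="pword">
+
+ <button type="submit">Submit</button>
+ <button type="reset"> Reset </button>
+ </form>
+
+ <!-- Try wrapping a evil form around a good form, to see if we can confuse the parser. -->
+ <form id="form10-A" action="http://www.cnn.com/">
+ <form id="form10-B" action="formtest.js">
+ <input type="text" name="uname">
+ <input type="password" name="pword">
+
+ <button type="submit">Submit (inner)</button>
+ <button type="reset"> Reset (inner)</button>
+ </form>
+ <button type="submit" id="neutered_submit10">Submit (outer)</button>
+ <button type="reset">Reset (outer)</button>
+ </form>
+
+ <!-- Try wrapping a good form around an evil form, to see if we can confuse the parser. -->
+ <form id="form11-A" action="formtest.js">
+ <form id="form11-B" action="http://www.cnn.com/">
+ <input type="text" name="uname">
+ <input type="password" name="pword">
+
+ <button type="submit">Submit (inner)</button>
+ <button type="reset"> Reset (inner)</button>
+ </form>
+ <button type="submit" id="neutered_submit11">Submit (outer)</button>
+ <button type="reset">Reset (outer)</button>
+ </form>
+
+<!-- TODO: probably should have some accounts which have no port # in the action url. JS too. And different host/proto. -->
+<!-- TODO: www.site.com vs. site.com? -->
+<!-- TODO: foo.site.com vs. bar.site.com? -->
+
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: 360493 (Cross-Site Forms + Password Manager = Security Failure) **/
+
+commonInit();
+
+function startTest() {
+ for (var i = 1; i <= 8; i++) {
+ // Check form i
+ is($_(i, "uname").value, "", "Checking for unfilled username " + i);
+ is($_(i, "pword").value, "", "Checking for unfilled password " + i);
+ }
+
+ is($_(9, "uname").value, "testuser", "Checking for unmodified username 9");
+ is($_(9, "pword").value, "", "Checking for unfilled password 9");
+
+ is($_("10-A", "uname").value, "", "Checking for unfilled username 10A");
+ is($_("10-A", "pword").value, "", "Checking for unfilled password 10A");
+ //is($_("10-B", "uname").value, "", "Checking for unfilled username 10B");
+ //is($_("10-B", "pword").value, "", "Checking for unfilled password 10B");
+
+ // The DOM indicates this form could be filled, as the evil inner form
+ // is discarded. And yet pwmgr seems not to fill it. Not sure why.
+ todo(false, "Mangled form combo not being filled when maybe it could be?");
+ is($_("11-A", "uname").value, "testuser", "Checking filled username 11A");
+ is($_("11-A", "pword").value, "testpass", "Checking filled password 11A");
+ //is($_("11-B", "uname").value, "", "Checking for unfilled username 11B");
+ //is($_("11-B", "pword").value, "", "Checking for unfilled password 11B");
+
+ // Verify this by making sure there are no extra forms in the document, and
+ // that the submit button for the neutered forms don't do anything.
+ // If the test finds extra forms the submit() causes the test to timeout, then
+ // there may be a security issue.
+ is(document.forms.length, 11, "Checking for unexpected forms");
+ $("neutered_submit10").click();
+ $("neutered_submit11").click();
+
+ SimpleTest.finish();
+}
+
+window.onload = startTest;
+
+SimpleTest.waitForExplicitFinish();
+
+</script>
+</pre>
+</body>
+</html>
+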
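Review bot: The final check in `startTest()` probably cannot fail the way its comment expects, because `SimpleTest.finish()` runs synchronously right after the two `.click()` calls. A button that did submit would most likely start navigating only after the test has reported completion, so no timeout would occur. Asserting the neutering directly before the clicks would be sturdier, e.g. `is($("neutered_submit10").form, null, "outer submit 10 has no form owner");` and the same for `neutered_submit11`. Separately, the comment and `todo(false, …)` above the 11-A assertions say pwmgr does not fill that form, while the two `is()` calls that follow expect `testuser`/`testpass`. One of the two is stale and should be reconciled so the intended autofill behaviour for the nested-form case is unambiguous.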