Wed, 31 Dec 2014 06:09:35 +0100
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 <!DOCTYPE HTML>
2 <html>
3 <head>
4 <title>Test for Login Manager</title>
<!-- SimpleTest.js is loaded from the shared test-harness path; pwmgr_common.js is loaded
     from this test's own directory. NOTE(review): the helpers the script at the bottom of
     the page calls (commonInit, $_, is, todo, $) are not defined in this file and
     presumably come from these two scripts; confirm. -->
5 <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
6 <script type="text/javascript" src="pwmgr_common.js"></script>
7 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
8 </head>
9 <body>
10 Login Manager test: 360493
11 <p id="display"></p>
<!-- All fixture forms sit inside this hidden container (display: none); the script at the
     bottom of the page checks the values of their uname and pword fields. -->
12 <div id="content" style="display: none">
14 <!-- The tests in this page exercise things that shouldn't work. The script at the bottom
     of the page asserts, form by form, whether the uname and pword fields were filled. -->
16 <!-- Change port # of action URL from 8888 to 7777. Only the port differs from the
     expected action URL; startTest asserts that both fields stay empty. -->
17 <form id="form1" action="http://localhost:7777/tests/toolkit/components/passwordmgr/test/formtest.js">
18 <input type="text" name="uname">
19 <input type="password" name="pword">
21 <button type="submit">Submit</button>
22 <button type="reset"> Reset </button>
23 </form>
25 <!-- No port # in action URL, so the port is the http default rather than the expected
     8888. startTest asserts that both fields stay empty. -->
26 <form id="form2" action="http://localhost/tests/toolkit/components/passwordmgr/test/formtest.js">
27 <input type="text" name="uname">
28 <input type="password" name="pword">
30 <button type="submit">Submit</button>
31 <button type="reset"> Reset </button>
32 </form>
34 <!-- Change protocol from http:// to ftp://, include the expected 8888 port #. Host, port
     and path are the expected ones and only the scheme differs; startTest asserts that
     both fields stay empty. -->
35 <form id="form3" action="ftp://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
36 <input type="text" name="uname">
37 <input type="password" name="pword">
39 <button type="submit">Submit</button>
40 <button type="reset"> Reset </button>
41 </form>
43 <!-- Change protocol from http:// to ftp://, no port # specified. Both the scheme and the
     port differ from the expected action URL; startTest asserts that both fields stay
     empty. -->
44 <form id="form4" action="ftp://localhost/tests/toolkit/components/passwordmgr/test/formtest.js">
45 <input type="text" name="uname">
46 <input type="password" name="pword">
48 <button type="submit">Submit</button>
49 <button type="reset"> Reset </button>
50 </form>
52 <!-- Try a weird URL: about:blank names no host at all. startTest asserts that both
     fields stay empty. -->
53 <form id="form5" action="about:blank">
54 <input type="text" name="uname">
55 <input type="password" name="pword">
57 <button type="submit">Submit</button>
58 <button type="reset"> Reset </button>
59 </form>
61 <!-- Try a weird URL: the otherwise expected http://localhost:8888 action URL wrapped in
     view-source:. (If the normal embedded action URL doesn't work, that should mean other
     URLs won't either.) startTest asserts that both fields stay empty. -->
62 <form id="form6" action="view-source:http://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
63 <input type="text" name="uname">
64 <input type="password" name="pword">
66 <button type="submit">Submit</button>
67 <button type="reset"> Reset </button>
68 </form>
70 <!-- Try a weird URL: view-source: placed in front of the relative path formtest.js.
     startTest asserts that both fields stay empty. -->
71 <form id="form7" action="view-source:formtest.js">
72 <input type="text" name="uname">
73 <input type="password" name="pword">
75 <button type="submit">Submit</button>
76 <button type="reset"> Reset </button>
77 </form>
79 <!-- Action URL points to a different host (this is the archetypical exploit): a login
     saved for one site must not be filled into a form that would submit it to another
     host. startTest asserts that both fields stay empty. -->
80 <form id="form8" action="http://www.cnn.com/">
81 <input type="text" name="uname">
82 <input type="password" name="pword">
84 <button type="submit">Submit</button>
85 <button type="reset"> Reset </button>
86 </form>
88 <!-- Action URL points to a different host, user field prefilled. startTest asserts that
     the prefilled username "testuser" is left as it is and that the password stays empty.
     NOTE(review): "testuser" is presumably the username of the saved test login, so this
     checks that a matching username alone does not trigger a password fill; confirm. -->
89 <form id="form9" action="http://www.cnn.com/">
90 <input type="text" name="uname" value="testuser">
91 <input type="password" name="pword">
93 <button type="submit">Submit</button>
94 <button type="reset"> Reset </button>
95 </form>
97 <!-- Try wrapping an evil form around a good form, to see if we can confuse the parser.
     The test script expects 11 forms in the whole document and has its form10-B checks
     commented out, so the nested form10-B start tag is expected to be discarded and the
     fields to belong to form10-A (cross-host action); startTest asserts that both fields
     stay empty. NOTE(review): the first closing form tag then presumably ends form10-A,
     leaving the "outer" buttons outside any form, hence the id neutered_submit10, which
     the test clicks; confirm. -->
98 <form id="form10-A" action="http://www.cnn.com/">
99 <form id="form10-B" action="formtest.js">
100 <input type="text" name="uname">
101 <input type="password" name="pword">
103 <button type="submit">Submit (inner)</button>
104 <button type="reset"> Reset (inner)</button>
105 </form>
106 <button type="submit" id="neutered_submit10">Submit (outer)</button>
107 <button type="reset">Reset (outer)</button>
108 </form>
110 <!-- Try wrapping a good form around an evil form, to see if we can confuse the parser.
     The test script expects 11 forms in the whole document and has its form11-B checks
     commented out, so the nested form11-B start tag (cross-host action) is expected to be
     discarded and the fields to belong to form11-A, whose action is the relative
     formtest.js. This is the one form startTest expects to be filled (testuser /
     testpass). NOTE(review): the first closing form tag then presumably ends form11-A,
     leaving the "outer" buttons outside any form, hence the id neutered_submit11, which
     the test clicks; confirm. -->
111 <form id="form11-A" action="formtest.js">
112 <form id="form11-B" action="http://www.cnn.com/">
113 <input type="text" name="uname">
114 <input type="password" name="pword">
116 <button type="submit">Submit (inner)</button>
117 <button type="reset"> Reset (inner)</button>
118 </form>
119 <button type="submit" id="neutered_submit11">Submit (outer)</button>
120 <button type="reset">Reset (outer)</button>
121 </form>
123 <!-- TODO: probably should have some accounts which have no port # in the action URL. JS too. And different host/protocol. -->
124 <!-- TODO: www.site.com vs. site.com? (host differs only by the www. prefix) -->
125 <!-- TODO: foo.site.com vs. bar.site.com? (sibling subdomains of the same site) -->
127 </div>
128 <pre id="test">
129 <script class="testbody" type="text/javascript">
131 /** Test for Login Manager: 360493 (Cross-Site Forms + Password Manager = Security Failure) **/
// commonInit() is not defined in this file.
// NOTE(review): it presumably sets up the saved testuser/testpass login that the
// assertions in startTest depend on; confirm against pwmgr_common.js.
133 commonInit();
/**
 * Load handler for this test: checks which fixture forms ended up with filled
 * fields, then ends the test.
 *
 * Expectations encoded below:
 *  - forms 1-8: username and password both empty;
 *  - form 9: the prefilled username "testuser" untouched, password empty;
 *  - form 10-A: username and password both empty;
 *  - form 11-A: "testuser" / "testpass" filled in;
 *  - exactly 11 forms in the document, and clicking the two "neutered"
 *    submit buttons does not keep the test from finishing.
 *
 * Relies on is(), todo(), $(), $_() and SimpleTest, none of which are defined
 * in this file.
 */
function startTest() {
  // Asserts the value of one field. $_() is an external helper; it is called
  // here with a form number/id and a field name and its result's .value is
  // compared against `expected`.
  function expectValue(formId, fieldName, expected, message) {
    is($_(formId, fieldName).value, expected, message);
  }

  // Forms 1-8 each have an action URL that must not receive the saved login,
  // so neither field may have been filled.
  var formNo = 1;
  while (formNo <= 8) {
    expectValue(formNo, "uname", "", "Checking for unfilled username " + formNo);
    expectValue(formNo, "pword", "", "Checking for unfilled password " + formNo);
    formNo += 1;
  }

  // Form 9: the username that the page itself supplied stays as it was, and
  // no password is added to it.
  expectValue(9, "uname", "testuser", "Checking for unmodified username 9");
  expectValue(9, "pword", "", "Checking for unfilled password 9");

  // Form 10: only the outer form (10-A) is checked; the equivalent checks
  // for "10-B" are disabled in this test.
  expectValue("10-A", "uname", "", "Checking for unfilled username 10A");
  expectValue("10-A", "pword", "", "Checking for unfilled password 10A");

  // Form 11: the DOM suggests this form can be filled, because the evil inner
  // form is discarded. The equivalent checks for "11-B" are disabled.
  // NOTE(review): the todo() message says this combination is not being
  // filled, yet the two assertions after it expect testuser/testpass. One of
  // the two looks stale; confirm which describes current behaviour.
  todo(false, "Mangled form combo not being filled when maybe it could be?");
  expectValue("11-A", "uname", "testuser", "Checking filled username 11A");
  expectValue("11-A", "pword", "testpass", "Checking filled password 11A");

  // Confirm that the nested forms really were discarded: the document must
  // hold no extra forms, and the submit buttons of the neutered forms must do
  // nothing. An unexpected form count, or a click that actually submits and
  // makes the test time out, may indicate a security issue.
  is(document.forms.length, 11, "Checking for unexpected forms");
  var neuteredIds = ["neutered_submit10", "neutered_submit11"];
  for (var k = 0; k < neuteredIds.length; k++) {
    $(neuteredIds[k]).click();
  }

  SimpleTest.finish();
}
// Run the checks from the window load event.
// NOTE(review): this assumes any form filling has already happened by the time
// load fires; confirm.
169 window.onload = startTest;
// Ask the harness to keep the test open until SimpleTest.finish() is called,
// which startTest does as its last step.
171 SimpleTest.waitForExplicitFinish();
173 </script>
174 </pre>
175 </body>
176 </html>