Opened 8 years ago

Closed 8 years ago

#2296 closed Bug (fixed)

Permission denied error when clicking on files in file browser under domain relaxation

Reported by: martinkou
Owned by: martinkou
Priority: Normal
Milestone: FCKeditor 2.6.2
Component: General
Version: SVN (FCKeditor) - Retired
Keywords: Confirmed Firefox Review+
Cc:

Description

Reproduction procedure:

  1. Open sample01.html under domain relaxation mode.
  2. Open the image dialog.
  3. Click "Browse Server".
  4. Click on one of the uploaded image files.
  5. Permission denied error.

This bug affects both Firefox 2 and Firefox 3.

Attachments (2)

2296.patch (2.0 KB) - added by martinkou 8 years ago.
2296_2.patch (3.5 KB) - added by martinkou 8 years ago.


Change History (8)

Changed 8 years ago by martinkou

comment:1 Changed 8 years ago by martinkou

  • Keywords Review? added

comment:2 Changed 8 years ago by fredck

  • Keywords Review- added; Review? removed

I've tested the patch, as well as #2115 and #1919 with FF2, FF3, IE6, IE7 and Safari, with and without document.domain. Almost everything worked well, except:

  • FF2: the patch causes a regression of #2117 (show stopper).
  • Opera: domain relaxation is not working... not related to this ticket, so no problem.

So, it seems that our domain relaxation stuff is not needed for FF2 in that case. We are almost there, but not there yet.

comment:3 Changed 8 years ago by martinkou

I don't think the domain relaxation stuff is unneeded for Firefox... We're having an issue in Firefox 2 and 3 here because the file browser dialog currently has a different document.domain than the main FCKeditor window.

Let's say I fired up sample01.html from www.fckeditor.local but document.domain is set to fckeditor.local inside sample01.html. Everything inside the window should have document.domain == 'fckeditor.local' or else they cannot interact with each other. If I open the file browser dialog from inside the image dialog, and print out the document.domain value with Firebug, the value would be www.fckeditor.local, which makes it impossible for the file browser to communicate with the main window in any way (thus SetUrl fails).

Applying the #2296 patch alone would cause a regression in #2117 in Firefox 2 because of Firefox 2's XMLHttpRequest bug, described here. Basically, what this means is, whenever we've set document.domain in Firefox 2, XMLHttpRequest will stop working the "normal way" in the sense that its responseXML attribute will always be inaccessible. The only way to fix this is to parse the responseText to an XML DOM ourselves. We've got the very same fix as #2117 in editor/_source/classes/fckxml_gecko.js for domain relaxation, so #2117 is just fixing a known bug. That is why I said #2117's patch has to be applied in conjunction with this ticket's patch to get a working dialog.

I don't really see any other way this issue can be fixed in JavaScript as domain checking is a very fundamental security feature in Firefox.
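
The document.domain mismatch described in comment 3, as an added example that is not part of the ticket or of FCKeditor's code: a simplified model of the HTML "same origin-domain" check, showing why a frame that never set document.domain cannot script one that did. The hostnames and sample01.html come from the ticket; the function names and the browser.html file name are assumptions made for illustration.

```javascript
// Simplified model of the browser's "same origin-domain" check (added example).
// Function names and browser.html are constructed; hostnames are from the ticket.

function makeDocument(url) {
  const u = new URL(url);
  // domain stays null until a script assigns document.domain
  return { scheme: u.protocol, host: u.hostname, port: u.port, domain: null };
}

// Models `document.domain = value`: only the current host or a parent suffix is allowed.
// (Real browsers also refuse public suffixes such as "com"; omitted in this model.)
function relaxDomain(doc, value) {
  const current = doc.domain || doc.host;
  if (value !== current && !current.endsWith('.' + value)) {
    throw new Error('SecurityError: ' + value + ' is not a suffix of ' + current);
  }
  doc.domain = value;
  return doc;
}

// Two documents may script each other only if both relaxed to the same value,
// or neither relaxed and scheme, host and port all match.
function canScript(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  return false; // one side relaxed and the other did not
}

function demo() {
  const base = 'http://www.fckeditor.local/';
  const editor = relaxDomain(makeDocument(base + 'sample01.html'), 'fckeditor.local');
  const fileBrowser = makeDocument(base + 'browser.html'); // constructed file name
  const before = canScript(fileBrowser, editor); // the state reported in this ticket
  relaxDomain(fileBrowser, 'fckeditor.local');
  const after = canScript(fileBrowser, editor);  // both frames now agree
  return { before, after };
}
```
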

Changed 8 years ago by martinkou

comment:4 Changed 8 years ago by martinkou

  • Keywords Review? added; Review- removed

Proposing a new patch which merges the old patch with #2117's.

comment:5 Changed 8 years ago by fredck

  • Keywords Review+ added; Review? removed

Tested the patch with IE6, IE7, FF2, FF3, Safari and Opera, with and without domain relaxation. Everything worked well ;)

comment:6 Changed 8 years ago by martinkou

  • Resolution set to fixed
  • Status changed from new to closed

Fixed with [2108].
