Opened 16 years ago

Closed 16 years ago

#2296 closed Bug (fixed)

Permission denied error when clicking on files in file browser under domain relaxation

Reported by: Martin Kou
Owned by: Martin Kou
Priority: Normal
Milestone: FCKeditor 2.6.2
Component: General
Version: SVN (FCKeditor) - Retired
Keywords: Confirmed Firefox Review+
Cc:

Description

Reproduction procedure:

  1. Open sample01.html under domain relaxation mode.
  2. Open the image dialog.
  3. Click "Browse Server".
  4. Click on one of the uploaded image files.
  5. Permission denied error.

This bug affects both Firefox 2 and Firefox 3.

Attachments (2)

2296.patch (2.0 KB) - added by Martin Kou 16 years ago.
2296_2.patch (3.5 KB) - added by Martin Kou 16 years ago.


Change History (8)

Changed 16 years ago by Martin Kou

Attachment: 2296.patch added

comment:1 Changed 16 years ago by Martin Kou

Keywords: Review? added

comment:2 Changed 16 years ago by Frederico Caldeira Knabben

Keywords: Review- added; Review? removed

I've tested the patch, as well as #2115 and #1919 with FF2, FF3, IE6, IE7 and Safari, with and without document.domain. Almost everything worked well, except:

  • FF2: the patch causes a regression of #2117 (show stopper).
  • Opera: domain relaxation is not working... not related to this ticket, so no problem.

So, it seems that our domain relaxation stuff is not needed for FF2 in that case. We are almost there, but not there yet.

comment:3 Changed 16 years ago by Martin Kou

I don't think the domain relaxation stuff is unneeded for Firefox... We're having an issue in Firefox 2 and 3 here because the file browser dialog is currently having a different document.domain than the main FCKeditor window.

Let's say I fired up sample01.html from www.fckeditor.local but document.domain is set to fckeditor.local inside sample01.html. Everything inside the window should have document.domain == 'fckeditor.local' or else they cannot interact with each other. If I open the file browser dialog from inside the image dialog, and print out the document.domain value with Firebug, the value would be www.fckeditor.local, which makes it impossible for the file browser to communicate with the main window in any way (thus SetUrl fails).

Applying the #2296 patch alone would cause a regression in #2117 in Firefox 2 because of Firefox 2's XMLHttpRequest bug, described in here. Basically, what this means is, whenever we've set document.domain in Firefox 2, XMLHttpRequest will stop working the "normal way" in the sense that its responseXML attribute will always be inaccessible. The only way to fix this is to parse the responseText to an XML DOM ourselves. We've got the very same fix as #2117 in editor/_source/classes/fckxml_gecko.js for domain relaxation, so #2117 is just fixing a known bug. That is why I said #2117's patch has to be applied in conjunction with this ticket's patch to get a working dialog.

I don't really see any other way this issue can be fixed in JavaScript as domain checking is a very fundamental security feature in Firefox.
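
The origin check described in comment:3, modelled in JavaScript as an added example (not FCKeditor code and not the patch attached to this ticket). The names `Doc` and `canAccess` and the popup path are hypothetical, and the model omits the public-suffix checks real browsers also apply.

```javascript
// Added illustration: a model of the same-origin check with document.domain
// relaxation. Doc, canAccess and the popup path are hypothetical names; the
// hostnames are the ones used in the comment above.
class Doc {
  constructor(url) {
    const u = new URL(url);
    this.scheme = u.protocol;
    this.host = u.hostname;
    this.port = u.port;
    this.domain = u.hostname; // value document.domain reads back
    this.relaxed = false;     // becomes true once document.domain is assigned
  }

  // Models `document.domain = value`: only the current value or a parent
  // suffix of it is accepted (public-suffix checks are omitted here).
  setDomain(value) {
    if (value !== this.domain && !this.domain.endsWith('.' + value)) {
      throw new Error('SecurityError: cannot set document.domain to ' + value);
    }
    this.domain = value;
    this.relaxed = true;
  }
}

// True when script in document a may touch document b.
function canAccess(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.relaxed || b.relaxed) {
    // Once either side has assigned document.domain, both must have assigned
    // it, to the same value. The port is no longer compared.
    return a.relaxed && b.relaxed && a.domain === b.domain;
  }
  return a.host === b.host && a.port === b.port;
}

// Constructed scenario from the ticket: sample01.html relaxes its domain,
// the file browser popup (path is a placeholder) initially does not.
const editor = new Doc('http://www.fckeditor.local/sample01.html');
editor.setDomain('fckeditor.local');
const popup = new Doc('http://www.fckeditor.local/filebrowser-placeholder.html');

const beforeFix = canAccess(popup, editor); // popup cannot call SetUrl
popup.setDomain('fckeditor.local');
const afterFix = canAccess(popup, editor);
console.log({ beforeFix, afterFix });
```

Note that a document which assigns document.domain to its own full host name still stops matching a same-host document that never assigned it, which is why every frame and popup in the editor has to apply the relaxation consistently.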

Changed 16 years ago by Martin Kou

Attachment: 2296_2.patch added

comment:4 Changed 16 years ago by Martin Kou

Keywords: Review? added; Review- removed

Proposing a new patch which merges the old patch with #2117's.

comment:5 Changed 16 years ago by Frederico Caldeira Knabben

Keywords: Review+ added; Review? removed

Tested the patch with IE6, IE7, FF2, FF3, Safari and Opera, with and without domain relaxation. Everything worked well ;)

comment:6 Changed 16 years ago by Martin Kou

Resolution: fixed
Status: new → closed

Fixed with [2108].
