1 files changed, 173 insertions, 0 deletions

diff --git a/toolkit/components/passwordmgr/test/mochitest/test_form_action_2.html b/toolkit/components/passwordmgr/test/mochitest/test_form_action_2.html
new file mode 100644
index 0000000000..2eae0958ca
--- /dev/null
+++ b/toolkit/components/passwordmgr/test/mochitest/test_form_action_2.html
@@ -0,0 +1,173 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>Test for considering form action</title>
+  <script src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="pwmgr_common.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+Login Manager test: Bug 360493
+<script>
+gTestDependsOnDeprecatedLogin = true;
+runChecksAfterCommonInit(() => startTest());
+
+let DEFAULT_ORIGIN = window.location.origin;
+</script>
+<p id="display"></p>
+<div id="content" style="display: none">
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Login Manager: 360493 (Cross-Site Forms + Password Manager = Security Failure) **/
+
+async function startTest() {
+  let win = window.open("about:blank");
+  SimpleTest.registerCleanupFunction(() => win.close());
+  await loadFormIntoWindow(DEFAULT_ORIGIN, `
+    <!-- The tests in this page exercise things that shouldn't work. -->
+
+    <!-- Change port # of action URL from 8888 to 7777 -->
+    <form id="form1" action="http://localhost:7777/tests/toolkit/components/passwordmgr/test/formtest.js">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- No port # in action URL -->
+    <form id="form2" action="http://localhost/tests/toolkit/components/passwordmgr/test/formtest.js">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- Change protocol from http:// to ftp://, include the expected 8888 port # -->
+    <form id="form3" action="ftp://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- Change protocol from http:// to ftp://, no port # specified -->
+    <form id="form4" action="ftp://localhost/tests/toolkit/components/passwordmgr/test/formtest.js">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- Try a weird URL. -->
+    <form id="form5" action="about:blank">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- Try a weird URL. (If the normal embedded action URL doesn't work, that should mean other URLs won't either) -->
+    <form id="form6" action="view-source:http://localhost:8888/tests/toolkit/components/passwordmgr/test/formtest.js">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- Try a weird URL. -->
+    <form id="form7" action="view-source:formtest.js">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- Action URL points to a different host (this is the archetypical exploit) -->
+    <form id="form8" action="http://www.cnn.com/">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- Action URL points to a different host, user field prefilled -->
+    <form id="form9" action="http://www.cnn.com/">
+      <input  type="text"       name="uname" value="testuser">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit</button>
+      <button type="reset"> Reset </button>
+    </form>
+
+    <!-- Try wrapping a evil form around a good form, to see if we can confuse the parser. -->
+    <form id="form10-A" action="http://www.cnn.com/">
+     <form id="form10-B" action="formtest.js">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit (inner)</button>
+      <button type="reset"> Reset  (inner)</button>
+     </form>
+     <button type="submit" id="neutered_submit10">Submit (outer)</button>
+     <button type="reset">Reset (outer)</button>
+    </form>
+
+    <!-- Try wrapping a good form around an evil form, to see if we can confuse the parser. -->
+    <form id="form11-A" action="formtest.js">
+     <form id="form11-B" action="http://www.cnn.com/">
+      <input  type="text"       name="uname">
+      <input  type="password"   name="pword">
+
+      <button type="submit">Submit (inner)</button>
+      <button type="reset"> Reset  (inner)</button>
+     </form>
+     <button type="submit" id="neutered_submit11">Submit (outer)</button>
+     <button type="reset">Reset (outer)</button>
+    </form>`, win, 11);
+
+  // TODO: probably should have some accounts which have no port # in the action url.
+  // JS too. And different host/proto.
+  // TODO: www.site.com vs. site.com?
+  // TODO: foo.site.com vs. bar.site.com?
+
+  for (var i = 1; i <= 8; i++) {
+    // Check form i
+    await checkLoginFormInFrameWithElementValues(win, i, "", "");
+  }
+
+  await checkLoginFormInFrameWithElementValues(win, 9, "testuser", "");
+
+  await checkLoginFormInFrameWithElementValues(win, "10-A", "", "");
+
+  // The DOM indicates this form could be filled, as the evil inner form
+  // is discarded. And yet pwmgr seems not to fill it. Not sure why.
+  todo(false, "Mangled form combo not being filled when maybe it could be?");
+  await checkLoginFormInFrameWithElementValues(win, "11-A", "testuser", "testpass");
+
+  // Verify this by making sure there are no extra forms in the document, and
+  // that the submit button for the neutered forms don't do anything.
+  // If the test finds extra forms the submit() causes the test to timeout, then
+  // there may be a security issue.
+  await SpecialPowers.spawn(win, [], async function submitForms() {
+    is(this.content.document.forms.length, 11, "Checking for unexpected forms");
+    this.content.document.getElementById("neutered_submit10").click();
+    this.content.document.getElementById("neutered_submit11").click();
+  });
+
+  SimpleTest.finish();
+}
+</script>
+</pre>
+</body>
+</html>