[Bug 1222912] Re: Error parsing proxy.pac

Michael Greene mgreene at securityinnovation.com
Fri Sep 25 00:26:34 UTC 2015


Looks like that was actually only about 95% of the way to the bug.
Here's the real issue, one call further in, in the get_proxy_info
function:

      gpointer instance=getFirstInTableInstance(instance_to_id_map);
      browser_functions.getvalueforurl((NPP) instance, NPNURLVProxy, siteAddr, proxy, len);

Looking at the docs for that function (NPN_GetValueForURL), the
signature is:

      NPError NPN_GetValueForURL(NPP instance, NPNURLVariable variable,
                                 const char *url, char **value, uint32_t *len);

And an important point is called out for the value parameter:

*Note: the value may have internal NULL bytes and may not be NULL-
terminated.*

Importantly, neither the return value nor len is actually checked
before moving on and attempting to use the value.

When Firefox is set to use a PAC file that doesn't exist, the function
call fails, no allocation happens for **value (leaving whatever garbage
was in memory before), len is set to 0, but IcedTea disregards that and
continues on as though it succeeded, and concatenates random memory
garbage to the plugin PluginProxyInfo string that is to be sent over to
the java process.

Back in the previous function call, it is enough to work around the bug
by changing gchar* proxy; to gchar* proxy = NULL;, but it is perhaps
only partially correct. Attached here is a patch that resolves the issue
in my case.

** Patch added: "fix_invalid_byte_sequence.patch"
   https://bugs.launchpad.net/ubuntu/+source/icedtea-web/+bug/1222912/+attachment/4473859/+files/fix_invalid_byte_sequence.patch

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to icedtea-web in Ubuntu.
https://bugs.launchpad.net/bugs/1222912

Title:
  Error parsing proxy.pac

Status in icedtea-web package in Ubuntu:
  New

Bug description:
  Ubuntu 12.04.3 LTS 32-bit up-to-date

  When using the following proxy.pac, IcedTea doesn't open embedded java
  applets in Firefox or Chromium:

  function FindProxyForURL(url, host) {
     return "PROXY 192.168.1.3:8080; DIRECT";
  }

  I had to change to:

  function FindProxyForURL(url, host) {
     return "PROXY 192.168.1.3:8080";
  }

  There is some problem passing & parsing proxy.pac configurations.

  I tried using proxy.pac using system proxy configuration, browser
  proxy configuration and IcedTea Web Control Panel.

  My conclusion is that proxy.pac files only work if they return one proxy
  possibility (as in my example above).

  Similar to:
  https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1091926

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/icedtea-web/+bug/1222912/+subscriptions
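
The checks the message above calls for (initialise the out-parameters, test the return code and len, copy exactly len bytes), as an added example that is not part of the original message or the attached patch. The callback type, error codes, mock functions and URL are stand-ins assumed here in place of the real NPAPI headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins (assumptions) for the NPError codes and the browser callback. */
enum { ERR_NONE = 0, ERR_GENERIC = 1 };
typedef int16_t (*get_value_fn)(const char *url, char **value, uint32_t *len);

/* Constructed mock, PAC file missing: fails, never writes *value, len = 0. */
static int16_t mock_fail(const char *url, char **value, uint32_t *len) {
    (void)url; (void)value;
    *len = 0;
    return ERR_GENERIC;
}

/* Constructed mock, success: the returned buffer is NOT NUL-terminated. */
static int16_t mock_ok(const char *url, char **value, uint32_t *len) {
    static const char raw[] = { 'P','R','O','X','Y',' ','h',':','1' };
    (void)url;
    *value = malloc(sizeof raw);
    if (!*value) return ERR_GENERIC;
    memcpy(*value, raw, sizeof raw);
    *len = (uint32_t)sizeof raw;
    return ERR_NONE;
}

/* Returns a NUL-terminated heap copy of the proxy value, or NULL when the
 * call failed, returned nothing, or the value has an embedded NUL byte. */
char *safe_proxy_lookup(get_value_fn fn, const char *url) {
    char *value = NULL;   /* a failed call must not leave stack garbage here */
    uint32_t len = 0;
    char *out = NULL;

    if (fn(url, &value, &len) == ERR_NONE && value != NULL && len > 0 &&
        memchr(value, '\0', len) == NULL) {
        out = malloc((size_t)len + 1);
        if (out) { memcpy(out, value, len); out[len] = '\0'; }
    }
    free(value);          /* real NPAPI code would release with NPN_MemFree */
    return out;
}

int main(void) {
    char *p = safe_proxy_lookup(mock_ok, "http://example.test/");
    printf("ok:   %s\n", p ? p : "(none)");
    free(p);
    p = safe_proxy_lookup(mock_fail, "http://example.test/");
    printf("fail: %s\n", p ? p : "(none)");
    free(p);
    return 0;
}
```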


