
Re: Possible Netscape / Mozilla bug

Gordon Paynter <gordon.paynter@ucr.edu> writes:
> Under these circumstances could user2 convince Mozilla to open a new
> user1 Mozilla window on another display without user1 knowing?

My guess would be no.  To open a window on a new display, you'd have
to first open a connection to that display, which you'd normally do
through an XOpenDisplay call or its equivalent.  Mozilla for Linux
uses the GTK toolkit, and it doesn't call XOpenDisplay directly;
instead, it calls gtk_init which eventually calls XOpenDisplay.
However, the code in Mozilla is set up to only perform this gtk_init
call once (the first time a new nsAppShell object is created).  Even
if "user2" could somehow change the value of Mozilla's "DISPLAY"
environment variable, I don't see how she could get Mozilla to rerun
gtk_init and open a connection to a different display.

However, using more sophisticated techniques, "user2" could probably
get the same effect.  Though I haven't actually tested it, it should
be possible for her to convince Mozilla to create a window off-screen
(or move the window off-screen once Mozilla has created it, probably
fast enough that "user1" wouldn't see anything), turn on its backing
store (so the X server maintains its contents even though it can't be
seen), and then run a program that continuously copies its contents to
a local window (so she can see what she's doing) and resends keyboard
and mouse events from the local window to the "invisible" window (so
she can do all sorts of terrible damage).

Kevin Buhr <buhr@telus.net>
