The new BackdropMixin appears to spread taint to any secure frames using backdrops that are instantiated after an addon first uses a backdrop.
- A shared layout table is used by both insecure and secure code.
- The shared layout is referenced by ApplyLayout; additionally, the "Center" piece is always mutated there, which might cause other issues if it is read elsewhere.
- ApplyLayout iterates over all pieces in the given layout table and invokes PropagateLayoutSettingsToPieceLayout...
- Which leads you into a taint loop: the `pieceLayout.mirrorLayout` field will always be `nil`, so it enters the branch and reads a `nil` value from the `userLayout` table. Unfortunately, from insecure code this `nil` value itself will be tainted and stored in `pieceLayout`. On the next call back into this function, whether from a secure or an insecure frame, the conditional will then read the tainted `nil` value again because the layout tables are shared.
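To make the propagation path concrete, here is an added Python model of the taint rule the report relies on: a write from tainted execution marks the table cell even when the value written is nil, and a later read of that cell taints the reader. This is an illustration added here, not Blizzard's NineSlice.lua code and not from the original report; the Table and Execution classes, the addon name ExampleAddon and the per-frame copy used as the mitigation are assumptions.

```python
"""Toy model of WoW-style taint propagation through a shared layout table.

Constructed example: the Table/Execution classes, the addon name
"ExampleAddon" and the helper names are assumptions for illustration; they
are not Blizzard's NineSlice.lua implementation.
"""
from copy import deepcopy
from typing import Any, Dict, List, Optional, Tuple

SECURE = None  # origin marker for secure (Blizzard) execution


class Table:
    """A Lua-like table that remembers which execution last wrote each key."""

    def __init__(self) -> None:
        self.values: Dict[str, Any] = {}
        self.origins: Dict[str, Optional[str]] = {}


class Execution:
    """One call path. origin is None while secure, or the tainting addon's name."""

    def __init__(self, origin: Optional[str] = SECURE) -> None:
        self.origin = origin
        self.log: List[str] = []

    def read(self, table: Table, key: str) -> Any:
        # Reading a cell last written by tainted code taints this execution,
        # even if the stored value is nil (Lua nil == Python None).
        cell_origin = table.origins.get(key, SECURE)
        if cell_origin is not SECURE and self.origin is SECURE:
            self.origin = cell_origin
            self.log.append(f"Execution tainted by {cell_origin} while reading {key}")
        return table.values.get(key)

    def write(self, table: Table, key: str, value: Any) -> None:
        # A write records the writer's taint on the cell, whatever the value.
        table.values[key] = value
        table.origins[key] = self.origin


def propagate_layout_settings(ex: Execution, user_layout: Table, piece_layout: Table) -> None:
    # Models the branch described in the report: mirrorLayout is unset on the
    # piece, so the (nil) value is copied from the user layout and stored.
    if ex.read(piece_layout, "mirrorLayout") is None:
        ex.write(piece_layout, "mirrorLayout", ex.read(user_layout, "mirrorLayout"))


def apply_layout(ex: Execution, layout: Dict[str, Table], user_layout: Table) -> None:
    for piece_layout in layout.values():
        propagate_layout_settings(ex, user_layout, piece_layout)


# One layout table shared by every frame, as in the report (constructed piece names).
SHARED_LAYOUT: Dict[str, Table] = {name: Table() for name in ("TopLeftCorner", "TopEdge", "Center")}


def run_scenario(isolate_per_frame: bool) -> Tuple[Optional[str], List[str]]:
    """An addon frame applies the layout first, then a secure frame does.

    Returns the secure execution's final origin (None == still secure) and its taint log.
    """
    shared = deepcopy(SHARED_LAYOUT)  # fresh copy so the two scenarios do not interfere
    user_layout = Table()             # no mirrorLayout set: reads yield nil

    def layout_for_frame() -> Dict[str, Table]:
        # Mitigation modelled here (an assumption, not the shipped fix): give each
        # frame its own copy of the piece layouts instead of mutating the shared one.
        return deepcopy(shared) if isolate_per_frame else shared

    addon_frame = Execution(origin="ExampleAddon")
    apply_layout(addon_frame, layout_for_frame(), user_layout)

    secure_frame = Execution()
    apply_layout(secure_frame, layout_for_frame(), user_layout)
    return secure_frame.origin, secure_frame.log


if __name__ == "__main__":
    for isolate in (False, True):
        origin, log = run_scenario(isolate)
        print(f"isolate_per_frame={isolate}: secure frame origin={origin!r}, log={log}")
```

Running it with the shared table shows the secure frame picking up "ExampleAddon" taint on its very first read of `mirrorLayout`, which is the same shape as the `Execution tainted by totalRP3 while reading mirrorLayout` line in the log excerpt; with per-frame copies the secure frame stays clean. Skipping the write when the user value is nil would also break this particular loop, but only the copy protects against an addon that does set `mirrorLayout`.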
The above is backed up by the following `taint.log` excerpt; pay particular attention to the fact that it claims the `mirrorLayout` "variable" (a field, in this case) was tainted by insecure code.
7/18 01:51:47.339 Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:206
7/18 01:51:47.339 Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:208
7/18 01:51:47.339 Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:358 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:242 TestFrame:GetEdgeSize()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:359 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:364 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Global variable x tainted by totalRP3 - Interface\SharedXML\Backdrop.lua:373 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Global variable y tainted by totalRP3 - Interface\SharedXML\Backdrop.lua:374 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Global variable x1 tainted by totalRP3 - Interface\SharedXML\Backdrop.lua:375 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Global variable y1 tainted by totalRP3 - Interface\SharedXML\Backdrop.lua:376 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Global variable mirrorLayout tainted by totalRP3 - Interface\SharedXML\NineSlice.lua:84 PropagateLayoutSettingsToPieceLayout()
7/18 01:51:47.339 Interface\SharedXML\NineSlice.lua:387 ApplyLayout()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:378 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Global variable TopLeftCorner tainted by totalRP3 - Interface\SharedXML\NineSlice.lua:76 GetNineSlicePiece()
7/18 01:51:47.339 Interface\SharedXML\NineSlice.lua:389 ApplyLayout()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:378 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
Later on, we can see that the PTR issue reporter gets tainted when one of the "Report Bug" or "Confused" buttons is clicked, as the frame created initializes a backdrop:
7/18 01:51:47.930 Execution tainted by totalRP3 while reading mirrorLayout - Interface\SharedXML\NineSlice.lua:83 PropagateLayoutSettingsToPieceLayout()
7/18 01:51:47.930 Interface\SharedXML\NineSlice.lua:387 ApplyLayout()
7/18 01:51:47.930 Interface\SharedXML\Backdrop.lua:378 <unnamed>:ApplyBackdrop()
7/18 01:51:47.930 Interface\SharedXML\Backdrop.lua:397 <unnamed>:SetBackdrop()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback_Frames.lua:781 AddBorder()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback_Frames.lua:744 CreateMainView()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback.lua:70 Init()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback.lua:602
7/18 01:51:47.930 Global variable mirrorLayout tainted by totalRP3 - Interface\SharedXML\NineSlice.lua:84 PropagateLayoutSettingsToPieceLayout()
7/18 01:51:47.930 Interface\SharedXML\NineSlice.lua:387 ApplyLayout()
7/18 01:51:47.930 Interface\SharedXML\Backdrop.lua:378 <unnamed>:ApplyBackdrop()
7/18 01:51:47.930 Interface\SharedXML\Backdrop.lua:397 <unnamed>:SetBackdrop()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback_Frames.lua:781 AddBorder()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback_Frames.lua:744 CreateMainView()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback.lua:70 Init()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback.lua:602
A very basic reproducible test case can be found in the associated XML file below.
Screenshot of the taint results from the /dump commands.