
@Meorawr
Last active August 14, 2020 17:24
BackdropMixin Taint

The new BackdropMixin appears to spread taint to any secure frames using backdrops that are instantiated after an addon first uses a backdrop.

  1. Shared layout table used by both insecure and secure code.
  2. The shared layout is referenced by ApplyLayout; additionally the "Center" piece is always mutated here which might cause other issues if read elsewhere.
  3. ApplyLayout iterates over all pieces in the given layout table and invokes PropagateLayoutSettingsToPieceLayout for each one.
  4. This leads into a taint loop: the pieceLayout.mirrorLayout field is always nil, so the function enters the branch and reads the nil value from the userLayout table. Unfortunately, when this happens from insecure code, that nil value is itself tainted and is stored in pieceLayout. On the next call into this function, whether from a secure or an insecure frame, the conditional reads the tainted nil value again because the layout tables are shared.

The above is backed up by the following taint.log excerpt; note in particular that it claims the mirrorLayout "variable" (a table field, in this case) was tainted by insecure code.

7/18 01:51:47.339  Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:206
7/18 01:51:47.339  Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:208
7/18 01:51:47.339  Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:358 TestFrame:ApplyBackdrop()
7/18 01:51:47.339      Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339  Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:242 TestFrame:GetEdgeSize()
7/18 01:51:47.339      Interface\SharedXML\Backdrop.lua:359 TestFrame:ApplyBackdrop()
7/18 01:51:47.339      Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339  Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:364 TestFrame:ApplyBackdrop()
7/18 01:51:47.339      Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339  Global variable x tainted by totalRP3 - Interface\SharedXML\Backdrop.lua:373 TestFrame:ApplyBackdrop()
7/18 01:51:47.339      Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339  Global variable y tainted by totalRP3 - Interface\SharedXML\Backdrop.lua:374 TestFrame:ApplyBackdrop()
7/18 01:51:47.339      Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339  Global variable x1 tainted by totalRP3 - Interface\SharedXML\Backdrop.lua:375 TestFrame:ApplyBackdrop()
7/18 01:51:47.339      Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339  Global variable y1 tainted by totalRP3 - Interface\SharedXML\Backdrop.lua:376 TestFrame:ApplyBackdrop()
7/18 01:51:47.339      Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339  Global variable mirrorLayout tainted by totalRP3 - Interface\SharedXML\NineSlice.lua:84 PropagateLayoutSettingsToPieceLayout()
7/18 01:51:47.339      Interface\SharedXML\NineSlice.lua:387 ApplyLayout()
7/18 01:51:47.339      Interface\SharedXML\Backdrop.lua:378 TestFrame:ApplyBackdrop()
7/18 01:51:47.339      Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339  Global variable TopLeftCorner tainted by totalRP3 - Interface\SharedXML\NineSlice.lua:76 GetNineSlicePiece()
7/18 01:51:47.339      Interface\SharedXML\NineSlice.lua:389 ApplyLayout()
7/18 01:51:47.339      Interface\SharedXML\Backdrop.lua:378 TestFrame:ApplyBackdrop()
7/18 01:51:47.339      Interface\SharedXML\Backdrop.lua:212

Later on, we can see that the PTR issue reporter gets tainted when one of the "Report Bug" or "Confused" buttons is clicked, because the frame it creates initializes a backdrop:

7/18 01:51:47.930  Execution tainted by totalRP3 while reading mirrorLayout - Interface\SharedXML\NineSlice.lua:83 PropagateLayoutSettingsToPieceLayout()
7/18 01:51:47.930      Interface\SharedXML\NineSlice.lua:387 ApplyLayout()
7/18 01:51:47.930      Interface\SharedXML\Backdrop.lua:378 <unnamed>:ApplyBackdrop()
7/18 01:51:47.930      Interface\SharedXML\Backdrop.lua:397 <unnamed>:SetBackdrop()
7/18 01:51:47.930      Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback_Frames.lua:781 AddBorder()
7/18 01:51:47.930      Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback_Frames.lua:744 CreateMainView()
7/18 01:51:47.930      Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback.lua:70 Init()
7/18 01:51:47.930      Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback.lua:602
7/18 01:51:47.930  Global variable mirrorLayout tainted by totalRP3 - Interface\SharedXML\NineSlice.lua:84 PropagateLayoutSettingsToPieceLayout()
7/18 01:51:47.930      Interface\SharedXML\NineSlice.lua:387 ApplyLayout()
7/18 01:51:47.930      Interface\SharedXML\Backdrop.lua:378 <unnamed>:ApplyBackdrop()
7/18 01:51:47.930      Interface\SharedXML\Backdrop.lua:397 <unnamed>:SetBackdrop()
7/18 01:51:47.930      Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback_Frames.lua:781 AddBorder()
7/18 01:51:47.930      Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback_Frames.lua:744 CreateMainView()
7/18 01:51:47.930      Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback.lua:70 Init()
7/18 01:51:47.930      Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback.lua:602
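The taint loop from steps 1 to 4 and the two log excerpts above, as an added Python model (not WoW code and not the gist author's): table slots carry a value plus a "written by insecure code" flag, reading a tainted slot taints the running execution, and a write records the writer's taint even when the value is nil. The names PIECES, apply_backdrop and ordering_scenario are this model's own, and the real BACKDROP_DIALOG_32_32 layout is reduced to three shared pieces.

```python
from typing import Any
PIECES = ("TopLeftCorner", "TopEdge", "Center")   # simplified stand-in for the real nine pieces

class Execution:
    def __init__(self, tainted: bool) -> None:
        self.tainted = tainted   # taint state of the running code path (secure UI or addon)

class TaintedTable(dict):
    """Lua-like table of (value, tainted) slots modelling WoW's taint bookkeeping."""
    def read(self, key: str, ctx: Execution) -> Any:
        value, tainted = self.get(key, (None, False))   # a missing key reads as a clean nil
        ctx.tainted = ctx.tainted or tainted            # "Execution tainted ... while reading <key>"
        return value

    def write(self, key: str, value: Any, ctx: Execution) -> None:
        self[key] = (value, ctx.tainted)                # a nil written by tainted code is a tainted nil

def issecurevariable(table: TaintedTable, key: str) -> bool:
    return not table.get(key, (None, False))[1]         # mirrors the /dump issecurevariable check

def propagate_layout_settings_to_piece_layout(user_layout, piece_layout, ctx):
    # Step 4: mirrorLayout is never set on a piece, so every call takes this branch
    # and copies the (nil) value from the shared user layout into the shared piece.
    if piece_layout.read("mirrorLayout", ctx) is None:
        piece_layout.write("mirrorLayout", user_layout.read("mirrorLayout", ctx), ctx)

def make_shared_layout() -> TaintedTable:
    # the global layout table (BACKDROP_DIALOG_32_32 on the page), built by secure code
    layout, ctx = TaintedTable(), Execution(tainted=False)
    for piece in PIECES:
        layout.write(piece, TaintedTable(), ctx)
    return layout

def apply_backdrop(frame: TaintedTable, shared: TaintedTable, secure: bool) -> bool:
    # ApplyLayout over the shared pieces, then the frame's own state; returns whether the
    # execution ended up tainted, which every later write on this code path inherits
    ctx = Execution(tainted=not secure)
    for piece in PIECES:
        propagate_layout_settings_to_piece_layout(shared, shared.read(piece, ctx), ctx)
    frame.write("FrameComponents", list(PIECES), ctx)
    return ctx.tainted

def ordering_scenario() -> dict:
    # a secure frame built before any addon backdrop stays clean; one built after does not
    shared = make_shared_layout()
    before, addon, after = TaintedTable(), TaintedTable(), TaintedTable()
    apply_backdrop(before, shared, secure=True)
    apply_backdrop(addon, shared, secure=False)   # e.g. totalRP3 applying its backdrop
    apply_backdrop(after, shared, secure=True)    # e.g. the PTR issue reporter afterwards
    return {"before": issecurevariable(before, "FrameComponents"), "after": issecurevariable(after, "FrameComponents")}
```

The "after" frame is tainted even though its own code path was secure: the only insecure write it ever touched is the nil stored in the shared piece layout.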

A very basic reproducible test case can be found in the associated XML file below.

<Ui xmlns="http://www.blizzard.com/wow/ui/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.blizzard.com/wow/ui/">
    <!--
    Upon login, run the following in the chat frame. If taint has
    occurred, both of the following variables will report as being insecure:

    /dump issecurevariable(PTR_IssueReporter.Data, "CurrentMapID")
    /dump issecurevariable(PTRIssueReporterAlertFrame, "FrameComponents")

    It's possible for the first one to spuriously return "true" (there
    might be an element of luck to it), but the "FrameComponents" key on
    the PTRIssueReporterAlertFrame seems to consistently be tainted.

    If the "backdropInfo" KeyValue element is removed, taint won't occur.
    -->
    <Frame name="TestFrame" inherits="BackdropTemplate">
        <KeyValues>
            <KeyValue key="backdropInfo" value="BACKDROP_DIALOG_32_32" type="global"/>
        </KeyValues>
    </Frame>
</Ui>
Meorawr commented Jul 18, 2020

Screenshot of the taint results from the /dump commands.

Nils89 commented Aug 12, 2020

Anything that we can do here to fix this?

Meorawr commented Aug 12, 2020

We've reported it to Blizzard, it's pending a fix on their side. Maybe next build. 🤞.

Nils89 commented Aug 12, 2020

Thanks for the quick answer, because it is really annoying if you try to get the add-on ready for SL.

Meorawr commented Aug 12, 2020

I thought about it some more and came up with a possible fix: Stanzilla/WoWUIBugs#28 (comment)

If that snippet is loaded early in an addon (before any backdrops are assigned) it might clear the taint off the shared layout table. Similar approaches were used in the past for various UIDropDownMenu taint issues. I've not tested it extensively however.

Nils89 commented Aug 12, 2020

this is working 👍

Meorawr commented Aug 12, 2020

Good to hear - I'd updated it just a few minutes ago so make sure you've pulled in the latest version of it though. There was a minor issue where it'd screw up the layering of the center piece.

Meorawr commented Aug 14, 2020

@Nils89 Just so you're aware - we've been told that there should be fixes shipping for the backdrop taint issues in the next PTR/beta build.

Nils89 commented Aug 14, 2020

That sounds great, thanks :)
