The new BackdropMixin appears to spread taint to any secure frames using backdrops that are instantiated after an addon first uses a backdrop.
- Shared layout table used by both insecure and secure code.
- The shared layout is referenced by ApplyLayout; additionally the "Center" piece is always mutated here which might cause other issues if read elsewhere.
- ApplyLayout iterates over all pieces in the given layout table and invokes PropagateLayoutSettingsToPieceLayout...
- Which leads you into a taint loop; the `pieceLayout.mirrorLayout` field will always be `nil`, so it enters the branch and reads a `nil` value from the `userLayout` table - unfortunately from insecure code this `nil` value itself will be tainted and stored in `pieceLayout`. On the next call back into this function - either from a secure or insecure frame - the conditional will then read the tainted `nil` value again due to the layout tables being shared.
The above is backed up by the following `taint.log` excerpt; pay particular attention to the fact that it claims the `mirrorLayout` "variable" (field, in this case) was tainted by insecure code.
```
7/18 01:51:47.339 Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:206
7/18 01:51:47.339 Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:208
7/18 01:51:47.339 Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:358 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:242 TestFrame:GetEdgeSize()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:359 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Execution tainted by totalRP3 while reading backdropInfo - Interface\SharedXML\Backdrop.lua:364 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Global variable x tainted by totalRP3 - Interface\SharedXML\Backdrop.lua:373 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Global variable y tainted by totalRP3 - Interface\SharedXML\Backdrop.lua:374 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Global variable x1 tainted by totalRP3 - Interface\SharedXML\Backdrop.lua:375 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Global variable y1 tainted by totalRP3 - Interface\SharedXML\Backdrop.lua:376 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Global variable mirrorLayout tainted by totalRP3 - Interface\SharedXML\NineSlice.lua:84 PropagateLayoutSettingsToPieceLayout()
7/18 01:51:47.339 Interface\SharedXML\NineSlice.lua:387 ApplyLayout()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:378 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
7/18 01:51:47.339 Global variable TopLeftCorner tainted by totalRP3 - Interface\SharedXML\NineSlice.lua:76 GetNineSlicePiece()
7/18 01:51:47.339 Interface\SharedXML\NineSlice.lua:389 ApplyLayout()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:378 TestFrame:ApplyBackdrop()
7/18 01:51:47.339 Interface\SharedXML\Backdrop.lua:212
```
Later on, we can see that the PTR issue reporter gets tainted when one of the "Report Bug" or "Confused" buttons is clicked, as the frame created initializes a backdrop:
```
7/18 01:51:47.930 Execution tainted by totalRP3 while reading mirrorLayout - Interface\SharedXML\NineSlice.lua:83 PropagateLayoutSettingsToPieceLayout()
7/18 01:51:47.930 Interface\SharedXML\NineSlice.lua:387 ApplyLayout()
7/18 01:51:47.930 Interface\SharedXML\Backdrop.lua:378 <unnamed>:ApplyBackdrop()
7/18 01:51:47.930 Interface\SharedXML\Backdrop.lua:397 <unnamed>:SetBackdrop()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback_Frames.lua:781 AddBorder()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback_Frames.lua:744 CreateMainView()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback.lua:70 Init()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback.lua:602
7/18 01:51:47.930 Global variable mirrorLayout tainted by totalRP3 - Interface\SharedXML\NineSlice.lua:84 PropagateLayoutSettingsToPieceLayout()
7/18 01:51:47.930 Interface\SharedXML\NineSlice.lua:387 ApplyLayout()
7/18 01:51:47.930 Interface\SharedXML\Backdrop.lua:378 <unnamed>:ApplyBackdrop()
7/18 01:51:47.930 Interface\SharedXML\Backdrop.lua:397 <unnamed>:SetBackdrop()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback_Frames.lua:781 AddBorder()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback_Frames.lua:744 CreateMainView()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback.lua:70 Init()
7/18 01:51:47.930 Interface\AddOns\Blizzard_PTRFeedback\Blizzard_PTRFeedback.lua:602
```
A very basic reproducible test case can be found in the associated XML file below.
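The taint loop described in the report, modelled in plain Lua as an added example (this is not the issue author's test case, nor Blizzard's `NineSlice.lua`). WoW's taint tracking is a client-side runtime property that cannot be observed outside the game, so the block below tracks taint by hand: every field write on a tracked table records who performed it, including writes of `nil`, which plain Lua would otherwise just delete from the table. The function names mirror those in the log above, but their bodies are simplified guesses, and the shared-table layout and the `RunAs` helper are assumptions made for the example.

```lua
-- Added example: a hand-rolled model of taint propagation through a
-- shared layout table. Not Blizzard code, not the issue's XML test case.

local currentTainter = nil          -- nil means "executing securely"
local log = {}

local function logf(fmt, ...)
  log[#log + 1] = string.format(fmt, ...)
end

-- A table whose reads and writes go through taint bookkeeping. A nil
-- write is still recorded, together with who wrote it, which is the
-- behaviour the report attributes to the real client.
local function TrackedTable(name)
  local values, taint = {}, {}
  local proxy = {}
  setmetatable(proxy, {
    __index = function(_, key)
      local who = taint[key]
      if who and not currentTainter then
        currentTainter = who      -- secure reader picks up the taint
        logf("Execution tainted by %s while reading %s (%s)", who, key, name)
      end
      return values[key]
    end,
    __newindex = function(_, key, value)
      values[key] = value         -- may be nil ...
      taint[key] = currentTainter -- ... but still carries the writer's taint
      if currentTainter then
        logf("Field %s.%s tainted by %s", name, key, currentTainter)
      end
    end,
  })
  return proxy
end

-- Assumption: one layout table shared by every frame using this backdrop.
local sharedLayout = {
  TopLeftCorner = TrackedTable("TopLeftCorner"),
  Center        = TrackedTable("Center"),
}

-- Simplified stand-in for the branch the report points at: mirrorLayout
-- is never set on the piece, so the nil read from userLayout is copied
-- into the shared piece table on every call.
local function PropagateLayoutSettingsToPieceLayout(userLayout, pieceLayout)
  if pieceLayout.mirrorLayout == nil then
    pieceLayout.mirrorLayout = userLayout.mirrorLayout
  end
end

local function ApplyLayout(userLayout, layout)
  for _, pieceLayout in pairs(layout) do
    PropagateLayoutSettingsToPieceLayout(userLayout, pieceLayout)
  end
end

-- Assumed helper: run fn as the named addon (insecure) or, with nil, as
-- secure code; returns whoever the execution was tainted by at the end.
local function RunAs(who, fn)
  currentTainter = who
  fn()
  local endedAs = currentTainter
  currentTainter = nil
  return endedAs
end

local userLayout = TrackedTable("userLayout")   -- has no mirrorLayout key

-- 1. An addon applies a backdrop first; its nil write taints the shared pieces.
RunAs("totalRP3", function() ApplyLayout(userLayout, sharedLayout) end)

-- 2. Secure code applies a backdrop later and reads the tainted nil back,
--    so the secure execution ends up tainted and re-taints the field.
local endedAs = RunAs(nil, function() ApplyLayout(userLayout, sharedLayout) end)

for _, line in ipairs(log) do print(line) end
print("secure call ended tainted by: " .. tostring(endedAs))
```

Running it prints one "Field TopLeftCorner.mirrorLayout tainted by totalRP3" line per piece for the addon call, then "Execution tainted by totalRP3 while reading mirrorLayout" for the secure call, and the final line reports the secure call as tainted by totalRP3. The model only reproduces the mechanism the report describes; the real client's rules for when a read spreads taint are not public, so treat it as an illustration rather than a reproduction.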
I thought about it some more and came up with a possible fix: Stanzilla/WoWUIBugs#28 (comment)
If that snippet is loaded early in an addon (before any backdrops are assigned) it might clear the taint off the shared layout table. Similar approaches were used in the past for various UIDropDownMenu taint issues. I've not tested it extensively however.