kvakvs / BuffomatClassic

Maintained Buffomat addon for Classic World of Warcraft and Classic TBC.

Wrath: Global variable UIDROPDOWNMENU_MENU_LEVEL tainted by BuffomatClassic #104

Closed klingo closed 1 year ago

klingo commented 2 years ago

Steps to reproduce

  1. Disable all addons except BuffomatClassic (Version: 2022.10.5.1)
  2. Login to Wrath Classic
  3. Type /bom to open Buffomat window
  4. Click the cogwheel to open the settings dropdown, then close it again
  5. Open Blizzard Group Finder and create any listing

Chat will display: "Interface action failed because of an AddOn".

Blizzard taint.log will show:

11/1 00:00:45.049  Global variable UIDROPDOWNMENU_MENU_LEVEL tainted by BuffomatClassic - Interface\FrameXML\UIDropDownMenu.lua:40
11/1 00:00:45.049      securecall()
11/1 00:00:45.049      Interface\FrameXML\UIDropDownMenu.lua:74 UIDropDownMenu_Initialize()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Toolbox.lua:633 Show()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Ui/OptionsPopup.lua:162 Setup()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Buffomat.lua:198 BtnSettings()
11/1 00:00:45.049      BomC_MainWindow_SettingsButton:OnMouseDown()
11/1 00:00:45.049  Execution tainted by BuffomatClassic while reading UIDROPDOWNMENU_MENU_LEVEL - Interface\FrameXML\UIDropDownMenu.lua:890 UIDropDownMenu_GetSelectedID()
11/1 00:00:45.049      Interface\FrameXML\UIDropDownMenu.lua:550 UIDropDownMenu_AddButton()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Toolbox.lua:625 initFunction()
11/1 00:00:45.049      Interface\FrameXML\UIDropDownMenu.lua:79 UIDropDownMenu_Initialize()
11/1 00:00:45.049      Interface\FrameXML\UIDropDownMenu.lua:1094 ToggleDropDownMenu()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Toolbox.lua:635 Show()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Ui/OptionsPopup.lua:162 Setup()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Buffomat.lua:198 BtnSettings()
11/1 00:00:45.049      BomC_MainWindow_SettingsButton:OnMouseDown()
11/1 00:00:45.049  An action was blocked because of taint from BuffomatClassic - Search()
11/1 00:00:45.049      Interface\AddOns\Blizzard_LookingForGroupUI\Blizzard_LFGBrowse.lua:225 LFGBrowse_DoSearch()
11/1 00:00:45.049      Interface\AddOns\Blizzard_LookingForGroupUI\Blizzard_LFGBrowse.lua:178 LFGBrowseFrame:SearchActiveEntry()
11/1 00:00:45.049      Interface\AddOns\Blizzard_LookingForGroupUI\Blizzard_LFGParentFrame.lua:92 LFGParentFrame_SearchActiveEntry()
11/1 00:00:45.049      Interface\AddOns\Blizzard_LookingForGroupUI\Blizzard_LFGListing.lua:67

klingo commented 2 years ago

Hm, I just learned that this apparently is caused by a bug on Blizzard's side that has not been fixed in over three years now :/ --> https://github.com/Stanzilla/WoWUIBugs/issues/4

kvakvs commented 2 years ago

There is an Ace-based dropdown menu library, basically a tainted copy of the Blizzard UI dropdown menu, which can't taint any secure code because it's a copy. I will consider it at some point in the future.

klingo commented 2 years ago

Maybe https://www.wowinterface.com/downloads/info24408-LibUIDropDownMenu.html would help? According to the description this lib aims to avoid taints while still providing the UIDropDownMenu features.

kvakvs commented 1 year ago

I am now using a userspace copy of the dropdown menu code (I believe it is the one you linked).
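
Added example (not part of the issue thread or the addon's code): a small Python triage script for taint.log output like the excerpt in the report, linking each blocked action to the globals the blamed addon tainted and to the addon's own call site. The rule that event headers are indented two spaces and stack frames deeper is inferred from that excerpt and is an assumption.

```python
import re
from collections import defaultdict

# Lines copied from the taint.log excerpt in the report (trimmed to the relevant frames).
SAMPLE = r"""
11/1 00:00:45.049  Global variable UIDROPDOWNMENU_MENU_LEVEL tainted by BuffomatClassic - Interface\FrameXML\UIDropDownMenu.lua:40
11/1 00:00:45.049      securecall()
11/1 00:00:45.049      Interface\FrameXML\UIDropDownMenu.lua:74 UIDropDownMenu_Initialize()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Toolbox.lua:633 Show()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Ui/OptionsPopup.lua:162 Setup()
11/1 00:00:45.049  An action was blocked because of taint from BuffomatClassic - Search()
11/1 00:00:45.049      Interface\AddOns\Blizzard_LookingForGroupUI\Blizzard_LFGBrowse.lua:225 LFGBrowse_DoSearch()
"""

# Assumption: "<date> <time>" prefix, then 2 spaces for a header or more for a stack frame.
LINE = re.compile(r"^\S+ \S+( +)(.*)$")
TAINTED = re.compile(r"^Global variable (\S+) tainted by (\S+) - (.+)$")
BLOCKED = re.compile(r"^An action was blocked because of taint from (\S+) - (.+)$")

def parse_events(text):
    """Group the log into (header, [stack frames]) pairs using the indent depth."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        indent, body = len(m.group(1)), m.group(2)
        if indent <= 2 or not events:
            events.append((body, []))
        else:
            events[-1][1].append(body)
    return events

def triage(text):
    """For each blocked action, list the globals the blamed addon tainted and its call site."""
    tainted = defaultdict(list)  # addon -> [(global name, first addon-owned frame)]
    blocked = []
    for header, frames in parse_events(text):
        if m := TAINTED.match(header):
            var, addon, _where = m.groups()
            prefix = "Interface\\AddOns\\" + addon + "\\"
            site = next((f for f in frames if f.startswith(prefix)), None)
            tainted[addon].append((var, site))
        elif m := BLOCKED.match(header):
            blocked.append({"addon": m.group(1), "action": m.group(2)})
    for b in blocked:
        b["tainted_globals"] = tainted.get(b["addon"], [])
    return blocked
```

Run over the sample, `triage(SAMPLE)` ties the blocked `Search()` call back to the `UIDROPDOWNMENU_MENU_LEVEL` write that entered Blizzard code from `Toolbox.lua:633`.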