Wrath: Global variable UIDROPDOWNMENU_MENU_LEVEL tainted by BuffomatClassic
klingo opened this issue · 4 comments
Steps to reproduce
- Disable all addons except BuffomatClassic (Version: 2022.10.5.1)
- Login to Wrath Classic
- Type /bom to open Buffomat window
- Click the cogwheel to open the settings dropdown, then close it again
- Open Blizzard Group Finder and create any listing
Chat will display: "Interface action failed because of an AddOn".
Blizzard taint.log will show:
11/1 00:00:45.049 Global variable UIDROPDOWNMENU_MENU_LEVEL tainted by BuffomatClassic - Interface\FrameXML\UIDropDownMenu.lua:40
11/1 00:00:45.049 securecall()
11/1 00:00:45.049 Interface\FrameXML\UIDropDownMenu.lua:74 UIDropDownMenu_Initialize()
11/1 00:00:45.049 Interface\AddOns\BuffomatClassic\Src/Toolbox.lua:633 Show()
11/1 00:00:45.049 Interface\AddOns\BuffomatClassic\Src/Ui/OptionsPopup.lua:162 Setup()
11/1 00:00:45.049 Interface\AddOns\BuffomatClassic\Src/Buffomat.lua:198 BtnSettings()
11/1 00:00:45.049 BomC_MainWindow_SettingsButton:OnMouseDown()
11/1 00:00:45.049 Execution tainted by BuffomatClassic while reading UIDROPDOWNMENU_MENU_LEVEL - Interface\FrameXML\UIDropDownMenu.lua:890 UIDropDownMenu_GetSelectedID()
11/1 00:00:45.049 Interface\FrameXML\UIDropDownMenu.lua:550 UIDropDownMenu_AddButton()
11/1 00:00:45.049 Interface\AddOns\BuffomatClassic\Src/Toolbox.lua:625 initFunction()
11/1 00:00:45.049 Interface\FrameXML\UIDropDownMenu.lua:79 UIDropDownMenu_Initialize()
11/1 00:00:45.049 Interface\FrameXML\UIDropDownMenu.lua:1094 ToggleDropDownMenu()
11/1 00:00:45.049 Interface\AddOns\BuffomatClassic\Src/Toolbox.lua:635 Show()
11/1 00:00:45.049 Interface\AddOns\BuffomatClassic\Src/Ui/OptionsPopup.lua:162 Setup()
11/1 00:00:45.049 Interface\AddOns\BuffomatClassic\Src/Buffomat.lua:198 BtnSettings()
11/1 00:00:45.049 BomC_MainWindow_SettingsButton:OnMouseDown()
11/1 00:00:45.049 An action was blocked because of taint from BuffomatClassic - Search()
11/1 00:00:45.049 Interface\AddOns\Blizzard_LookingForGroupUI\Blizzard_LFGBrowse.lua:225 LFGBrowse_DoSearch()
11/1 00:00:45.049 Interface\AddOns\Blizzard_LookingForGroupUI\Blizzard_LFGBrowse.lua:178 LFGBrowseFrame:SearchActiveEntry()
11/1 00:00:45.049 Interface\AddOns\Blizzard_LookingForGroupUI\Blizzard_LFGParentFrame.lua:92 LFGParentFrame_SearchActiveEntry()
11/1 00:00:45.049 Interface\AddOns\Blizzard_LookingForGroupUI\Blizzard_LFGListing.lua:67
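As an added example (not part of the original issue and not BuffomatClassic's own code), here is a small Python parser for taint.log excerpts like the one above. It groups lines into taint events and links each blocked action to the tainted globals and the addon call sites in the stacks. The function names and the trimmed sample are constructed for illustration, and the line formats are assumed from the excerpt above.

```python
import re

# Constructed sample: a trimmed subset of the taint.log lines quoted in the report.
SAMPLE = r"""11/1 00:00:45.049 Global variable UIDROPDOWNMENU_MENU_LEVEL tainted by BuffomatClassic - Interface\FrameXML\UIDropDownMenu.lua:40
11/1 00:00:45.049 securecall()
11/1 00:00:45.049 Interface\FrameXML\UIDropDownMenu.lua:74 UIDropDownMenu_Initialize()
11/1 00:00:45.049 Interface\AddOns\BuffomatClassic\Src/Toolbox.lua:633 Show()
11/1 00:00:45.049 Execution tainted by BuffomatClassic while reading UIDROPDOWNMENU_MENU_LEVEL - Interface\FrameXML\UIDropDownMenu.lua:890 UIDropDownMenu_GetSelectedID()
11/1 00:00:45.049 Interface\AddOns\BuffomatClassic\Src/Toolbox.lua:625 initFunction()
11/1 00:00:45.049 An action was blocked because of taint from BuffomatClassic - Search()
11/1 00:00:45.049 Interface\AddOns\Blizzard_LookingForGroupUI\Blizzard_LFGBrowse.lua:225 LFGBrowse_DoSearch()
"""

STAMP = re.compile(r"^\d+/\d+ \d+:\d+:\d+\.\d+\s+")
HEADERS = [  # (event kind, header pattern); every other line is a stack frame
    ("global_tainted", re.compile(r"^Global variable (?P<var>\S+) tainted by (?P<addon>\S+) - ")),
    ("execution_tainted", re.compile(r"^Execution tainted by (?P<addon>\S+) while reading (?P<var>\S+) - ")),
    ("action_blocked", re.compile(r"^An action was blocked because of taint from (?P<addon>\S+) - (?P<action>.+)$")),
]
ADDON_FRAME = re.compile(r"^Interface\\AddOns\\(?P<addon>[^\\/]+)[\\/](?P<site>\S+:\d+)")

def parse_taint_log(text):
    """Split a taint.log excerpt into events, each with the stack frames under it."""
    events = []
    for raw in text.splitlines():
        line = STAMP.sub("", raw.strip())
        for kind, rx in HEADERS:
            m = rx.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict(), "frames": []})
                break
        else:  # no header matched: attach the line to the current event's stack
            if events and line:
                events[-1]["frames"].append(line)
    return events

def summarize(text):
    """For each blocked action, list the globals the blamed addon tainted and its call sites."""
    events = parse_taint_log(text)
    report = []
    for ev in (e for e in events if e["kind"] == "action_blocked"):
        related = [e for e in events if e["kind"] != "action_blocked" and e["addon"] == ev["addon"]]
        frames = (ADDON_FRAME.match(f) for e in related for f in e["frames"])
        sites = [m["site"] for m in frames if m and m["addon"] == ev["addon"]]
        report.append({"addon": ev["addon"], "action": ev["action"],
                       "globals": sorted({e["var"] for e in related}), "call_sites": sites})
    return report
```

Calling `summarize()` on the contents of a taint.log gives one entry per blocked action, which makes it quick to see which addon source lines to inspect first.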
Hm, I just learned that this apparently is caused by a bug on Blizzard side that has not been fixed in over three years now :/
--> Stanzilla/WoWUIBugs#4
There is an Ace-based dropdown menu library, basically a tainted copy of the Blizzard UI dropdown menu, which can't taint any secure code because it's a copy. I will consider it at some point in the future.
Maybe https://www.wowinterface.com/downloads/info24408-LibUIDropDownMenu.html would help? According to the description this lib aims to avoid taints while still providing the UIDropDownMenu features.