Wrath: Global variable UIDROPDOWNMENU_MENU_LEVEL tainted by BuffomatClassic

Question

Wrath: Global variable UIDROPDOWNMENU_MENU_LEVEL tainted by BuffomatClassic

klingo opened this issue 2 years ago · 4 comments

klingo commented 2 years ago

Steps to reproduce

Disable all addons except BuffomatClassic (Version: 2022.10.5.1)
Login to Wrath Classic
Type /bom to open Buffomat window
Click the cogwheel to open the settings dropdown, then close it again
Open Blizzard Group Finder and create any listing

Chat will display: "Interface action failed because of an AddOn".

Blizzard taint.log will show:

11/1 00:00:45.049  Global variable UIDROPDOWNMENU_MENU_LEVEL tainted by BuffomatClassic - Interface\FrameXML\UIDropDownMenu.lua:40
11/1 00:00:45.049      securecall()
11/1 00:00:45.049      Interface\FrameXML\UIDropDownMenu.lua:74 UIDropDownMenu_Initialize()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Toolbox.lua:633 Show()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Ui/OptionsPopup.lua:162 Setup()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Buffomat.lua:198 BtnSettings()
11/1 00:00:45.049      BomC_MainWindow_SettingsButton:OnMouseDown()
11/1 00:00:45.049  Execution tainted by BuffomatClassic while reading UIDROPDOWNMENU_MENU_LEVEL - Interface\FrameXML\UIDropDownMenu.lua:890 UIDropDownMenu_GetSelectedID()
11/1 00:00:45.049      Interface\FrameXML\UIDropDownMenu.lua:550 UIDropDownMenu_AddButton()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Toolbox.lua:625 initFunction()
11/1 00:00:45.049      Interface\FrameXML\UIDropDownMenu.lua:79 UIDropDownMenu_Initialize()
11/1 00:00:45.049      Interface\FrameXML\UIDropDownMenu.lua:1094 ToggleDropDownMenu()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Toolbox.lua:635 Show()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Ui/OptionsPopup.lua:162 Setup()
11/1 00:00:45.049      Interface\AddOns\BuffomatClassic\Src/Buffomat.lua:198 BtnSettings()
11/1 00:00:45.049      BomC_MainWindow_SettingsButton:OnMouseDown()
11/1 00:00:45.049  An action was blocked because of taint from BuffomatClassic - Search()
11/1 00:00:45.049      Interface\AddOns\Blizzard_LookingForGroupUI\Blizzard_LFGBrowse.lua:225 LFGBrowse_DoSearch()
11/1 00:00:45.049      Interface\AddOns\Blizzard_LookingForGroupUI\Blizzard_LFGBrowse.lua:178 LFGBrowseFrame:SearchActiveEntry()
11/1 00:00:45.049      Interface\AddOns\Blizzard_LookingForGroupUI\Blizzard_LFGParentFrame.lua:92 LFGParentFrame_SearchActiveEntry()
11/1 00:00:45.049      Interface\AddOns\Blizzard_LookingForGroupUI\Blizzard_LFGListing.lua:67

klingo · Answer 1 · 2022-10-31T23:37:07.000Z

Hm, I just learned that this apparently is caused by a bug on Blizzard side that has not been fixed in over three years now :/
--> Stanzilla/WoWUIBugs#4

kvakvs · Answer 2 · 2022-11-16T01:09:38.000Z

There is Ace-based dropdown menu library basically a tainted copy of Blizzard UI dropdown menu which can't taint any secure code because it;s; a copy. I will consider it at some pont in the future.

klingo · Answer 3 · 2022-11-19T20:19:29.000Z

Maybe https://www.wowinterface.com/downloads/info24408-LibUIDropDownMenu.html would help? According to the description this lib aims to avoid taints while still providing the UIDropDownMenu features.

kvakvs · Answer 4 · 2022-12-06T04:59:11.000Z

I am now using userspace copy of dropdown menu code (i believe it is the one you linked)

Share to