TaintLess: Edit Mode systems tainted by dropdown misuse

Entering Edit Mode while the UIDropDownMenu infrastructure is tainted (i.e. the last dropdown was not opened/initialized securely) will taint all systems registered for Edit Mode.

Status: fixed in 11.0 (by migrating FrameXML to a another menu implementation).

To reproduce

  1. Run the following macro:
    Patch 10.0.2
    /run EasyMenu({{text="boo"}}, UIParent, UIParent, 0, 0) /click GameMenuButtonEditMode
  2. Exit Edit Mode, change action bar pages (e.g. /changeactionbar 2), trigger any ability using the main action bar.
    *** ForceTaint_Strong *** has been blocked from an action only available to the Blizzard UI. You can disable this addon and reload the UI.
    Interface/FrameXML/ActionButton.lua:1071 UpdateFlyout() An action was blocked because of taint from *** ForceTaint_Strong *** - UseAction() Interface/FrameXML/SecureTemplates.lua:364 handler() Interface/FrameXML/SecureTemplates.lua:690 PerformAction() Interface/FrameXML/SecureTemplates.lua:704 OnActionButtonClick() Interface/FrameXML/SecureTemplates.lua:746 SecureActionButton_OnClick() Interface/FrameXML/ActionButton.lua:109 TryUseActionButton() Interface/FrameXML/ActionButton.lua:144 ActionButtonDown() ACTIONBUTTON1:2

How this gets tainted

  1. EditModeManagerFrameMixin​:EnterEditMode calls EditModeManagerFrameMixin​:UpdateDropdownOptions, which calls DropDownControlMixin​:SetOptions, which calls DropDownControlMixin​:Initialize, which calls UIDropDownMenu​_AddButton.
  2. As no dropdown has been initialized up to this point, this will append buttons to somebody else's menu. This requires accessing potentially-tainted DropDownList1​.numButtons and DropDownList1​.maxWidth keys, as well as the UIDROPDOWNMENU​_MENU_LEVEL global (via UIDropDownMenu​_GetSelectedID).
  3. EditModeManagerFrameMixin​:EnterEditMode then calls EditModeManagerFrameMixin​:ShowSystemSelections, which iterates over all registered systems and calls their OnEditModeEnter methods.

How this can be fixed

  1. DropDownControlMixin​:SetOptions should probably use UIDropDownMenu​_Initialize to call DropDownControlMixin​:Initialize instead of calling it directly.

AddOn workaround

This issue is mitigated by TaintLess.