From 1a94b0ebf37eaeee41263f95c501e540a07fe760 Mon Sep 17 00:00:00 2001
From: "roc+%cs.cmu.edu"
Date: Sun, 26 Mar 2006 20:59:03 +0000
Subject: [PATCH] Bug 326501. Mark tree views as being suitable for untrusted code. r+sr=bzbarsky
---
 content/base/src/nsContentUtils.cpp | 3 ---
 content/xul/templates/src/nsXULTreeBuilder.cpp | 4 +++-
 extensions/sql/base/src/mozSqlResult.h | 4 +++-
 layout/xul/base/src/tree/public/nsITreeView.idl | 11 +++++++++++
 layout/xul/base/src/tree/src/nsTreeBoxObject.cpp | 10 ++++++++++
 layout/xul/base/src/tree/src/nsTreeContentView.h | 4 +++-
 6 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/content/base/src/nsContentUtils.cpp b/content/base/src/nsContentUtils.cpp
index d29c86e5eb95..10884fe867f0 100644
--- a/content/base/src/nsContentUtils.cpp
+++ b/content/base/src/nsContentUtils.cpp
@@ -1020,9 +1020,6 @@ nsContentUtils::IsCallerChrome()
 static PRBool
 IsCallerTrustedForCapability(const char* aCapability)
 {
- if (nsContentUtils::IsCallerChrome())
- return PR_TRUE;
-
 // The secman really should handle UniversalXPConnect case, since that
 // should include UniversalBrowserRead... doesn't right now, though.
 PRBool hasCap;
diff --git a/content/xul/templates/src/nsXULTreeBuilder.cpp b/content/xul/templates/src/nsXULTreeBuilder.cpp
index 9968b6c2ff6c..060754276dba 100644
--- a/content/xul/templates/src/nsXULTreeBuilder.cpp
+++ b/content/xul/templates/src/nsXULTreeBuilder.cpp
@@ -74,7 +74,7 @@
 */
 class nsXULTreeBuilder : public nsXULTemplateBuilder,
 public nsIXULTreeBuilder,
- public nsITreeView
+ public nsINativeTreeView
 {
 public:
 // nsISupports
@@ -85,6 +85,8 @@ public:
 // nsITreeView
 NS_DECL_NSITREEVIEW
+ // nsINativeTreeView: Untrusted code can use us
+ NS_IMETHOD EnsureNative() { return NS_OK; }
 virtual void DocumentWillBeDestroyed(nsIDocument *aDocument);
diff --git a/extensions/sql/base/src/mozSqlResult.h b/extensions/sql/base/src/mozSqlResult.h
index 7c352fa4e382..7af2e1362e8d 100644
--- a/extensions/sql/base/src/mozSqlResult.h
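Review bot: Dropping the `IsCallerChrome()` shortcut leaves `IsCallerTrustedForCapability` relying entirely on the security manager's capability check, but the surviving comment only explains the UniversalXPConnect gap, not why chrome callers no longer need the fast path, and the change is not mentioned in the commit subject, which is about tree views. Since this helper presumably backs the `IsCallerTrustedForWrite()` call that the new `SetView` gate depends on, a one-line comment such as `// Chrome (system-principal) callers are expected to pass the secman capability check below; no separate IsCallerChrome() shortcut` would record the intent. Whether the secman also treats a native caller with no JS on the stack as trusted is not visible here and should be confirmed, because it decides whether native callers of `SetView` are gated at all. The function's body continues past the end of the hunk.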
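Review bot: The new `SetView` gate only admits a view whose `do_QueryInterface` to nsINativeTreeView succeeds, and changing the base class to `nsINativeTreeView` does not by itself add that IID to the class's QueryInterface table; the diffstat shows no change to the `.cpp` interface maps of nsXULTreeBuilder, mozSqlResult or nsTreeContentView. If those maps still list only `nsITreeView`, the QI fails and untrusted callers get NS_ERROR_DOM_SECURITY_ERR for exactly the views this patch intends to allow — a fail-closed outcome, but one that would break content. Each class's map should gain an `nsINativeTreeView` entry (an `NS_INTERFACE_MAP_ENTRY(nsINativeTreeView)` or its equivalent) next to `nsITreeView`, or the added `// nsINativeTreeView: Untrusted code can use us` comment should state where the interface map was updated. The same point applies to the mozSqlResult.h and nsTreeContentView.h hunks.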
+++ b/extensions/sql/base/src/mozSqlResult.h
@@ -293,7 +293,7 @@ class mozSqlResult : public mozISqlResult,
 public mozISqlDataSource,
 public nsIRDFDataSource,
 public nsIRDFRemoteDataSource,
- public nsITreeView
+ public nsINativeTreeView
 {
 public:
 mozSqlResult(mozISqlConnection* aConnection,
@@ -328,6 +328,8 @@ class mozSqlResult : public mozISqlResult,
 NS_DECL_NSIRDFREMOTEDATASOURCE
 NS_DECL_NSITREEVIEW
+ // nsINativeTreeView: Untrusted code can use us
+ NS_IMETHOD EnsureNative() { return NS_OK; }
 friend class mozSqlResultEnumerator;
 friend class mozSqlResultStream;
diff --git a/layout/xul/base/src/tree/public/nsITreeView.idl b/layout/xul/base/src/tree/public/nsITreeView.idl
index 4a0c6e731784..12fc88cb28bf 100644
--- a/layout/xul/base/src/tree/public/nsITreeView.idl
+++ b/layout/xul/base/src/tree/public/nsITreeView.idl
@@ -225,3 +225,14 @@ interface nsITreeView : nsISupports
 */
 void performActionOnCell(in wstring action, in long row, in nsITreeColumn col);
 };
+
+/**
+ * The following interface is not scriptable and MUST NEVER BE MADE scriptable.
+ * Native treeviews implement it, and we use this to check whether a treeview
+ * is native (and therefore suitable for use by untrusted content).
+ */
+[uuid(38e0b44d-fa08-458c-83fb-3e10b12aeb45)]
+interface nsINativeTreeView : nsITreeView
+{
+ [noscript] void ensureNative();
+};
diff --git a/layout/xul/base/src/tree/src/nsTreeBoxObject.cpp b/layout/xul/base/src/tree/src/nsTreeBoxObject.cpp
index 7a1d5743d82c..893546f44b5f 100644
--- a/layout/xul/base/src/tree/src/nsTreeBoxObject.cpp
+++ b/layout/xul/base/src/tree/src/nsTreeBoxObject.cpp
@@ -49,6 +49,8 @@
 #include "nsINodeInfo.h"
 #include "nsXULAtoms.h"
 #include "nsChildIterator.h"
+#include "nsContentUtils.h"
+#include "nsDOMError.h"
 class nsTreeBoxObject : public nsPITreeBoxObject, public nsBoxObject
 {
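Review bot: The doc comment says the interface must never be made scriptable, but not why that is the security property: as far as I understand XPConnect, a JS-implemented object can only be handed out through interfaces it is willing to wrap, so a successful QI to a non-`[scriptable]` interface (with `ensureNative` itself `[noscript]`) is what proves the view is native code. The comment also does not say what `ensureNative()` adds over the QI succeeding, which is what `nsTreeBoxObject::SetView` checks first; if it is intended as a second check against proxies or tearoffs that forward QI, that should be stated so nobody later "simplifies" it away. Suggested addition to the comment block: `* A JS-implemented view can never be QI'd to this interface, so a successful QI plus ensureNative() is the proof of nativeness that nsTreeBoxObject::SetView relies on; keep both.`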
@@ -172,6 +174,14 @@ NS_IMETHODIMP nsTreeBoxObject::GetView(nsITreeView * *aView)
 NS_IMETHODIMP nsTreeBoxObject::SetView(nsITreeView * aView)
 {
+ // Untrusted content is only allowed to specify known-good views
+ if (!nsContentUtils::IsCallerTrustedForWrite()) {
+ nsCOMPtr nativeTreeView = do_QueryInterface(aView);
+ if (!nativeTreeView || NS_FAILED(nativeTreeView->EnsureNative()))
+ // XXX ERRMSG need a good error here for developers
+ return NS_ERROR_DOM_SECURITY_ERR;
+ }
+
 nsITreeBoxObject* body = GetTreeBody();
 if (body) {
 body->SetView(aView);
diff --git a/layout/xul/base/src/tree/src/nsTreeContentView.h b/layout/xul/base/src/tree/src/nsTreeContentView.h
index 353827440295..d9046f98eddd 100644
--- a/layout/xul/base/src/tree/src/nsTreeContentView.h
+++ b/layout/xul/base/src/tree/src/nsTreeContentView.h
@@ -50,7 +50,7 @@
 nsresult NS_NewTreeContentView(nsITreeContentView** aResult);
-class nsTreeContentView : public nsITreeView,
+class nsTreeContentView : public nsINativeTreeView,
 public nsITreeContentView,
 public nsStubDocumentObserver
 {
@@ -64,6 +64,8 @@ class nsTreeContentView : public nsITreeView,
 NS_DECL_ISUPPORTS
 NS_DECL_NSITREEVIEW
+ // nsINativeTreeView: Untrusted code can use us
+ NS_IMETHOD EnsureNative() { return NS_OK; }
 NS_DECL_NSITREECONTENTVIEW
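Review bot: The gate rejects a null `aView` for untrusted callers, because `do_QueryInterface` on a null view yields a null `nativeTreeView` and the condition then returns NS_ERROR_DOM_SECURITY_ERR; if content is expected to be able to clear a view, the check should skip null explicitly, e.g. `if (aView && !nsContentUtils::IsCallerTrustedForWrite()) {`, since an absent view is not an attacker-supplied one — failing closed for everything else is the right default. The `// XXX ERRMSG need a good error here for developers` line should not ship as-is: a page author who hits this gets a bare security error with no indication that only native views are accepted, so either report the reason (e.g. to the error console) or turn the XXX into a tracked follow-up referencing the bug. `SetView` continues past the end of the hunk.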