Bug 758990 - Don't create feed URIs that inherit security context, r=gavin

browser/components/feeds/src/FeedConverter.js

@@ -525,14 +525,19 @@ GenericProtocolHandler.prototype = {
 
     var scheme = this._scheme + ":";
     if (spec.substr(0, scheme.length) != scheme)
-      throw Components.results.NS_ERROR_MALFORMED_URI;
+      throw Cr.NS_ERROR_MALFORMED_URI;
 
     var prefix = spec.substr(scheme.length, 2) == "//" ? "http:" : "";
     var inner = Cc["@mozilla.org/network/io-service;1"].
                 getService(Ci.nsIIOService).newURI(spec.replace(scheme, prefix),
                                                    originalCharset, baseURI);
-    var uri = Cc["@mozilla.org/network/util;1"].
-              getService(Ci.nsINetUtil).newSimpleNestedURI(inner);
+    var netutil = Cc["@mozilla.org/network/util;1"].getService(Ci.nsINetUtil);
+    const URI_INHERITS_SECURITY_CONTEXT = Ci.nsIProtocolHandler
+                                            .URI_INHERITS_SECURITY_CONTEXT;
+    if (netutil.URIChainHasFlags(inner, URI_INHERITS_SECURITY_CONTEXT))
+      throw Cr.NS_ERROR_MALFORMED_URI;
+
+    var uri = netutil.newSimpleNestedURI(inner);
     uri.spec = inner.spec.replace(prefix, scheme);
     return uri;
   },

browser/components/feeds/test/unit/test_355473.js

@@ -1,5 +1,3 @@
-const NS_ERROR_MALFORMED_URI = 0x804B000A;
-
 function run_test() {
   var feedFeedURI = ios.newURI("feed://example.com/feed.xml", null, null);
   var httpFeedURI = ios.newURI("feed:http://example.com/feed.xml", null, null);
@@ -23,7 +21,7 @@ function run_test() {
   do_check_true(httpURI.equals(httpChannel.URI));
   do_check_true(httpsURI.equals(httpsChannel.URI));
 
-  var dataFeedURI = ios.newURI("feed:data:text/xml,<rss/>", null, null);
+  // check that we don't throw creating feed: URIs from file and ftp
   var ftpFeedURI = ios.newURI("feed:ftp://example.com/feed.xml", null, null);
   var fileFeedURI = ios.newURI("feed:file:///var/feed.xml", null, null);
 }

browser/components/feeds/test/unit/test_758990.js

@@ -0,0 +1,42 @@
+function run_test() {
+  var success = false;
+  try {
+    var newURI = ios.newURI("feed:javascript:alert('hi');", null, null);
+  }
+  catch (e) {
+    success = e.result == Cr.NS_ERROR_MALFORMED_URI;
+  }
+  if (!success)
+    do_throw("We didn't throw NS_ERROR_MALFORMED_URI creating a feed:javascript: URI");
+
+  success = false;
+  try {
+    newURI = ios.newURI("feed:data:text/html,hi", null, null);
+  }
+  catch (e) {
+    success = e.result == Cr.NS_ERROR_MALFORMED_URI;
+  }
+  if (!success)
+    do_throw("We didn't throw NS_ERROR_MALFORMED_URI creating a feed:data: URI");
+
+  success = false;
+  try {
+    newURI = ios.newURI("pcast:javascript:alert('hi');", null, null);
+  }
+  catch (e) {
+    success = e.result == Cr.NS_ERROR_MALFORMED_URI;
+  }
+  if (!success)
+    do_throw("We didn't throw NS_ERROR_MALFORMED_URI creating a pcast:javascript: URI");
+
+  success = false;
+  try {
+    newURI = ios.newURI("pcast:data:text/html,hi", null, null);
+  }
+  catch (e) {
+    success = e.result == Cr.NS_ERROR_MALFORMED_URI;
+  }
+  if (!success)
+    do_throw("We didn't throw NS_ERROR_MALFORMED_URI creating a pcast:data: URI");
+
+}

browser/components/feeds/test/unit/xpcshell.ini

@@ -3,3 +3,4 @@ head = head_feeds.js
 tail = 
 
 [test_355473.js]
+[test_758990.js]