From 3d8333a8de96ce0f86fab92b3077ca77a64e8101 Mon Sep 17 00:00:00 2001 From: Phil Ringnalda Date: Tue, 29 May 2012 23:27:40 -0700 Subject: [PATCH] Bug 758990 - Don't create feed URIs that inherit security context, r=gavin --- browser/components/feeds/src/FeedConverter.js | 11 +++-- .../components/feeds/test/unit/test_355473.js | 4 +- .../components/feeds/test/unit/test_758990.js | 42 +++++++++++++++++++ .../components/feeds/test/unit/xpcshell.ini | 1 + 4 files changed, 52 insertions(+), 6 deletions(-) create mode 100644 browser/components/feeds/test/unit/test_758990.js diff --git a/browser/components/feeds/src/FeedConverter.js b/browser/components/feeds/src/FeedConverter.js index 73d708ad1128..a51996837a95 100644 --- a/browser/components/feeds/src/FeedConverter.js +++ b/browser/components/feeds/src/FeedConverter.js @@ -525,14 +525,19 @@ GenericProtocolHandler.prototype = { var scheme = this._scheme + ":"; if (spec.substr(0, scheme.length) != scheme) - throw Components.results.NS_ERROR_MALFORMED_URI; + throw Cr.NS_ERROR_MALFORMED_URI; var prefix = spec.substr(scheme.length, 2) == "//" ? "http:" : ""; var inner = Cc["@mozilla.org/network/io-service;1"]. getService(Ci.nsIIOService).newURI(spec.replace(scheme, prefix), originalCharset, baseURI); - var uri = Cc["@mozilla.org/network/util;1"]. - getService(Ci.nsINetUtil).newSimpleNestedURI(inner); + var netutil = Cc["@mozilla.org/network/util;1"].getService(Ci.nsINetUtil); + const URI_INHERITS_SECURITY_CONTEXT = Ci.nsIProtocolHandler + .URI_INHERITS_SECURITY_CONTEXT; + if (netutil.URIChainHasFlags(inner, URI_INHERITS_SECURITY_CONTEXT)) + throw Cr.NS_ERROR_MALFORMED_URI; + + var uri = netutil.newSimpleNestedURI(inner); uri.spec = inner.spec.replace(prefix, scheme); return uri; }, diff --git a/browser/components/feeds/test/unit/test_355473.js b/browser/components/feeds/test/unit/test_355473.js index 0b337a927906..54900a5a7ee8 100644 --- a/browser/components/feeds/test/unit/test_355473.js +++ b/browser/components/feeds/test/unit/test_355473.js @@ -1,5 +1,3 @@ -const NS_ERROR_MALFORMED_URI = 0x804B000A; - function run_test() { var feedFeedURI = ios.newURI("feed://example.com/feed.xml", null, null); var httpFeedURI = ios.newURI("feed:http://example.com/feed.xml", null, null); @@ -23,7 +21,7 @@ function run_test() { do_check_true(httpURI.equals(httpChannel.URI)); do_check_true(httpsURI.equals(httpsChannel.URI)); - var dataFeedURI = ios.newURI("feed:data:text/xml,", null, null); + // check that we don't throw creating feed: URIs from file and ftp var ftpFeedURI = ios.newURI("feed:ftp://example.com/feed.xml", null, null); var fileFeedURI = ios.newURI("feed:file:///var/feed.xml", null, null); } diff --git a/browser/components/feeds/test/unit/test_758990.js b/browser/components/feeds/test/unit/test_758990.js new file mode 100644 index 000000000000..3a1dde770594 --- /dev/null +++ b/browser/components/feeds/test/unit/test_758990.js @@ -0,0 +1,42 @@ +function run_test() { + var success = false; + try { + var newURI = ios.newURI("feed:javascript:alert('hi');", null, null); + } + catch (e) { + success = e.result == Cr.NS_ERROR_MALFORMED_URI; + } + if (!success) + do_throw("We didn't throw NS_ERROR_MALFORMED_URI creating a feed:javascript: URI"); + + success = false; + try { + newURI = ios.newURI("feed:data:text/html,hi", null, null); + } + catch (e) { + success = e.result == Cr.NS_ERROR_MALFORMED_URI; + } + if (!success) + do_throw("We didn't throw NS_ERROR_MALFORMED_URI creating a feed:data: URI"); + + success = false; + try { + newURI = ios.newURI("pcast:javascript:alert('hi');", null, null); + } + catch (e) { + success = e.result == Cr.NS_ERROR_MALFORMED_URI; + } + if (!success) + do_throw("We didn't throw NS_ERROR_MALFORMED_URI creating a pcast:javascript: URI"); + + success = false; + try { + newURI = ios.newURI("pcast:data:text/html,hi", null, null); + } + catch (e) { + success = e.result == Cr.NS_ERROR_MALFORMED_URI; + } + if (!success) + do_throw("We didn't throw NS_ERROR_MALFORMED_URI creating a pcast:data: URI"); + +} diff --git a/browser/components/feeds/test/unit/xpcshell.ini b/browser/components/feeds/test/unit/xpcshell.ini index 4300140dc73e..ec16259754f9 100644 --- a/browser/components/feeds/test/unit/xpcshell.ini +++ b/browser/components/feeds/test/unit/xpcshell.ini @@ -3,3 +3,4 @@ head = head_feeds.js tail = [test_355473.js] +[test_758990.js]