Bug 628747: (patch v2) Disallow SVG-as-an-image from loading external resources, unless we're sure they won't hit the network. r=bz r=roc a=roc

This commit is contained in:
Daniel Holbert 2011-01-28 07:59:15 -08:00
parent 35983e2c7f
commit 6784da77e1
12 changed files with 98 additions and 0 deletions


@ -42,6 +42,8 @@
*/
#include "nsDataDocumentContentPolicy.h"
#include "nsNetUtil.h"
#include "nsScriptSecurityManager.h"
#include "nsIDocument.h"
#include "nsINode.h"
#include "nsIDOMWindow.h"
@ -84,6 +86,32 @@ nsDataDocumentContentPolicy::ShouldLoad(PRUint32 aContentType,
return NS_OK;
}
// Allow local resources for SVG-as-an-image documents, but disallow
// everything else, to prevent data leakage
if (doc->IsBeingUsedAsImage()) {
PRBool hasFlags;
nsresult rv = NS_URIChainHasFlags(aContentLocation,
nsIProtocolHandler::URI_IS_LOCAL_RESOURCE,
&hasFlags);
if (NS_FAILED(rv) || !hasFlags) {
// resource is not local (or we couldn't tell) - reject!
*aDecision = nsIContentPolicy::REJECT_TYPE;
// report error, if we can.
if (node) {
nsIPrincipal* requestingPrincipal = node->NodePrincipal();
nsRefPtr<nsIURI> principalURI;
rv = requestingPrincipal->GetURI(getter_AddRefs(principalURI));
if (NS_SUCCEEDED(rv) && principalURI) {
nsScriptSecurityManager::ReportError(
nsnull, NS_LITERAL_STRING("CheckSameOriginError"), principalURI,
aContentLocation);
}
}
}
return NS_OK;
}
// Allow all loads for non-external-resource documents
if (!doc->GetDisplayDocument()) {
return NS_OK;
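Review bot: `nsRefPtr<nsIURI> principalURI;` in the error-reporting branch holds an XPCOM interface in the smart pointer meant for concrete refcounted classes; the conventional holder for an interface is `nsCOMPtr<nsIURI> principalURI;`, with the `getter_AddRefs` call unchanged. The rejection itself is fail-closed (a failed `NS_URIChainHasFlags` is rejected the same as a non-local URI), which is the right default for a data-leak check, but the `IsBeingUsedAsImage()` branch would benefit from a comment stating why the flag is the criterion, e.g. `// Only a URI whose whole chain carries URI_IS_LOCAL_RESOURCE is guaranteed never to touch the network; anything else (or an error) is rejected.`. The reported message name `CheckSameOriginError` describes a same-origin failure rather than this local-only restriction, which may mislead anyone debugging a blocked SVG-image subresource from the console. ShouldLoad begins before this hunk and continues after it.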


@ -0,0 +1,4 @@
<svg xmlns="http://www.w3.org/2000/svg" version="1.1"
width="100" height="100">
<rect width="100%" height="100%" fill="blue"/>
</svg>



@ -88,3 +88,13 @@ random-if(cocoaWidget&&layersGPUAccelerated) random-if(d2d) == img-width-slice-2
== svg-image-recursive-1b.svg svg-image-recursive-1-ref.svg
== svg-image-recursive-2a.svg svg-image-recursive-2-ref.svg
== svg-image-recursive-2b.html svg-image-recursive-2-ref.svg
# tests for external resources vs. data URIs in SVG as an image
== svg-image-datauri-1.html lime100x100.svg
HTTP == svg-image-datauri-1.html lime100x100.svg
== svg-image-external-1.html lime100x100.svg
HTTP == svg-image-external-1.html blue100x100.svg
== svg-stylesheet-datauri-1.html lime100x100.svg
HTTP == svg-stylesheet-datauri-1.html lime100x100.svg
== svg-stylesheet-external-1.html lime100x100.svg
HTTP == svg-stylesheet-external-1.html blue100x100.svg


@ -0,0 +1,5 @@
<html>
<body style="margin: 0">
<img src="svg-image-datauri.svg">
</body>
</html>


@ -0,0 +1,8 @@
<svg xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
width="100" height="100">
<!-- This blue rect should always be covered up by the <image>: -->
<circle cx="50" cy="50" r="50" fill="blue"/>
<image width="100" height="100"
xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAGQAAABkCAYAAABw4pVUAAAAAXNSR0IArs4c6QAAAKJJREFUeNrt0QENAAAIw7CDf89gg5BOwlqZTHSmtgCIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAiIgAARECACAkRAgAgIEAERECACAkRAvrfrTQLGaH3qbAAAAABJRU5ErkJggg%3D%3D"/>
</svg>
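Review bot: The comment `<!-- This blue rect should always be covered up by the <image>: -->` describes a rect, but the element that follows is a `<circle>`; the sibling test file svg-image-external.svg uses a `<rect>` for the same role, so either the comment or the element is out of step. If the circle is intentional, change the comment to `<!-- This blue circle should always be covered up by the <image>: -->`; otherwise use `<rect width="100" height="100" fill="blue"/>` as in the external-resource variant so the two tests differ only in the href.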



@ -0,0 +1,5 @@
<html>
<body style="margin: 0">
<img src="svg-image-external.svg">
</body>
</html>


@ -0,0 +1,10 @@
<svg xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
width="100" height="100">
<!-- This blue rect should be covered up by the <image> when this SVG is
loaded as an image by a local document, but not when the document is
served over HTTP: -->
<rect width="100" height="100" fill="blue"/>
<image width="100" height="100"
xlink:href="lime100x100.png"/>
</svg>



@ -0,0 +1,5 @@
<html>
<body style="margin: 0">
<img src="svg-stylesheet-datauri.svg">
</body>
</html>


@ -0,0 +1,8 @@
<?xml-stylesheet href="data:text/css,rect%20%7B%20fill%3A%20lime%20%7D%0A"
type="text/css"?>
<svg xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
width="100" height="100">
<!-- This blue rect should always be styled as lime by the stylesheet: -->
<rect width="100" height="100" fill="blue"/>
</svg>



@ -0,0 +1,5 @@
<html>
<body style="margin: 0">
<img src="svg-stylesheet-external.svg">
</body>
</html>


@ -0,0 +1 @@
rect { fill: lime }


@ -0,0 +1,9 @@
<?xml-stylesheet href="svg-stylesheet-external.css" type="text/css"?>
<svg xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
width="100" height="100">
<!-- This blue rect should be styled as lime by the stylesheet when this SVG
is loaded as an image by a local document, but not when the document is
served over HTTP: -->
<rect width="100" height="100" fill="blue"/>
</svg>
