Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-09 19:35:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

bug 292691 plug IconURL and history.back() XSS exploits fixed in firefox 1.0.4

Browse Source 
docshell patch by jst, r=bz,brendan;sr=dveditz,shaver;a=asa
xpinstall patch by dveditz and vlad; r=vlad,jst; sr=jst,shaver; a=asa
This commit is contained in:
dveditz%cruzio.com 2005-05-13 23:08:09 +00:00
parent 23c8d215b6
commit 7b49950fef
2 changed files with 128 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
docshell/base/nsDocShell.cpp
View File

@ -4722,6 +4722,29 @@ nsDocShell::CreateAboutBlankContentViewer()
mCreatingDocument = PR_TRUE;
if (mContentViewer) {
// We've got a content viewer already. Make sure the user
// permits us to discard the current document and replace it
// with about:blank. And also ensure we fire the unload events
// in the current document.
PRBool okToUnload;
rv = mContentViewer->PermitUnload(&okToUnload);
if (NS_SUCCEEDED(rv) && !okToUnload) {
// The user chose not to unload the page, interrupt the load.
return NS_ERROR_FAILURE;
}
// Notify the current document that it is about to be unloaded!!
//
// It is important to fire the unload() notification *before* any state
// is changed within the DocShell - otherwise, javascript will get the
// wrong information :-(
//
(void) FireUnloadNotification();
}
// one helper factory, please
nsCOMPtr<nsICategoryManager> catMan(do_GetService(NS_CATEGORYMANAGER_CONTRACTID));
if (!catMan)
@ -7151,6 +7174,26 @@ nsDocShell::LoadHistoryEntry(nsISHEntry * aEntry, PRUint32 aLoadType)
NS_ERROR_FAILURE);
NS_ENSURE_SUCCESS(aEntry->GetContentType(contentType), NS_ERROR_FAILURE);
PRBool isJavaScript, isViewSource, isData;
if ((NS_SUCCEEDED(uri->SchemeIs("javascript", &isJavaScript)) &&
isJavaScript) ||
(NS_SUCCEEDED(uri->SchemeIs("view-source", &isViewSource)) &&
isViewSource) ||
(NS_SUCCEEDED(uri->SchemeIs("data", &isData)) && isData)) {
// We're loading a javascript: or data: URL from session
// history. Replace the current document with about:blank to
// prevent anything from the current document from leaking
// into any JavaScript code in the URL.
rv = CreateAboutBlankContentViewer();
if (NS_FAILED(rv)) {
// The creation of the intermittent about:blank content
// viewer failed for some reason (potentially because the
// user prevented it). Interrupt the history load.
return NS_OK;
}
}
/* If there is a valid postdata *and* the user pressed
* reload or shift-reload, take user's permission before we
* repost the data to the server.

136
xpinstall/src/nsJSInstallTriggerGlobal.cpp
View File

@ -44,6 +44,11 @@
#include "nsString.h"
#include "nsIDOMInstallVersion.h"
#include "nsIDOMInstallTriggerGlobal.h"
#include "nsIDOMWindow.h"
#include "nsIDOMDocument.h"
#include "nsIDocument.h"
#include "nsIDocShell.h"
#include "nsIObserverService.h"
#include "nsInstallTrigger.h"
#include "nsXPITriggerInfo.h"
@ -143,6 +148,59 @@ static JSBool CreateNativeObject(JSContext *cx, JSObject *obj, nsIDOMInstallTrig
return JS_TRUE;
}
//
// Helper function for URI verification
//
static nsresult
InstallTriggerCheckLoadURIFromScript(JSContext *cx, const nsAString& uriStr)
{
nsresult rv;
nsCOMPtr<nsIScriptSecurityManager> secman(
do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID,&rv));
NS_ENSURE_SUCCESS(rv, rv);
// get the script base URI
nsCOMPtr<nsIURI> scriptURI;
nsCOMPtr<nsIPrincipal> principal;
rv = secman->GetSubjectPrincipal(getter_AddRefs(principal));
NS_ENSURE_SUCCESS(rv, rv);
if (!principal)
return NS_ERROR_FAILURE;
rv = principal->GetURI(getter_AddRefs(scriptURI));
NS_ENSURE_SUCCESS(rv, rv);
if (!scriptURI) {
// No URI reachable from the principal, get one from the calling
// window.
nsIScriptContext *scx = GetScriptContextFromJSContext(cx);
NS_ENSURE_TRUE(scx, NS_ERROR_FAILURE);
nsCOMPtr<nsIDOMWindow> window =
do_QueryInterface(scx->GetGlobalObject());
NS_ENSURE_TRUE(window, NS_ERROR_FAILURE);
nsCOMPtr<nsIDOMDocument> domDoc;
window->GetDocument(getter_AddRefs(domDoc));
nsCOMPtr<nsIDocument> doc = do_QueryInterface(domDoc);
NS_ENSURE_TRUE(doc, NS_ERROR_FAILURE);
scriptURI = doc->GetDocumentURI();
}
// convert the requested URL string to a URI
nsCOMPtr<nsIURI> uri;
rv = NS_NewURI(getter_AddRefs(uri), uriStr);
NS_ENSURE_SUCCESS(rv, rv);
// are we allowed to load this one?
rv = secman->CheckLoadURI(scriptURI, uri,
nsIScriptSecurityManager::DISALLOW_SCRIPT_OR_DATA);
return rv;
}
//
// Native method UpdateEnabled
//
@ -215,11 +273,7 @@ InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *arg
}
}
// if we can't create a security manager we might be in the wizard, allow
PRBool abortLoad = PR_FALSE;
nsCOMPtr<nsIScriptSecurityManager> secman(
do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID));
// parse associative array of installs
if ( argc >= 1 && JSVAL_IS_OBJECT(argv[0]) )
@ -267,19 +321,6 @@ InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *arg
xpiURL = NS_ConvertUTF8toUTF16(resolvedURL);
}
// Make sure we're allowed to load this URL
if (secman)
{
nsCOMPtr<nsIURI> uri;
nsresult rv = NS_NewURI(getter_AddRefs(uri), xpiURL);
if (NS_SUCCEEDED(rv))
{
rv = secman->CheckLoadURIFromScript(cx, uri);
if (NS_FAILED(rv))
abortLoad = PR_TRUE;
}
}
nsAutoString icon(iconURL);
if (iconURL && baseURL)
{
@ -288,13 +329,28 @@ InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *arg
icon = NS_ConvertUTF8toUTF16(resolvedIcon);
}
nsXPITriggerItem *item = new nsXPITriggerItem( name, xpiURL.get(), icon.get() );
if ( item )
{
trigger->Add( item );
}
else
// Make sure we're allowed to load this URL and the icon URL
nsresult rv = InstallTriggerCheckLoadURIFromScript(cx, xpiURL);
if (NS_FAILED(rv))
abortLoad = PR_TRUE;
if (!abortLoad && iconURL)
{
rv = InstallTriggerCheckLoadURIFromScript(cx, icon);
if (NS_FAILED(rv))
abortLoad = PR_TRUE;
}
if (!abortLoad)
{
nsXPITriggerItem *item = new nsXPITriggerItem( name, xpiURL.get(), icon.get() );
if ( item )
{
trigger->Add( item );
}
else
abortLoad = PR_TRUE;
}
}
else
abortLoad = PR_TRUE;
@ -393,20 +449,9 @@ InstallTriggerGlobalInstallChrome(JSContext *cx, JSObject *obj, uintN argc, jsva
}
// Make sure caller is allowed to load this url.
// if we can't create a security manager we might be in the wizard, allow
nsCOMPtr<nsIScriptSecurityManager> secman(
do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID));
if (secman)
{
nsCOMPtr<nsIURI> uri;
nsresult rv = NS_NewURI(getter_AddRefs(uri), sourceURL);
if (NS_SUCCEEDED(rv))
{
rv = secman->CheckLoadURIFromScript(cx, uri);
if (NS_FAILED(rv))
return JS_FALSE;
}
}
nsresult rv = InstallTriggerCheckLoadURIFromScript(cx, sourceURL);
if (NS_FAILED(rv))
return JS_FALSE;
if ( chromeType & CHROME_ALL )
{
@ -481,20 +526,9 @@ InstallTriggerGlobalStartSoftwareUpdate(JSContext *cx, JSObject *obj, uintN argc
}
// Make sure caller is allowed to load this url.
// if we can't create a security manager we might be in the wizard, allow
nsCOMPtr<nsIScriptSecurityManager> secman(
do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID));
if (secman)
{
nsCOMPtr<nsIURI> uri;
nsresult rv = NS_NewURI(getter_AddRefs(uri), xpiURL);
if (NS_SUCCEEDED(rv))
{
rv = secman->CheckLoadURIFromScript(cx, uri);
if (NS_FAILED(rv))
return JS_FALSE;
}
}
nsresult rv = InstallTriggerCheckLoadURIFromScript(cx, xpiURL);
if (NS_FAILED(rv))
return JS_FALSE;
if (argc >= 2 && !JS_ValueToInt32(cx, argv[1], (int32 *)&flags))
{