mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-26 06:11:37 +00:00
Fixing 52497, security problem in document.implementation, r=jst a=brendan
parent
ecc687a9f5
commit
b3f1af8772
@ -446,6 +446,14 @@ NS_IMETHODIMP
|
||||
nsScriptSecurityManager::CheckLoadURIFromScript(JSContext *cx,
|
||||
nsIURI *aURI)
|
||||
{
|
||||
// Get a context if necessary
|
||||
if (!cx)
|
||||
{
|
||||
cx = GetCurrentContextQuick();
|
||||
if (!cx)
|
||||
return NS_OK; // No JS context, so allow the load
|
||||
}
|
||||
|
||||
// Get principal of currently executing script.
|
||||
nsCOMPtr<nsIPrincipal> principal;
|
||||
if (NS_FAILED(GetSubjectPrincipal(cx, getter_AddRefs(principal)))) {
|
||||
|
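Review bot: The early `return NS_OK; // No JS context, so allow the load` makes this check fail open: a caller that passes a null `cx` while no script context is current gets the load allowed with no principal comparison at all. nsXMLDocument::Load on this page calls `CheckLoadURIFromScript(nsnull, uri)`, so it depends on GetCurrentContextQuick() finding the calling script's context; if that lookup can come back empty for a script-initiated load, the check is skipped. I would state the assumption at the return, e.g. `// No JS on the stack: caller is trusted native code. Script-initiated callers must always have a current context.`, and confirm it holds for every null-cx caller. The function body continues past the end of the hunk, and the +/- markers are lost on this page, so which lines are new is inferred from the hunk header counts.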
@ -46,6 +46,7 @@
|
||||
#include "nsIDOMComment.h"
|
||||
#include "nsIDOMElement.h"
|
||||
#include "nsIDOMText.h"
|
||||
|
||||
#include "nsIDOMCDATASection.h"
|
||||
#include "nsIDOMProcessingInstruction.h"
|
||||
#include "nsIDOMDocumentType.h"
|
||||
@ -69,6 +70,8 @@
|
||||
#include "nsIParserFilter.h"
|
||||
#include "nsNetUtil.h"
|
||||
#include "nsDOMError.h"
|
||||
#include "nsScriptSecurityManager.h"
|
||||
#include "nsIPrincipal.h"
|
||||
|
||||
|
||||
// XXX The XML world depends on the html atoms
|
||||
@ -255,11 +258,24 @@ nsXMLDocument::Load(const nsAReadableString& aUrl)
|
||||
{
|
||||
nsCOMPtr<nsIChannel> channel;
|
||||
nsCOMPtr<nsIURI> uri;
|
||||
nsresult rv = NS_OK;
|
||||
nsresult rv;
|
||||
|
||||
// Create a new URI and channel
|
||||
// Create a new URI
|
||||
rv = NS_NewURI(getter_AddRefs(uri), aUrl, mDocumentURL);
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
|
||||
// Get security manager, check to see if we're allowed to load this URI
|
||||
NS_WITH_SERVICE(nsIScriptSecurityManager, secMan, NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
if (NS_FAILED(secMan->CheckLoadURIFromScript(nsnull, uri)))
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
// Set a principal for this document
|
||||
rv = secMan->GetCodebasePrincipal(uri, &mPrincipal);
|
||||
if (!mPrincipal) return rv;
|
||||
NS_ADDREF(mPrincipal);
|
||||
|
||||
// Create a channel
|
||||
rv = NS_OpenURI(getter_AddRefs(channel), uri, nsnull);
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
|
||||
|
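Review bot: `if (!mPrincipal) return rv;` after `rv = secMan->GetCodebasePrincipal(uri, &mPrincipal);` tests the pointer instead of the result code. If the call fails without touching the out-param and mPrincipal still holds a value from an earlier Load, the document keeps a principal for a different URI and goes on to open the channel; if the call succeeds with a null pointer, Load returns success without loading anything. Checking the result first closes both cases: `if (NS_FAILED(rv)) return rv;` followed by `if (!mPrincipal) return NS_ERROR_FAILURE;`. Separately, XPCOM getters normally hand back an already-AddRef'd pointer, so the following `NS_ADDREF(mPrincipal);` looks like an extra reference, and any previous mPrincipal appears to be overwritten without a release; the member's declaration is not visible here, so this needs confirming. The same lines appear in the second copy of nsXMLDocument::Load further down the page, and Load's body continues past the hunk.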
@ -247,10 +247,17 @@ NS_IMETHODIMP GlobalWindowImpl::GetContext(nsIScriptContext ** aContext)
|
||||
|
||||
NS_IMETHODIMP GlobalWindowImpl::SetNewDocument(nsIDOMDocument* aDocument)
|
||||
{
|
||||
if (aDocument) {
|
||||
nsCOMPtr<nsIDocument> doc(do_QueryInterface(aDocument));
|
||||
if (doc)
|
||||
if (!aDocument) {
|
||||
if (mDocument) {
|
||||
// Cache the old principal now that the document is being removed.
|
||||
nsCOMPtr<nsIDocument> doc(do_QueryInterface(mDocument));
|
||||
NS_ENSURE_TRUE(doc, NS_ERROR_FAILURE);
|
||||
|
||||
doc->GetPrincipal(getter_AddRefs(mDocumentPrincipal));
|
||||
}
|
||||
} else {
|
||||
// let go of the old cached principal
|
||||
mDocumentPrincipal = nsnull;
|
||||
}
|
||||
|
||||
// Always clear watchpoints, to deal with two cases:
|
||||
@ -512,33 +519,41 @@ NS_IMETHODIMP GlobalWindowImpl::HandleDOMEvent(nsIPresContext* aPresContext,
|
||||
|
||||
NS_IMETHODIMP GlobalWindowImpl::GetPrincipal(nsIPrincipal** result)
|
||||
{
|
||||
if (!mDocumentPrincipal && !mDocument) {
|
||||
// If we don't have a principal and we don't have a document we
|
||||
// ask the parent window for the principal. This can happen when
|
||||
// loading a frameset that has a <frame src="javascript:xxx">, in
|
||||
// that case we use the global window is used in JS before we've
|
||||
// loaded a document into the window.
|
||||
nsCOMPtr<nsIDOMWindow> parent;
|
||||
|
||||
GetParent(getter_AddRefs(parent));
|
||||
|
||||
if (parent && (parent.get() != NS_STATIC_CAST(nsIDOMWindow *, this))) {
|
||||
nsCOMPtr<nsIScriptObjectPrincipal> objPrincipal(do_QueryInterface(parent));
|
||||
|
||||
if (objPrincipal) {
|
||||
return objPrincipal->GetPrincipal(result);
|
||||
}
|
||||
}
|
||||
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
NS_ENSURE_ARG_POINTER(result);
|
||||
|
||||
*result = mDocumentPrincipal;
|
||||
NS_ADDREF(*result);
|
||||
if (mDocument) {
|
||||
// If we have a document, get the principal from the document
|
||||
nsCOMPtr<nsIDocument> doc(do_QueryInterface(mDocument));
|
||||
NS_ENSURE_TRUE(doc, NS_ERROR_FAILURE);
|
||||
|
||||
return NS_OK;
|
||||
return doc->GetPrincipal(result);
|
||||
}
|
||||
|
||||
if (mDocumentPrincipal) {
|
||||
*result = mDocumentPrincipal;
|
||||
NS_ADDREF(*result);
|
||||
|
||||
return NS_OK;
|
||||
}
|
||||
|
||||
// If we don't have a principal and we don't have a document we
|
||||
// ask the parent window for the principal. This can happen when
|
||||
// loading a frameset that has a <frame src="javascript:xxx">, in
|
||||
// that case the global window is used in JS before we've loaded
|
||||
// a document into the window.
|
||||
nsCOMPtr<nsIDOMWindow> parent;
|
||||
|
||||
GetParent(getter_AddRefs(parent));
|
||||
|
||||
if (parent && (parent.get() != NS_STATIC_CAST(nsIDOMWindow *, this))) {
|
||||
nsCOMPtr<nsIScriptObjectPrincipal> objPrincipal(do_QueryInterface(parent));
|
||||
|
||||
if (objPrincipal) {
|
||||
return objPrincipal->GetPrincipal(result);
|
||||
}
|
||||
}
|
||||
|
||||
return NS_ERROR_FAILURE;
|
||||
}
|
||||
|
||||
//*****************************************************************************
|
||||
|
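Review bot: In SetNewDocument the result of `doc->GetPrincipal(getter_AddRefs(mDocumentPrincipal));` is discarded, so a failure leaves the cached principal null with no trace. With no document and no cached principal, the rewritten GetPrincipal in the next hunk then falls through to the parent window's principal rather than failing, which may not be what is wanted for a window whose document was just removed. I would at least record the failure, e.g. `nsresult rv = doc->GetPrincipal(getter_AddRefs(mDocumentPrincipal));` followed by `NS_ASSERTION(NS_SUCCEEDED(rv), "failed to cache document principal");`, and add a comment on the parent fallback saying when it is expected to apply. Old and new lines are interleaved on this page without markers, so the new side is inferred; SetNewDocument's body continues past its hunk.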
@ -46,6 +46,7 @@
|
||||
#include "nsIDOMComment.h"
|
||||
#include "nsIDOMElement.h"
|
||||
#include "nsIDOMText.h"
|
||||
|
||||
#include "nsIDOMCDATASection.h"
|
||||
#include "nsIDOMProcessingInstruction.h"
|
||||
#include "nsIDOMDocumentType.h"
|
||||
@ -69,6 +70,8 @@
|
||||
#include "nsIParserFilter.h"
|
||||
#include "nsNetUtil.h"
|
||||
#include "nsDOMError.h"
|
||||
#include "nsScriptSecurityManager.h"
|
||||
#include "nsIPrincipal.h"
|
||||
|
||||
|
||||
// XXX The XML world depends on the html atoms
|
||||
@ -255,11 +258,24 @@ nsXMLDocument::Load(const nsAReadableString& aUrl)
|
||||
{
|
||||
nsCOMPtr<nsIChannel> channel;
|
||||
nsCOMPtr<nsIURI> uri;
|
||||
nsresult rv = NS_OK;
|
||||
nsresult rv;
|
||||
|
||||
// Create a new URI and channel
|
||||
// Create a new URI
|
||||
rv = NS_NewURI(getter_AddRefs(uri), aUrl, mDocumentURL);
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
|
||||
// Get security manager, check to see if we're allowed to load this URI
|
||||
NS_WITH_SERVICE(nsIScriptSecurityManager, secMan, NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
if (NS_FAILED(secMan->CheckLoadURIFromScript(nsnull, uri)))
|
||||
return NS_ERROR_FAILURE;
|
||||
|
||||
// Set a principal for this document
|
||||
rv = secMan->GetCodebasePrincipal(uri, &mPrincipal);
|
||||
if (!mPrincipal) return rv;
|
||||
NS_ADDREF(mPrincipal);
|
||||
|
||||
// Create a channel
|
||||
rv = NS_OpenURI(getter_AddRefs(channel), uri, nsnull);
|
||||
if (NS_FAILED(rv)) return rv;
|
||||
|
||||
|