Fixing 52497, security problem in document.implementation, r=jst a=brendan

This commit is contained in:
mstoltz%netscape.com 2000-09-20 23:38:28 +00:00
parent ecc687a9f5
commit b3f1af8772
4 changed files with 86 additions and 31 deletions


@ -446,6 +446,14 @@ NS_IMETHODIMP
nsScriptSecurityManager::CheckLoadURIFromScript(JSContext *cx,
nsIURI *aURI)
{
// Get a context if necessary
if (!cx)
{
cx = GetCurrentContextQuick();
if (!cx)
return NS_OK; // No JS context, so allow the load
}
// Get principal of currently executing script.
nsCOMPtr<nsIPrincipal> principal;
if (NS_FAILED(GetSubjectPrincipal(cx, getter_AddRefs(principal)))) {
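Review bot: The fallback added at the top of CheckLoadURIFromScript fails open: when no context is passed and GetCurrentContextQuick() also returns null, the function returns NS_OK before aURI is looked at. The new caller in nsXMLDocument::Load passes nsnull for the context, so that path is taken whenever Load is not driven by running script, and the URI is then not checked by this function at all. If native (non-script) callers are deliberately trusted, that decision should be stated where it is made rather than left to the reader, e.g. `return NS_OK; // No JS context: not a script-initiated load, so the script URI restriction does not apply`. The remainder of CheckLoadURIFromScript continues outside the hunk.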


@ -46,6 +46,7 @@
#include "nsIDOMComment.h"
#include "nsIDOMElement.h"
#include "nsIDOMText.h"
#include "nsIDOMCDATASection.h"
#include "nsIDOMProcessingInstruction.h"
#include "nsIDOMDocumentType.h"
@ -69,6 +70,8 @@
#include "nsIParserFilter.h"
#include "nsNetUtil.h"
#include "nsDOMError.h"
#include "nsScriptSecurityManager.h"
#include "nsIPrincipal.h"
// XXX The XML world depends on the html atoms
@ -255,11 +258,24 @@ nsXMLDocument::Load(const nsAReadableString& aUrl)
{
nsCOMPtr<nsIChannel> channel;
nsCOMPtr<nsIURI> uri;
nsresult rv = NS_OK;
nsresult rv;
// Create a new URI and channel
// Create a new URI
rv = NS_NewURI(getter_AddRefs(uri), aUrl, mDocumentURL);
if (NS_FAILED(rv)) return rv;
// Get security manager, check to see if we're allowed to load this URI
NS_WITH_SERVICE(nsIScriptSecurityManager, secMan, NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
if (NS_FAILED(rv)) return rv;
if (NS_FAILED(secMan->CheckLoadURIFromScript(nsnull, uri)))
return NS_ERROR_FAILURE;
// Set a principal for this document
rv = secMan->GetCodebasePrincipal(uri, &mPrincipal);
if (!mPrincipal) return rv;
NS_ADDREF(mPrincipal);
// Create a channel
rv = NS_OpenURI(getter_AddRefs(channel), uri, nsnull);
if (NS_FAILED(rv)) return rv;
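Review bot: The principal assignment at `rv = secMan->GetCodebasePrincipal(uri, &mPrincipal);` treats a null out-pointer as the only failure and then AddRefs the result unconditionally. If rv is a failure code but mPrincipal is left non-null, Load continues with an unchecked principal; and if GetCodebasePrincipal already returns an AddRef'd reference in the usual XPCOM getter convention, the explicit `NS_ADDREF(mPrincipal)` leaks one reference per load, as does overwriting a principal from an earlier Load without releasing it (mPrincipal appears to be a raw member here). Suggested: `if (NS_FAILED(rv)) return rv;` followed by `if (!mPrincipal) return NS_ERROR_FAILURE;`, and either drop the NS_ADDREF or hold mPrincipal in an nsCOMPtr assigned through getter_AddRefs so ownership is explicit. Load continues past the end of the hunk, and this same hunk is rendered a second time at the bottom of the page.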


@ -247,10 +247,17 @@ NS_IMETHODIMP GlobalWindowImpl::GetContext(nsIScriptContext ** aContext)
NS_IMETHODIMP GlobalWindowImpl::SetNewDocument(nsIDOMDocument* aDocument)
{
if (aDocument) {
nsCOMPtr<nsIDocument> doc(do_QueryInterface(aDocument));
if (doc)
if (!aDocument) {
if (mDocument) {
// Cache the old principal now that the document is being removed.
nsCOMPtr<nsIDocument> doc(do_QueryInterface(mDocument));
NS_ENSURE_TRUE(doc, NS_ERROR_FAILURE);
doc->GetPrincipal(getter_AddRefs(mDocumentPrincipal));
}
} else {
// let go of the old cached principal
mDocumentPrincipal = nsnull;
}
// Always clear watchpoints, to deal with two cases:
@ -512,33 +519,41 @@ NS_IMETHODIMP GlobalWindowImpl::HandleDOMEvent(nsIPresContext* aPresContext,
NS_IMETHODIMP GlobalWindowImpl::GetPrincipal(nsIPrincipal** result)
{
if (!mDocumentPrincipal && !mDocument) {
// If we don't have a principal and we don't have a document we
// ask the parent window for the principal. This can happen when
// loading a frameset that has a <frame src="javascript:xxx">, in
// that case we use the global window is used in JS before we've
// loaded a document into the window.
nsCOMPtr<nsIDOMWindow> parent;
GetParent(getter_AddRefs(parent));
if (parent && (parent.get() != NS_STATIC_CAST(nsIDOMWindow *, this))) {
nsCOMPtr<nsIScriptObjectPrincipal> objPrincipal(do_QueryInterface(parent));
if (objPrincipal) {
return objPrincipal->GetPrincipal(result);
}
}
return NS_ERROR_FAILURE;
}
NS_ENSURE_ARG_POINTER(result);
*result = mDocumentPrincipal;
NS_ADDREF(*result);
if (mDocument) {
// If we have a document, get the principal from the document
nsCOMPtr<nsIDocument> doc(do_QueryInterface(mDocument));
NS_ENSURE_TRUE(doc, NS_ERROR_FAILURE);
return NS_OK;
return doc->GetPrincipal(result);
}
if (mDocumentPrincipal) {
*result = mDocumentPrincipal;
NS_ADDREF(*result);
return NS_OK;
}
// If we don't have a principal and we don't have a document we
// ask the parent window for the principal. This can happen when
// loading a frameset that has a <frame src="javascript:xxx">, in
// that case the global window is used in JS before we've loaded
// a document into the window.
nsCOMPtr<nsIDOMWindow> parent;
GetParent(getter_AddRefs(parent));
if (parent && (parent.get() != NS_STATIC_CAST(nsIDOMWindow *, this))) {
nsCOMPtr<nsIScriptObjectPrincipal> objPrincipal(do_QueryInterface(parent));
if (objPrincipal) {
return objPrincipal->GetPrincipal(result);
}
}
return NS_ERROR_FAILURE;
}
//*****************************************************************************
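Review bot: The new GetPrincipal still falls back to the parent window's principal whenever the window has neither a document nor a cached principal, and with the SetNewDocument change that state is now also reachable after a document is removed: the `doc->GetPrincipal(getter_AddRefs(mDocumentPrincipal))` call in the first hunk ignores its return value, so a failed lookup presumably leaves mDocumentPrincipal null and the next GetPrincipal answers with the parent's principal instead of an error. That silently gives the window the authority of its parent, which need not be the same origin. Checking the result in SetNewDocument, e.g. `NS_ENSURE_TRUE(NS_SUCCEEDED(doc->GetPrincipal(getter_AddRefs(mDocumentPrincipal))), NS_ERROR_FAILURE);`, or at least narrowing the comment above the parent fallback to say it is intended only for windows that have never loaded a document, would make the intended scope explicit. SetNewDocument continues past the end of its hunk; GetPrincipal is shown in full.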


@ -46,6 +46,7 @@
#include "nsIDOMComment.h"
#include "nsIDOMElement.h"
#include "nsIDOMText.h"
#include "nsIDOMCDATASection.h"
#include "nsIDOMProcessingInstruction.h"
#include "nsIDOMDocumentType.h"
@ -69,6 +70,8 @@
#include "nsIParserFilter.h"
#include "nsNetUtil.h"
#include "nsDOMError.h"
#include "nsScriptSecurityManager.h"
#include "nsIPrincipal.h"
// XXX The XML world depends on the html atoms
@ -255,11 +258,24 @@ nsXMLDocument::Load(const nsAReadableString& aUrl)
{
nsCOMPtr<nsIChannel> channel;
nsCOMPtr<nsIURI> uri;
nsresult rv = NS_OK;
nsresult rv;
// Create a new URI and channel
// Create a new URI
rv = NS_NewURI(getter_AddRefs(uri), aUrl, mDocumentURL);
if (NS_FAILED(rv)) return rv;
// Get security manager, check to see if we're allowed to load this URI
NS_WITH_SERVICE(nsIScriptSecurityManager, secMan, NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
if (NS_FAILED(rv)) return rv;
if (NS_FAILED(secMan->CheckLoadURIFromScript(nsnull, uri)))
return NS_ERROR_FAILURE;
// Set a principal for this document
rv = secMan->GetCodebasePrincipal(uri, &mPrincipal);
if (!mPrincipal) return rv;
NS_ADDREF(mPrincipal);
// Create a channel
rv = NS_OpenURI(getter_AddRefs(channel), uri, nsnull);
if (NS_FAILED(rv)) return rv;