Fixing bug 69070. Don't allow loading of images from file: URIs from web content. r+sr=bzbarsky@mit.edu

content/base/src/nsContentUtils.cpp

@@ -1692,19 +1692,48 @@ nsContentUtils::CanLoadImage(nsIURI* aURI, nsISupports* aContext,
   NS_PRECONDITION(aURI, "Must have a URI");
   NS_PRECONDITION(aLoadingDocument, "Must have a document");
 
-  // XXXbz Do security manager check here!
-
   nsIURI *docURI = aLoadingDocument->GetDocumentURI();
 
+  nsresult rv;
+
+  PRUint32 appType = nsIDocShell::APP_TYPE_UNKNOWN;
+
+  {
+    nsCOMPtr<nsISupports> container = aLoadingDocument->GetContainer();
+    nsCOMPtr<nsIDocShellTreeItem> docShellTreeItem =
+      do_QueryInterface(container);
+
+    if (docShellTreeItem) {
+      nsCOMPtr<nsIDocShellTreeItem> root;
+      docShellTreeItem->GetRootTreeItem(getter_AddRefs(root));
+
+      nsCOMPtr<nsIDocShell> docShell(do_QueryInterface(root));
+
+      if (!docShell || NS_FAILED(docShell->GetAppType(&appType))) {
+        appType = nsIDocShell::APP_TYPE_UNKNOWN;
+      }
+    }
+  }
+
+  if (appType != nsIDocShell::APP_TYPE_EDITOR) {
+    // Editor apps get special treatment here, editors can load images
+    // from anywhere.
+    rv = sSecurityManager->
+      CheckLoadURI(docURI, aURI, nsIScriptSecurityManager::ALLOW_CHROME);
+    if (NS_FAILED(rv)) {
+      return PR_FALSE;
+    }
+  }
+
   PRInt16 decision = nsIContentPolicy::ACCEPT;
 
-  nsresult rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_IMAGE,
-                                          aURI,
-                                          docURI,
-                                          aContext,
-                                          EmptyCString(), //mime guess
-                                          nsnull,         //extra
-                                          &decision);
+  rv = NS_CheckContentLoadPolicy(nsIContentPolicy::TYPE_IMAGE,
+                                 aURI,
+                                 docURI,
+                                 aContext,
+                                 EmptyCString(), //mime guess
+                                 nsnull,         //extra
+                                 &decision);
 
   return NS_FAILED(rv) ? PR_FALSE : NS_CP_ACCEPTED(decision);
 }

content/xbl/src/nsXBLResourceLoader.cpp

@@ -92,7 +92,6 @@ nsXBLResourceLoader::LoadResources(PRBool* aResult)
   *aResult = PR_TRUE;
 
   // Declare our loaders.
-  nsCOMPtr<imgILoader> il;
   nsCOMPtr<nsICSSLoader> cssLoader;
 
   nsCOMPtr<nsIDocument> doc;
@@ -110,19 +109,17 @@ nsXBLResourceLoader::LoadResources(PRBool* aResult)
       continue;
 
     if (curr->mType == nsXBLAtoms::image) {
-      // Obtain our src attribute.  
-      // Construct a URI out of our src attribute.
-      // We need to ensure the image loader is constructed.
-      if (!il) {
-        il = do_GetService("@mozilla.org/image/loader;1");
-        if (!il) continue;
+      if (!nsContentUtils::CanLoadImage(url, doc, doc)) {
+        // We're not permitted to load this image, move on...
+        continue;
       }
 
       // Now kick off the image load...
       // Passing NULL for pretty much everything -- cause we don't care!
       // XXX: initialDocumentURI is NULL! 
       nsCOMPtr<imgIRequest> req;
-      il->LoadImage(url, nsnull, nsnull, nsnull, nsnull, nsnull, nsIRequest::LOAD_BACKGROUND, nsnull, nsnull, getter_AddRefs(req));
+      nsContentUtils::LoadImage(url, doc, nsnull, nsIRequest::LOAD_BACKGROUND,
+                                getter_AddRefs(req));
     }
     else if (curr->mType == nsXBLAtoms::stylesheet) {
       if (!cssLoader) {

docshell/base/nsIDocShell.idl

@@ -259,6 +259,7 @@ interface nsIDocShell : nsISupports
    */
   const unsigned long APP_TYPE_UNKNOWN  = 0;
   const unsigned long APP_TYPE_MAIL     = 1;
+  const unsigned long APP_TYPE_EDITOR   = 2;
 
   attribute unsigned long appType;
 

editor/ui/composer/content/editor.js

@@ -538,6 +538,9 @@ function SetFocusOnStartup()
 
 function EditorStartup()
 {
+  GetCurrentEditorElement().docShell.appType =
+    Components.interfaces.nsIDocShell.APP_TYPE_EDITOR;
+
   var is_HTMLEditor = IsHTMLEditor();
   if (is_HTMLEditor)
   {

layout/xul/base/src/nsImageBoxFrame.cpp

@@ -576,21 +576,6 @@ nsImageBoxFrame::GetFrameName(nsAString& aResult) const
 #endif
 
 
-already_AddRefed<nsILoadGroup>
-nsImageBoxFrame::GetLoadGroup()
-{
-  nsIPresShell *shell = GetPresContext()->GetPresShell();
-  if (!shell)
-    return nsnull;
-
-  nsIDocument *doc = shell->GetDocument();
-  if (!doc)
-    return nsnull;
-
-  return doc->GetDocumentLoadGroup(); // already_AddRefed
-}
-
-
 NS_IMETHODIMP nsImageBoxFrame::OnStartContainer(imgIRequest *request,
                                                 imgIContainer *image)
 {

layout/xul/base/src/nsImageBoxFrame.h

@@ -134,12 +134,6 @@ protected:
 
   nsImageBoxFrame(nsIPresShell* aShell);
 
-  /**
-   * Get the load group for the current document, that should be used for
-   * network requests.
-   */
-  already_AddRefed<nsILoadGroup> GetLoadGroup();
-
   virtual void GetImageSize();
 
 private:

mailnews/compose/src/nsMsgCompose.cpp

@@ -535,7 +535,7 @@ nsMsgCompose::ConvertAndLoadComposeWindow(nsString& aPrefix,
 
       // XXX see bug #206793
       if (docshell)
-        docshell->SetAppType(nsIDocShell::APP_TYPE_UNKNOWN);
+        docshell->SetAppType(nsIDocShell::APP_TYPE_EDITOR);
 
       m_editor->EndOfDocument();
     }
@@ -697,6 +697,8 @@ nsMsgCompose::Initialize(nsIDOMWindowInternal *aWindow, nsIMsgComposeParams *par
     if (NS_FAILED(rv)) return rv;
 
     m_baseWindow = do_QueryInterface(treeOwner);
+
+    globalObj->GetDocShell()->SetAppType(nsIDocShell::APP_TYPE_EDITOR);
   }
   
   MSG_ComposeFormat format;
@@ -2405,7 +2407,7 @@ QuotingOutputStreamListener::InsertToCompose(nsIEditor *aEditor,
 
       // XXX see bug #206793
       if (docshell)
-        docshell->SetAppType(nsIDocShell::APP_TYPE_UNKNOWN);
+        docshell->SetAppType(nsIDocShell::APP_TYPE_EDITOR);
     }
       
   }