mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-26 06:11:37 +00:00
Bug 813994 - Alarm API - Need additional security checks for the "alarms" permission. r=bent
This commit is contained in:
parent
143c323c27
commit
da6c06fca4
@ -84,6 +84,16 @@ this.AlarmService = {
|
||||
receiveMessage: function receiveMessage(aMessage) {
|
||||
debug("receiveMessage(): " + aMessage.name);
|
||||
|
||||
// To prevent hacked child processes from sending commands to parent
|
||||
// to schedule alarms, we need to check their installed permissions.
|
||||
if (["AlarmsManager:GetAll", "AlarmsManager:Add", "AlarmsManager:Remove"]
|
||||
.indexOf(aMessage.name) != -1) {
|
||||
if (!aMessage.target.assertPermission("alarms")) {
|
||||
debug("Got message from a child process with no 'alarms' permission.");
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
let mm = aMessage.target.QueryInterface(Ci.nsIMessageSender);
|
||||
let json = aMessage.json;
|
||||
switch (aMessage.name) {
|
||||
|
@ -141,15 +141,10 @@ AlarmsManager.prototype = {
|
||||
if (!Services.prefs.getBoolPref("dom.mozAlarms.enabled"))
|
||||
return null;
|
||||
|
||||
let principal = aWindow.document.nodePrincipal;
|
||||
let secMan = Cc["@mozilla.org/scriptsecuritymanager;1"].getService(Ci.nsIScriptSecurityManager);
|
||||
|
||||
let perm = Services.perms.testExactPermissionFromPrincipal(principal, "alarms");
|
||||
|
||||
// Only pages with perm set can use the alarms.
|
||||
this.hasPrivileges = perm == Ci.nsIPermissionManager.ALLOW_ACTION;
|
||||
|
||||
if (!this.hasPrivileges)
|
||||
let principal = aWindow.document.nodePrincipal;
|
||||
let perm = Services.perms.testExactPermissionFromPrincipal(principal, "alarms");
|
||||
if (perm != Ci.nsIPermissionManager.ALLOW_ACTION)
|
||||
return null;
|
||||
|
||||
this._cpmm = Cc["@mozilla.org/childprocessmessagemanager;1"].getService(Ci.nsISyncMessageSender);
|
||||
|
Loading…
Reference in New Issue
Block a user