Bug 1772089 p6: Fix content sandbox file system test. r=haik

The content temp dir is no longer defined for macOS and Windows. Differential Revision: https://phabricator.services.mozilla.com/D168597
2024-11-27 14:52:16 +00:00 · 2023-02-24 08:44:42 +00:00 · 2023-02-24 08:44:42 +00:00 · dc4d5dcd99
commit dc4d5dcd99
parent c952d27eac
2 changed files with 20 additions and 16 deletions
--- a/security/sandbox/test/browser_content_sandbox_fs_tests.js
+++ b/security/sandbox/test/browser_content_sandbox_fs_tests.js
@ -17,37 +17,41 @@ async function createFileInHome() {
 }

 // Test if the content process can create a temp file, this is disallowed on
-// macOS but allowed everywhere else. Also test that the content process cannot
-// create symlinks or delete files.
+// macOS and Windows but allowed everywhere else. Also test that the content
+// process cannot create symlinks on macOS or delete files.
 async function createTempFile() {
+  // On Windows we allow access to the temp dir for DEBUG builds, because of
+  // logging that uses that dir.
+  let isOptWin = isWin() && !SpecialPowers.isDebugBuild;
+
  let browser = gBrowser.selectedBrowser;
  let path = fileInTempDir().path;
  let fileCreated = await SpecialPowers.spawn(browser, [path], createFile);
-  if (isMac()) {
-    ok(!fileCreated.ok, "creating a file in content temp is not permitted");
+  if (isMac() || isOptWin) {
+    ok(!fileCreated.ok, "creating a file in temp is not permitted");
  } else {
-    ok(!!fileCreated.ok, "creating a file in content temp is permitted");
+    ok(!!fileCreated.ok, "creating a file in temp is permitted");
  }
  // now delete the file
  let fileDeleted = await SpecialPowers.spawn(browser, [path], deleteFile);
-  if (isMac()) {
+  if (isMac() || isOptWin) {
    // On macOS we do not allow file deletion - it is not needed by the content
    // process itself, and macOS uses a different permission to control access
    // so revoking it is easy.
-    ok(!fileDeleted.ok, "deleting a file in content temp is not permitted");
+    ok(!fileDeleted.ok, "deleting a file in temp is not permitted");
+  } else {
+    ok(!!fileDeleted.ok, "deleting a file in temp is permitted");
+  }

+  // Test that symlink creation is not allowed on macOS.
+  if (isMac()) {
    let path = fileInTempDir().path;
    let symlinkCreated = await SpecialPowers.spawn(
      browser,
      [path],
      createSymlink
    );
-    ok(
-      !symlinkCreated.ok,
-      "created a symlink in content temp is not permitted"
-    );
-  } else {
-    ok(!!fileDeleted.ok, "deleting a file in content temp is permitted");
+    ok(!symlinkCreated.ok, "created a symlink in temp is not permitted");
  }
 }

--- a/security/sandbox/test/browser_content_sandbox_utils.js
+++ b/security/sandbox/test/browser_content_sandbox_utils.js
@ -297,12 +297,12 @@ function fileInHomeDir() {

 // Returns a file object for a new file in the content temp dir (.../<UUID>).
 function fileInTempDir() {
-  let contentTempKey = "ContentTmpD";
+  let contentTempKey = "TmpD";

  // get the content temp dir, make sure it exists
  let ctmp = Services.dirsvc.get(contentTempKey, Ci.nsIFile);
-  Assert.ok(ctmp.exists(), "Content temp dir exists");
-  Assert.ok(ctmp.isDirectory(), "Content temp dir is a directory");
+  Assert.ok(ctmp.exists(), "Temp dir exists");
+  Assert.ok(ctmp.isDirectory(), "Temp dir is a directory");

  // build a file object for a new file in content temp
  let tempFile = ctmp.clone();