Bug 776606 - Possible chrome-level JS injection attack with user portraits in the Social API. r=gavin

2024-09-13 09:24:08 -07:00 · 2012-07-30 19:28:23 -07:00 · 2012-07-30 19:28:23 -07:00 · 0fe187f956
commit 0fe187f956
parent 73b3aac203
2 changed files with 16 additions and 2 deletions
--- a/browser/base/content/browser-social.js
+++ b/browser/base/content/browser-social.js
@ -160,10 +160,10 @@ let SocialShareButton = {
  updateProfileInfo: function SSB_updateProfileInfo() {
    let profileRow = document.getElementById("editSharePopupHeader");
    let profile = Social.provider.profile;
-    if (profile && profile.portrait && profile.displayName) {
+    if (profile && profile.displayName) {
      profileRow.hidden = false;
      let portrait = document.getElementById("socialUserPortrait");
-      portrait.style.listStyleImage = profile.portrait;
+      portrait.setAttribute("src", profile.portrait || "chrome://browser/skin/social/social.png");
      let displayName = document.getElementById("socialUserDisplayName");
      displayName.setAttribute("label", profile.displayName);
    } else {
--- a/toolkit/components/social/SocialService.jsm
+++ b/toolkit/components/social/SocialService.jsm
@ -201,6 +201,20 @@ SocialProvider.prototype = {
  updateUserProfile: function(profile) {
    this.profile = profile;

+    // Sanitize the portrait from any potential script-injection.
+    if (profile.portrait) {
+      try {
+        let portraitUri = Services.io.newURI(profile.portrait, null, null);
+
+        let scheme = portraitUri ? portraitUri.scheme : "";
+        if (scheme != "data" && scheme != "http" && scheme != "https") {
+          profile.portrait = "";
+        }
+      } catch (ex) {
+        profile.portrait = "";
+      }
+    }
+
    if (profile.iconURL)
      this.iconURL = profile.iconURL;