bug 395942 mitigations for QuickTime media-link flaw, r=gavin,neil, b=beltzner

2024-09-13 09:24:08 -07:00 · 2007-09-17 17:54:03 -07:00 · 2007-09-17 17:54:03 -07:00 · 93a4f91334
commit 93a4f91334
parent 2260fcfe2e
2 changed files with 23 additions and 4 deletions
--- a/browser/components/nsBrowserContentHandler.js
+++ b/browser/components/nsBrowserContentHandler.js
@ -51,6 +51,7 @@ const nsIFactory             = Components.interfaces.nsIFactory;
 const nsIFileURL             = Components.interfaces.nsIFileURL;
 const nsIHttpProtocolHandler = Components.interfaces.nsIHttpProtocolHandler;
 const nsIInterfaceRequestor  = Components.interfaces.nsIInterfaceRequestor;
+const nsINetUtil             = Components.interfaces.nsINetUtil;
 const nsIPrefBranch          = Components.interfaces.nsIPrefBranch;
 const nsIPrefLocalizedString = Components.interfaces.nsIPrefLocalizedString;
 const nsISupportsString      = Components.interfaces.nsISupportsString;
@ -67,6 +68,9 @@ const NS_BINDING_ABORTED = 0x804b0002;
 const NS_ERROR_WONT_HANDLE_CONTENT = 0x805d0001;
 const NS_ERROR_ABORT = Components.results.NS_ERROR_ABORT;

+const URI_INHERITS_SECURITY_CONTEXT = nsIHttpProtocolHandler
+                                        .URI_INHERITS_SECURITY_CONTEXT;
+
 function shouldLoadURI(aURI) {
  if (aURI && !aURI.schemeIs("chrome"))
    return true;
@ -430,12 +434,21 @@ var nsBrowserContentHandler = {
      // Handle the old preference dialog URL separately (bug 285416)
      if (chromeParam == "chrome://browser/content/pref/pref.xul") {
        openPreferences();
-      } else {
+        cmdLine.preventDefault = true;
+      } else try {
+        // only load URIs which do not inherit chrome privs
        var features = "chrome,dialog=no,all" + this.getFeatures(cmdLine);
-        openWindow(null, chromeParam, "_blank", features, "");
+        var uri = resolveURIInternal(cmdLine, chromeParam);
+        var netutil = Components.classes["@mozilla.org/network/util;1"]
+                                .getService(nsINetUtil);
+        if (!netutil.URIChainHasFlags(uri, URI_INHERITS_SECURITY_CONTEXT)) {
+          openWindow(null, uri.spec, "_blank", features, "");
+          cmdLine.preventDefault = true;
+        }
+      }
+      catch (e) {
+        Components.utils.reportError(e);
      }
-
-      cmdLine.preventDefault = true;
    }
    if (cmdLine.handleFlag("preferences", false)) {
      openPreferences();
--- a/toolkit/mozapps/extensions/src/nsExtensionManager.js.in
+++ b/toolkit/mozapps/extensions/src/nsExtensionManager.js.in
@ -2616,6 +2616,12 @@ ExtensionManager.prototype = {
  _installGlobalItem: function(file) {
    if (!file || !file.exists())
      throw new Error("Unable to find the file specified on the command line!");
+#ifdef XP_WIN
+    // make sure the file is local on Windows
+    file.normalize();
+    if (file.path[1] != ':')
+      throw new Error("Can't install global chrome from non-local file "+file.path);
+#endif
    var installManifestFile = extractRDFFileToTempDir(file, FILE_INSTALL_MANIFEST, true);
    if (!installManifestFile.exists())
      throw new Error("The package is missing an install manifest!");