Bug 285438 Drag and drop gestures can be hijacked to load priviliged xul - xpfe/toolkit trunk patch v2.0 p=jst/me r=neil.parkwaycc.co.uk sr=bzbarsky a=benjamin

2024-09-13 09:24:08 -07:00 · 2007-08-21 22:00:22 -07:00 · 2007-08-21 22:00:22 -07:00 · b22a77a6da
commit b22a77a6da
parent 24d00d1cb8
1 changed files with 34 additions and 12 deletions
--- a/browser/base/content/tabbrowser.xml
+++ b/browser/base/content/tabbrowser.xml
@ -1849,7 +1849,7 @@
      <method name="dragDropSecurityCheck">
        <parameter name="aEvent"/>
        <parameter name="aDragSession"/>
-        <parameter name="aUrl"/>
+        <parameter name="aUri"/>
        <body>
          <![CDATA[
            // Do a security check for drag n' drop. Make sure the
@ -1857,22 +1857,44 @@
            var sourceDoc = aDragSession.sourceDocument;

            if (sourceDoc) {
-              var sourceURI = sourceDoc.documentURI;
+              // Strip leading and trailing whitespace, then try to
+              // create a URI from the dropped string. If that
+              // succeeds, we're dropping a URI and we need to do a
+              // security check to make sure the source document can
+              // load the dropped URI. We don't so much care about
+              // creating the real URI here (i.e. encoding differences
+              // etc don't matter), we just want to know if aUri
+              // really is a URI.

-              const nsIScriptSecurityManager =
-                Components.interfaces.nsIScriptSecurityManager;
-              var secMan =
-                Components.classes["@mozilla.org/scriptsecuritymanager;1"]
-                .getService(nsIScriptSecurityManager);
+              var uriStr = aUri.replace(/^\s*|\s*$/g, '');
+              var uri = null;

              try {
-                secMan.checkLoadURIStr(sourceURI, aUrl,
-                                       nsIScriptSecurityManager.STANDARD);
+                uri = Components.classes["@mozilla.org/network/io-service;1"]
+                  .getService(Components.interfaces.nsIIOService)
+                  .newURI(uriStr, null, null);
              } catch (e) {
-                // Stop event propagation right here.
-                aEvent.stopPropagation();
+              }

-                throw "Drop of " + aUrl + " denied.";
+              if (uri) {
+                // aUri is a URI, do the security check.
+                var sourceURI = sourceDoc.documentURI;
+
+                const nsIScriptSecurityManager =
+                  Components.interfaces.nsIScriptSecurityManager;
+                var secMan =
+                  Components.classes["@mozilla.org/scriptsecuritymanager;1"]
+                  .getService(nsIScriptSecurityManager);
+
+                try {
+                  secMan.checkLoadURIStr(sourceURI, uriStr,
+                                         nsIScriptSecurityManager.STANDARD);
+                } catch (e) {
+                  // Stop event propagation right here.
+                  aEvent.stopPropagation();
+
+                  throw "Drop of " + aUri + " denied.";
+                }
              }
            }
          ]]>