Bug 285438 Drag and drop gestures can be hijacked to load priviliged xul - xpfe/toolkit trunk patch v2.0 p=jst/me r=neil.parkwaycc.co.uk sr=bzbarsky a=benjamin

2024-09-13 09:24:08 -07:00 · 2007-08-21 22:00:22 -07:00 · 2007-08-21 22:00:22 -07:00 · b22a77a6da
commit b22a77a6da
parent 24d00d1cb8
1 changed files with 34 additions and 12 deletions
--- a/browser/base/content/tabbrowser.xml
+++ b/browser/base/content/tabbrowser.xml
@ -1849,7 +1849,7 @@
      <method name="dragDropSecurityCheck">
        <parameter name="aEvent"/>
        <parameter name="aDragSession"/>
-        <parameter name="aUrl"/>
+        <parameter name="aUri"/>
        <body>
          <![CDATA[
            // Do a security check for drag n' drop. Make sure the
@ -1857,22 +1857,44 @@
            var sourceDoc = aDragSession.sourceDocument;
            if (sourceDoc) {
-              var sourceURI = sourceDoc.documentURI;
+              // Strip leading and trailing whitespace, then try to
              // create a URI from the dropped string. If that
              // succeeds, we're dropping a URI and we need to do a
              // security check to make sure the source document can
              // load the dropped URI. We don't so much care about
              // creating the real URI here (i.e. encoding differences
              // etc don't matter), we just want to know if aUri
              // really is a URI.
-              const nsIScriptSecurityManager =
+              var uriStr = aUri.replace(/^\s*|\s*$/g, '');
-                Components.interfaces.nsIScriptSecurityManager;
+              var uri = null;
              var secMan =
                Components.classes["@mozilla.org/scriptsecuritymanager;1"]
                .getService(nsIScriptSecurityManager);
              try {
-                secMan.checkLoadURIStr(sourceURI, aUrl,
+                uri = Components.classes["@mozilla.org/network/io-service;1"]
-                                       nsIScriptSecurityManager.STANDARD);
+                  .getService(Components.interfaces.nsIIOService)
                  .newURI(uriStr, null, null);
              } catch (e) {
-                // Stop event propagation right here.
+              }
                aEvent.stopPropagation();
-                throw "Drop of " + aUrl + " denied.";
+              if (uri) {
                // aUri is a URI, do the security check.
                var sourceURI = sourceDoc.documentURI;
                const nsIScriptSecurityManager =
                  Components.interfaces.nsIScriptSecurityManager;
                var secMan =
                  Components.classes["@mozilla.org/scriptsecuritymanager;1"]
                  .getService(nsIScriptSecurityManager);
                try {
                  secMan.checkLoadURIStr(sourceURI, uriStr,
                                         nsIScriptSecurityManager.STANDARD);
                } catch (e) {
                  // Stop event propagation right here.
                  aEvent.stopPropagation();
                  throw "Drop of " + aUri + " denied.";
                }
              }
            }
          ]]>