Properly check attribute URLs -- Bug 562547, r=jst, a=blocking2.0

Do not inherit principal from embedding doc (often chrome) when checking URIs,
but use NullPrincipal for untrusted content.

content/html/document/src/Makefile.in

@@ -76,6 +76,7 @@ INCLUDES	+= \
 		-I$(srcdir)/../../../../layout/style \
 		-I$(srcdir)/../../../../dom/base \
 		-I$(srcdir)/../../../../xpcom/io \
+		-I$(srcdir)/../../../../caps/include \
 		$(NULL)
 
 DEFINES += -D_IMPL_NS_LAYOUT

content/html/document/src/nsHTMLFragmentContentSink.cpp

@@ -60,6 +60,7 @@
 #include "nsContentUtils.h"
 #include "nsEscape.h"
 #include "nsNodeInfoManager.h"
+#include "nsNullPrincipal.h"
 #include "nsContentCreatorFunctions.h"
 #include "nsNetUtil.h"
 #include "nsIScriptSecurityManager.h"
@@ -821,6 +822,8 @@ protected:
   PRPackedBool mInStyle; // whether we're inside a style element
   PRPackedBool mProcessComments; // used when comments are allowed
 
+  nsCOMPtr<nsIPrincipal> mNullPrincipal;
+
   // Use nsTHashTable as a hash set for our whitelists
   static nsTHashtable<nsISupportsHashKey>* sAllowedTags;
   static nsTHashtable<nsISupportsHashKey>* sAllowedAttributes;
@@ -989,7 +992,12 @@ nsHTMLParanoidFragmentSink::AddAttributes(const nsIParserNode& aNode,
   nsresult rv;
   // use this to check for safe URIs in the few attributes that allow them
   nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
+  PRUint32 flags = nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL;
   nsCOMPtr<nsIURI> baseURI;
+  if (!mNullPrincipal) {
+      mNullPrincipal = do_CreateInstance(NS_NULLPRINCIPAL_CONTRACTID, &rv);
+      NS_ENSURE_SUCCESS(rv, rv);
+  }
 
   for (PRInt32 i = ac - 1; i >= 0; i--) {
     rv = NS_OK;
@@ -1023,9 +1031,7 @@ nsHTMLParanoidFragmentSink::AddAttributes(const nsIParserNode& aNode,
       rv = NS_NewURI(getter_AddRefs(attrURI), v, nsnull, baseURI);
       if (NS_SUCCEEDED(rv)) {
         rv = secMan->
-          CheckLoadURIWithPrincipal(mTargetDocument->NodePrincipal(),
-                attrURI,
-                nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL);
+          CheckLoadURIWithPrincipal(mNullPrincipal, attrURI, flags);
       }
     }
     

content/xml/document/src/Makefile.in

@@ -68,6 +68,7 @@ LOCAL_INCLUDES	= \
 		-I$(srcdir)/../../../xul/content/src \
 		-I$(srcdir)/../../../events/src \
 		-I$(srcdir)/../../../../dom/base \
+		-I$(srcdir)/../../../../caps/include \
 		$(NULL)
 
 DEFINES += -D_IMPL_NS_LAYOUT

content/xml/document/src/nsXMLFragmentContentSink.cpp

@@ -50,6 +50,7 @@
 #include "nsGkAtoms.h"
 #include "nsINodeInfo.h"
 #include "nsNodeInfoManager.h"
+#include "nsNullPrincipal.h"
 #include "nsContentCreatorFunctions.h"
 #include "nsDOMError.h"
 #include "nsIConsoleService.h"
@@ -519,6 +520,9 @@ public:
                                  PRUint32 aLength);
 protected:
   PRUint32 mSkipLevel; // used when we descend into <style> or <script>
+
+  nsCOMPtr<nsIPrincipal> mNullPrincipal;
+
   // Use nsTHashTable as a hash set for our whitelists
   static nsTHashtable<nsISupportsHashKey>* sAllowedTags;
   static nsTHashtable<nsISupportsHashKey>* sAllowedAttributes;
@@ -640,6 +644,12 @@ nsXHTMLParanoidFragmentSink::AddAttributes(const PRUnichar** aAtts,
   PRInt32 nameSpaceID;
   nsCOMPtr<nsIAtom> prefix, localName;
   nsCOMPtr<nsINodeInfo> nodeInfo;
+
+  if (!mNullPrincipal) {
+      mNullPrincipal = do_CreateInstance(NS_NULLPRINCIPAL_CONTRACTID, &rv);
+      NS_ENSURE_SUCCESS(rv, rv);
+  }
+
   while (*aAtts) {
     nsContentUtils::SplitExpatName(aAtts[0], getter_AddRefs(prefix),
                                    getter_AddRefs(localName), &nameSpaceID);
@@ -655,8 +665,7 @@ nsXHTMLParanoidFragmentSink::AddAttributes(const PRUnichar** aAtts,
       rv = NS_NewURI(getter_AddRefs(attrURI), nsDependentString(aAtts[1]),
                      nsnull, baseURI);
       if (NS_SUCCEEDED(rv)) {
-        rv = secMan->CheckLoadURIWithPrincipal(mTargetDocument->NodePrincipal(),
-                                               attrURI, flags);
+        rv = secMan->CheckLoadURIWithPrincipal(mNullPrincipal, attrURI, flags);
       }
     }