Bug 1161831 - Forbid mapping to anything but file:// and jar:// URIs. r=billm,sr=bz

2024-09-13 09:24:08 -07:00 · 2015-07-19 23:06:52 -07:00 · 2015-07-19 23:06:52 -07:00 · f694ec0a43
commit f694ec0a43
parent 511cc8c18f
3 changed files with 23 additions and 3 deletions
--- a/netwerk/protocol/res/SubstitutingProtocolHandler.cpp
+++ b/netwerk/protocol/res/SubstitutingProtocolHandler.cpp
@ -81,10 +81,12 @@ SubstitutingURL::GetClassIDNoAlloc(nsCID *aClassIDNoAlloc)
  return NS_OK;
 }

-SubstitutingProtocolHandler::SubstitutingProtocolHandler(const char* aScheme, uint32_t aFlags)
+SubstitutingProtocolHandler::SubstitutingProtocolHandler(const char* aScheme, uint32_t aFlags,
+                                                         bool aEnforceFileOrJar)
  : mScheme(aScheme)
  , mFlags(aFlags)
  , mSubstitutions(16)
+  , mEnforceFileOrJar(aEnforceFileOrJar)
 {
  nsresult rv;
  mIOService = do_GetIOService(&rv);
@ -287,6 +289,11 @@ SubstitutingProtocolHandler::SetSubstitution(const nsACString& root, nsIURI *bas
  nsresult rv = baseURI->GetScheme(scheme);
  NS_ENSURE_SUCCESS(rv, rv);
  if (!scheme.Equals(mScheme)) {
+    if (mEnforceFileOrJar && !scheme.EqualsLiteral("file") && !scheme.EqualsLiteral("jar")) {
+      NS_WARNING("Refusing to create substituting URI to non-file:// target");
+      return NS_ERROR_INVALID_ARG;
+    }
+
    mSubstitutions.Put(root, baseURI);
    SendSubstitution(root, baseURI);
    return NS_OK;
--- a/netwerk/protocol/res/SubstitutingProtocolHandler.h
+++ b/netwerk/protocol/res/SubstitutingProtocolHandler.h
@ -26,7 +26,7 @@ namespace mozilla {
 class SubstitutingProtocolHandler
 {
 public:
-  SubstitutingProtocolHandler(const char* aScheme, uint32_t aFlags);
+  SubstitutingProtocolHandler(const char* aScheme, uint32_t aFlags, bool aEnforceFileOrJar = true);

  NS_INLINE_DECL_REFCOUNTING(SubstitutingProtocolHandler);
  NS_DECL_NON_VIRTUAL_NSIPROTOCOLHANDLER;
@ -54,6 +54,18 @@ private:
  uint32_t mFlags;
  nsInterfaceHashtable<nsCStringHashKey,nsIURI> mSubstitutions;
  nsCOMPtr<nsIIOService> mIOService;
+
+  // In general, we expect the principal of a document loaded from a
+  // substituting URI to be a codebase principal for that URI (rather than
+  // a principal for whatever is underneath). However, this only works if
+  // the protocol handler for the underlying URI doesn't set an explicit
+  // owner (which chrome:// does, for example). So we want to require that
+  // substituting URIs only map to other URIs of the same type, or to
+  // file:// and jar:// URIs.
+  //
+  // Enforcing this for ye olde resource:// URIs could carry compat risks, so
+  // we just try to enforce it on new protocols going forward.
+  bool mEnforceFileOrJar;
 };

 // SubstitutingURL : overrides nsStandardURL::GetFile to provide nsIFile resolution
--- a/netwerk/protocol/res/nsResProtocolHandler.h
+++ b/netwerk/protocol/res/nsResProtocolHandler.h
@ -26,7 +26,8 @@ public:
    NS_FORWARD_NSISUBSTITUTINGPROTOCOLHANDLER(mozilla::SubstitutingProtocolHandler::)

    nsResProtocolHandler()
-      : SubstitutingProtocolHandler("resource", URI_STD | URI_IS_UI_RESOURCE | URI_IS_LOCAL_RESOURCE)
+      : SubstitutingProtocolHandler("resource", URI_STD | URI_IS_UI_RESOURCE | URI_IS_LOCAL_RESOURCE,
+                                    /* aEnforceFileOrJar = */ false)
    {}

    nsresult Init();