From 21edbcf9bf07cc69a774eaee275f9431718981fe Mon Sep 17 00:00:00 2001 From: "mstoltz%netscape.com" Date: Fri, 26 May 2000 23:28:40 +0000 Subject: [PATCH] Fixed bug in DOM security checks, fixes bug 37907, 23516. Added security check for htmlelement.innerhtml, fixes 39083. Added location check to BASE HREF=, fixes 35859. r=vidur. Added check to style= tag, fixes 16858, r=pierre. git-svn-id: svn://10.0.0.236/trunk@70965 18797224-902f-48f8-a5cc-f745e15eee43 --- mozilla/caps/src/nsScriptSecurityManager.cpp | 3 ++- .../content/html/document/src/nsHTMLContentSink.cpp | 11 +++++++++++ mozilla/content/html/style/src/nsCSSLoader.cpp | 12 ++++++++++++ .../layout/html/document/src/nsHTMLContentSink.cpp | 11 +++++++++++ mozilla/layout/html/style/src/nsCSSLoader.cpp | 12 ++++++++++++ mozilla/layout/style/nsCSSLoader.cpp | 12 ++++++++++++ mozilla/modules/libpref/src/init/all.js | 2 ++ 7 files changed, 62 insertions(+), 1 deletion(-) diff --git a/mozilla/caps/src/nsScriptSecurityManager.cpp b/mozilla/caps/src/nsScriptSecurityManager.cpp index 34eb9a5c3f3..4dfe17aa3e1 100644 --- a/mozilla/caps/src/nsScriptSecurityManager.cpp +++ b/mozilla/caps/src/nsScriptSecurityManager.cpp @@ -1392,11 +1392,11 @@ nsScriptSecurityManager::GetSecurityLevel(nsIPrincipal *principal, nsresult rv; mIsAccessingPrefs = PR_TRUE; rv = mPrefs->CopyCharPref(prefName, &secLevelString); - mIsAccessingPrefs = PR_FALSE; if (NS_FAILED(rv)) { prefName += (isWrite ? ".write" : ".read"); rv = mPrefs->CopyCharPref(prefName, &secLevelString); } + mIsAccessingPrefs = PR_FALSE; if (NS_SUCCEEDED(rv) && secLevelString) { if (PL_strcmp(secLevelString, "sameOrigin") == 0) secLevel = SCRIPT_SECURITY_SAME_DOMAIN_ACCESS; @@ -1637,6 +1637,7 @@ nsScriptSecurityManager::EnumeratePolicyCallback(const char *prefName, { if (!prefName || !*prefName) return; + nsScriptSecurityManager *mgr = (nsScriptSecurityManager *) data; unsigned count = 0; const char *dots[5]; 
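Review bot: `mIsAccessingPrefs` is set and cleared by hand around the two `CopyCharPref` calls in `GetSecurityLevel`, and nothing on the new side records why the reset has to come after the `.read`/`.write` fallback lookup. A short comment above the reset would keep a later edit from moving it back, for example `// Clear only after the fallback lookup: both pref reads must run with mIsAccessingPrefs set`. Because the flag is managed manually, any early return added between the set and the reset would leave it stuck at `PR_TRUE`, so a small scoped guard object would be the more robust form. It is also worth confirming that `secLevel` starts at a restrictive value for the case where both lookups fail; its initialisation is outside this hunk, as are the start and end of the function.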
diff --git a/mozilla/content/html/document/src/nsHTMLContentSink.cpp b/mozilla/content/html/document/src/nsHTMLContentSink.cpp index 9ae5aac2482..0c1c4f1b721 100644 --- a/mozilla/content/html/document/src/nsHTMLContentSink.cpp +++ b/mozilla/content/html/document/src/nsHTMLContentSink.cpp @@ -3374,6 +3374,17 @@ HTMLContentSink::ProcessAREATag(const nsIParserNode& aNode) void HTMLContentSink::ProcessBaseHref(const nsString& aBaseHref) { + //-- Make sure this page is allowed to load this URL + nsresult rv; + NS_WITH_SERVICE(nsIScriptSecurityManager, securityManager, + NS_SCRIPTSECURITYMANAGER_PROGID, &rv); + if (NS_FAILED(rv)) return; + nsCOMPtr baseHrefURI; + rv = NS_NewURI(getter_AddRefs(baseHrefURI), aBaseHref, nsnull); + if (NS_FAILED(rv)) return; + rv = securityManager->CheckLoadURI(mDocumentBaseURL, baseHrefURI, PR_FALSE); + if (NS_FAILED(rv)) return; + if (nsnull == mBody) { // still in real HEAD mHTMLDocument->SetBaseURL(aBaseHref); NS_RELEASE(mDocumentBaseURL); diff --git a/mozilla/content/html/style/src/nsCSSLoader.cpp b/mozilla/content/html/style/src/nsCSSLoader.cpp index 96cb97303ff..927396fcdf2 100644 --- a/mozilla/content/html/style/src/nsCSSLoader.cpp +++ b/mozilla/content/html/style/src/nsCSSLoader.cpp @@ -50,6 +50,7 @@ #include "nsVoidArray.h" #include "nsISupportsArray.h" #include "nsCOMPtr.h" +#include "nsIScriptSecurityManager.h" #include 
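Review bot: The new `CheckLoadURI` call in `ProcessBaseHref` uses `mDocumentBaseURL` as the source URI, yet the context lines just below show this same function releasing `mDocumentBaseURL` once a BASE is accepted, presumably to replace it with the new base. A later BASE tag would then be checked against the URL chosen by an earlier one rather than against the document's own address. Checking against the document's original URI would make the decision independent of earlier BASE tags. Separately, `NS_NewURI(getter_AddRefs(baseHrefURI), aBaseHref, nsnull)` is given no base, so a relative HREF presumably fails to parse and is dropped by the silent `return`; a comment such as `// relative BASE HREFs are rejected here: no base URI is passed to NS_NewURI` would record whether that is intended. The identical hunk in mozilla/layout/html/document/src/nsHTMLContentSink.cpp carries the same two points, and the function body continues past the hunk.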
@@ -1281,6 +1282,17 @@ CSSLoaderImpl::LoadStyleLink(nsIContent* aElement, if (! mDocument) { return NS_ERROR_NOT_INITIALIZED; } + + //-- Make sure this page is allowed to load this URL + nsresult rv; + NS_WITH_SERVICE(nsIScriptSecurityManager, secMan, NS_SCRIPTSECURITYMANAGER_PROGID, &rv); + if (NS_FAILED(rv)) return rv; + nsIURI* docURI; + rv = mDocument->GetBaseURL(docURI); + if (NS_FAILED(rv) || !docURI) return NS_ERROR_FAILURE; + rv = secMan->CheckLoadURI(docURI, aURL, PR_FALSE); + NS_IF_RELEASE(docURI); + if (NS_FAILED(rv)) return NS_ERROR_FAILURE; // XXX need to add code to cancel any pending sheets for element nsresult result = NS_ERROR_NULL_POINTER; diff --git a/mozilla/layout/html/document/src/nsHTMLContentSink.cpp b/mozilla/layout/html/document/src/nsHTMLContentSink.cpp index 9ae5aac2482..0c1c4f1b721 100644 --- a/mozilla/layout/html/document/src/nsHTMLContentSink.cpp +++ b/mozilla/layout/html/document/src/nsHTMLContentSink.cpp @@ -3374,6 +3374,17 @@ HTMLContentSink::ProcessAREATag(const nsIParserNode& aNode) void HTMLContentSink::ProcessBaseHref(const nsString& aBaseHref) { + //-- Make sure this page is allowed to load this URL + nsresult rv; + NS_WITH_SERVICE(nsIScriptSecurityManager, securityManager, + NS_SCRIPTSECURITYMANAGER_PROGID, &rv); + if (NS_FAILED(rv)) return; + nsCOMPtr baseHrefURI; + rv = NS_NewURI(getter_AddRefs(baseHrefURI), aBaseHref, nsnull); + if (NS_FAILED(rv)) return; + rv = securityManager->CheckLoadURI(mDocumentBaseURL, baseHrefURI, PR_FALSE); + if (NS_FAILED(rv)) return; + if (nsnull == mBody) { // still in real HEAD mHTMLDocument->SetBaseURL(aBaseHref); NS_RELEASE(mDocumentBaseURL); diff --git a/mozilla/layout/html/style/src/nsCSSLoader.cpp b/mozilla/layout/html/style/src/nsCSSLoader.cpp index 96cb97303ff..927396fcdf2 100644 --- a/mozilla/layout/html/style/src/nsCSSLoader.cpp +++ b/mozilla/layout/html/style/src/nsCSSLoader.cpp 
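Review bot: `docURI` in the block added to `LoadStyleLink` is a raw `nsIURI*` that is declared uninitialised and released by hand, while the matching check in `ProcessBaseHref` holds its URI in an `nsCOMPtr`. Writing `nsIURI* docURI = nsnull;` (or using an `nsCOMPtr`) removes the reliance on `GetBaseURL` always writing its out-parameter on success. `aURL` is also handed to `CheckLoadURI` ahead of the `nsresult result = NS_ERROR_NULL_POINTER;` line, which suggests the null check on `aURL` only happens later; a guard such as `if (!aURL) return NS_ERROR_NULL_POINTER;` before the security check would keep the previous result for that case. Every failure after the service lookup is folded into `NS_ERROR_FAILURE`, so a caller cannot tell a denied load from a lookup error. The same hunk is repeated in mozilla/layout/html/style/src/nsCSSLoader.cpp and mozilla/layout/style/nsCSSLoader.cpp, and the function body extends beyond the hunk.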
@@ -50,6 +50,7 @@ #include "nsVoidArray.h" #include "nsISupportsArray.h" #include "nsCOMPtr.h" +#include "nsIScriptSecurityManager.h" #include @@ -1281,6 +1282,17 @@ CSSLoaderImpl::LoadStyleLink(nsIContent* aElement, if (! mDocument) { return NS_ERROR_NOT_INITIALIZED; } + + //-- Make sure this page is allowed to load this URL + nsresult rv; + NS_WITH_SERVICE(nsIScriptSecurityManager, secMan, NS_SCRIPTSECURITYMANAGER_PROGID, &rv); + if (NS_FAILED(rv)) return rv; + nsIURI* docURI; + rv = mDocument->GetBaseURL(docURI); + if (NS_FAILED(rv) || !docURI) return NS_ERROR_FAILURE; + rv = secMan->CheckLoadURI(docURI, aURL, PR_FALSE); + NS_IF_RELEASE(docURI); + if (NS_FAILED(rv)) return NS_ERROR_FAILURE; // XXX need to add code to cancel any pending sheets for element nsresult result = NS_ERROR_NULL_POINTER; diff --git a/mozilla/layout/style/nsCSSLoader.cpp b/mozilla/layout/style/nsCSSLoader.cpp index 96cb97303ff..927396fcdf2 100644 --- a/mozilla/layout/style/nsCSSLoader.cpp +++ b/mozilla/layout/style/nsCSSLoader.cpp @@ -50,6 +50,7 @@ #include "nsVoidArray.h" #include "nsISupportsArray.h" #include "nsCOMPtr.h" +#include "nsIScriptSecurityManager.h" #include @@ -1281,6 +1282,17 @@ CSSLoaderImpl::LoadStyleLink(nsIContent* aElement, if (! mDocument) { return NS_ERROR_NOT_INITIALIZED; } + + //-- Make sure this page is allowed to load this URL + nsresult rv; + NS_WITH_SERVICE(nsIScriptSecurityManager, secMan, NS_SCRIPTSECURITYMANAGER_PROGID, &rv); + if (NS_FAILED(rv)) return rv; + nsIURI* docURI; + rv = mDocument->GetBaseURL(docURI); + if (NS_FAILED(rv) || !docURI) return NS_ERROR_FAILURE; + rv = secMan->CheckLoadURI(docURI, aURL, PR_FALSE); + NS_IF_RELEASE(docURI); + if (NS_FAILED(rv)) return NS_ERROR_FAILURE; // XXX need to add code to cancel any pending sheets for element nsresult result = NS_ERROR_NULL_POINTER; diff --git a/mozilla/modules/libpref/src/init/all.js b/mozilla/modules/libpref/src/init/all.js index 1ee7053ac7a..fdfa0985564 100644 
--- a/mozilla/modules/libpref/src/init/all.js +++ b/mozilla/modules/libpref/src/init/all.js @@ -440,6 +440,8 @@ pref("security.policy.default.element.setattribute", "sameOrigin"); pref("security.policy.default.element.setattributenode", "sameOrigin"); pref("security.policy.default.element.tagname", "sameOrigin"); +pref("security.policy.default.htmlelement.innerhtml", "sameOrigin"); + pref("security.policy.default.nshtmlformelement.nameditem", "sameOrigin"); pref("security.policy.default.history.current.read", "UniversalBrowserRead");