From 2b38cfdbd15cc5f719977349ebc4809e6c7fcdb9 Mon Sep 17 00:00:00 2001
From: "bzbarsky%mit.edu"
Date: Tue, 21 Oct 2008 20:25:48 +0000
Subject: [PATCH] Bug 424733. Be a little more careful with certificate principals. r+sr=sicking, a=dveditz
git-svn-id: svn://10.0.0.236/trunk@254712 18797224-902f-48f8-a5cc-f745e15eee43
---
mozilla/content/xbl/src/nsXBLBinding.cpp | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/mozilla/content/xbl/src/nsXBLBinding.cpp b/mozilla/content/xbl/src/nsXBLBinding.cpp
index 0300616242b..3f9a45c2628 100644
--- a/mozilla/content/xbl/src/nsXBLBinding.cpp
+++ b/mozilla/content/xbl/src/nsXBLBinding.cpp
@@ -1373,7 +1373,21 @@ nsXBLBinding::AllowScripts()
 PRBool canExecute; nsresult rv = mgr->CanExecuteScripts(cx, ourDocument->NodePrincipal(), &canExecute);
- return NS_SUCCEEDED(rv) && canExecute;
+ if (NS_FAILED(rv) || !canExecute) {
+ return PR_FALSE;
+ }
+
+ // Now one last check: make sure that we're not allowing a privilege
+ // escalations here.
+ PRBool haveCert;
+ doc->NodePrincipal()->GetHasCertificate(&haveCert);
+ if (!haveCert) {
+ return PR_TRUE;
+ }
+
+ PRBool subsumes;
+ rv = ourDocument->NodePrincipal()->Subsumes(doc->NodePrincipal(), &subsumes);
+ return NS_SUCCEEDED(rv) && subsumes;
 } void
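Review bot: In the added certificate check, the result of `GetHasCertificate()` is discarded and `haveCert` is left uninitialized, so if that call ever fails without writing its out-parameter, `if (!haveCert)` reads an indeterminate value and can take the `return PR_TRUE` path, skipping the `Subsumes()` test. Fail closed by checking the call like the other two: `rv = doc->NodePrincipal()->GetHasCertificate(&haveCert);` then `if (NS_FAILED(rv)) { return PR_FALSE; }`. The new comment would also help more if it named the rule being enforced, e.g. `// If doc's principal carries a certificate, only run script when ourDocument's principal subsumes it.` (and "a privilege escalations" should read "a privilege escalation"). `doc` and `ourDocument` are assigned above this hunk, where AllowScripts() begins, so which document each refers to and whether `doc` can be null here cannot be confirmed from the visible lines.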