fixes bug 141061 - XMLHttpRequest allows reading of local files

r=mstoltz sr=heikki git-svn-id: svn://10.0.0.236/trunk@120353 18797224-902f-48f8-a5cc-f745e15eee43
2002-04-30 23:22:04 +00:00 · 2002-04-30 23:22:04 +00:00 · 4f32d845fb
commit 4f32d845fb
parent 10f3c5e677
4 changed files with 16 additions and 0 deletions
--- a/mozilla/netwerk/protocol/http/src/Makefile.in
+++ b/mozilla/netwerk/protocol/http/src/Makefile.in
@ -36,6 +36,8 @@ REQUIRES	= xpcom \
 		  intl \
 		  exthandler \
 		  caps \
+		  xpconnect \
+		  js \
 		  $(NULL)

 CPPSRCS		= \
--- a/mozilla/netwerk/protocol/http/src/makefile.win
+++ b/mozilla/netwerk/protocol/http/src/makefile.win
@ -29,6 +29,8 @@ REQUIRES	= xpcom \
 		  intl \
 		  exthandler \
 		  caps \
+		  xpconnect \
+		  js \
 		  $(NULL)
 include <$(DEPTH)/config/config.mak>

--- a/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp
+++ b/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp
@ -34,6 +34,7 @@
 #include "nsISupportsPrimitives.h"
 #include "nsIURL.h"
 #include "nsIMIMEService.h"
+#include "nsIScriptSecurityManager.h"
 #include "nsCExternalHandlerService.h"
 #include "nsMimeTypes.h"
 #include "nsNetUtil.h"
@ -1466,6 +1467,15 @@ nsHttpChannel::ProcessRedirection(PRUint32 redirectType)
                               getter_AddRefs(newURI));
        if (NS_FAILED(rv)) return rv;

+        // verify that this is a legal redirect
+        nsCOMPtr<nsIScriptSecurityManager> securityManager = 
+                 do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID);
+        if (securityManager) {
+            rv = securityManager->CheckLoadURI(mURI, newURI,
+                                               nsIScriptSecurityManager::DISALLOW_FROM_MAIL);
+            if (NS_FAILED(rv)) return rv;
+        }
+
        // Kill the current cache entry if we are redirecting
        // back to ourself.
        PRBool redirectingBackToSameURI = PR_FALSE;
--- a/mozilla/uriloader/base/nsDocLoader.cpp
+++ b/mozilla/uriloader/base/nsDocLoader.cpp
@ -1263,6 +1263,7 @@ NS_IMETHODIMP nsDocLoaderImpl::OnRedirect(nsIHttpChannel *aOldChannel, nsIChanne
    rv = aNewChannel->GetURI(getter_AddRefs(newURI));
    if (NS_FAILED(rv)) return rv;

+#ifdef HTTP_DOESNT_CALL_CHECKLOADURI
    // verify that this is a legal redirect
    nsCOMPtr<nsIScriptSecurityManager> securityManager = 
             do_GetService(NS_SCRIPTSECURITYMANAGER_CONTRACTID, &rv);
@ -1270,6 +1271,7 @@ NS_IMETHODIMP nsDocLoaderImpl::OnRedirect(nsIHttpChannel *aOldChannel, nsIChanne
    rv = securityManager->CheckLoadURI(oldURI, newURI,
                                       nsIScriptSecurityManager::DISALLOW_FROM_MAIL);
    if (NS_FAILED(rv)) return rv;
+#endif

    nsLoadFlags loadFlags = 0;
    PRInt32 stateFlags = nsIWebProgressListener::STATE_REDIRECTING |