Fix 28612 META Refresh allowed in Mail/News

r=mstoltz,a=jar Fix 28658 File upload vulnerability r=vidur,a=jar git-svn-id: svn://10.0.0.236/trunk@61523 18797224-902f-48f8-a5cc-f745e15eee43
2000-02-23 22:34:40 +00:00
parent e028eadd0f
commit bf96355ad4
15 changed files with 143 additions and 42 deletions
--- a/mozilla/caps/src/nsScriptSecurityManager.cpp
+++ b/mozilla/caps/src/nsScriptSecurityManager.cpp
@@ -440,7 +440,7 @@ nsScriptSecurityManager::CheckLoadURIFromScript(JSContext *cx,
    nsCOMPtr<nsIURI> uri;
    if (NS_FAILED(codebase->GetURI(getter_AddRefs(uri)))) 
        return NS_ERROR_FAILURE;
-    if (NS_SUCCEEDED(CheckLoadURI(uri, aURI)))
+    if (NS_SUCCEEDED(CheckLoadURI(uri, aURI, PR_FALSE)))
        return NS_OK;

    // See if we're attempting to load a file: URI. If so, let a 
@@ -467,9 +467,21 @@ nsScriptSecurityManager::CheckLoadURIFromScript(JSContext *cx,
 }

 NS_IMETHODIMP
-nsScriptSecurityManager::CheckLoadURI(nsIURI *aFromURI,
-                                      nsIURI *aURI)
+nsScriptSecurityManager::CheckLoadURI(nsIURI *aFromURI, nsIURI *aURI,
+                                      PRBool aDisallowFromMail)
 {
+    nsXPIDLCString fromScheme;
+    if (NS_FAILED(aFromURI->GetScheme(getter_Copies(fromScheme))))
+        return NS_ERROR_FAILURE;
+
+    if (aDisallowFromMail && 
+        (nsCRT::strcmp(fromScheme, "mailbox")  == 0 ||
+         nsCRT::strcmp(fromScheme, "imap")     == 0 ||
+         nsCRT::strcmp(fromScheme, "news")))
+    {
+        return NS_ERROR_DOM_BAD_URI;
+    }
+
    nsXPIDLCString scheme;
    if (NS_FAILED(aURI->GetScheme(getter_Copies(scheme))))
        return NS_ERROR_FAILURE;
@@ -485,9 +497,7 @@ nsScriptSecurityManager::CheckLoadURI(nsIURI *aFromURI,
    }

    nsXPIDLCString scheme2;
-    if (NS_SUCCEEDED(aFromURI->GetScheme(getter_Copies(scheme2))) &&
-        nsCRT::strcmp(scheme, scheme2) == 0) 
-    {
+    if (nsCRT::strcmp(scheme, fromScheme) == 0) {
        // every scheme can access another URI from the same scheme
        return NS_OK;
    }
@@ -897,9 +907,9 @@ nsScriptSecurityManager::EnableCapability(const char *capability)
                                                       source);
        Recycle(source);
        if (CheckConfirmDialog(message, check.GetUnicode(), &remember))
-	    canEnable = nsIPrincipal::ENABLE_GRANTED;
-	else
-	    canEnable = nsIPrincipal::ENABLE_DENIED;
+            canEnable = nsIPrincipal::ENABLE_GRANTED;
+        else
+            canEnable = nsIPrincipal::ENABLE_DENIED;
        PR_FREEIF(message);
        if (remember) {
            if (NS_FAILED(principal->SetCanEnableCapability(capability, canEnable)))
@@ -1138,14 +1148,6 @@ nsScriptSecurityManager::CheckPermissions(JSContext *aCx, JSObject *aObj,
    if (NS_FAILED(GetSubjectPrincipal(aCx, getter_AddRefs(subject))))
        return NS_ERROR_FAILURE;

-    // If native code or system principal, allow access
-    PRBool equals;
-    if (!subject || 
-        (NS_SUCCEEDED(subject->Equals(mSystemPrincipal, &equals)) && equals))
-    {
-        return NS_OK;
-    }
-
    nsCOMPtr<nsIPrincipal> object;
    if (NS_FAILED(GetObjectPrincipal(aCx, aObj, getter_AddRefs(object))))
        return NS_ERROR_FAILURE;