From 04a78925d3661c50863ef3cd2e40676693a0d11f Mon Sep 17 00:00:00 2001
From: Bobby Holley <bobbyholley@gmail.com>
Date: Tue, 8 Jan 2013 10:39:45 -0800
Subject: [PATCH] Bug 824670 - Validate Activity and Message hrefs during
 manifest parsing. r=mounir

---
 dom/apps/src/AppsUtils.jsm | 54 ++++++++++++++++++++++++++++++--------
 1 file changed, 43 insertions(+), 11 deletions(-)

diff --git a/dom/apps/src/AppsUtils.jsm b/dom/apps/src/AppsUtils.jsm
index eb7fcd65c3d0..759496712121 100644
--- a/dom/apps/src/AppsUtils.jsm
+++ b/dom/apps/src/AppsUtils.jsm
@@ -25,6 +25,13 @@ function debug(s) {
   //dump("-*- AppsUtils.jsm: " + s + "\n");
 }
 
+function isAbsoluteURI(aURI) {
+  let foo = Services.io.newURI("http://foo", null, null);
+  let bar = Services.io.newURI("http://bar", null, null);
+  return Services.io.newURI(aURI, null, foo).prePath != foo.prePath ||
+         Services.io.newURI(aURI, null, bar).prePath != bar.prePath;
+}
+
 this.AppsUtils = {
   // Clones a app, without the manifest.
   cloneAppObject: function cloneAppObject(aApp) {
@@ -161,21 +168,13 @@ this.AppsUtils = {
     if (aManifest.name == undefined)
       return false;
 
-    function isAbsolute(uri) {
-      // See bug 810551
-      let foo = Services.io.newURI("http://foo", null, null);
-      let bar = Services.io.newURI("http://bar", null, null);
-      return Services.io.newURI(uri, null, foo).prePath != foo.prePath ||
-             Services.io.newURI(uri, null, bar).prePath != bar.prePath;
-    }
-
-    // launch_path and entry_points launch paths can't be absolute
-    if (aManifest.launch_path && isAbsolute(aManifest.launch_path))
+    // launch_path, entry_points launch paths, message hrefs, and activity hrefs can't be absolute
+    if (aManifest.launch_path && isAbsoluteURI(aManifest.launch_path))
       return false;
 
     function checkAbsoluteEntryPoints(entryPoints) {
       for (let name in entryPoints) {
-        if (entryPoints[name].launch_path && isAbsolute(entryPoints[name].launch_path)) {
+        if (entryPoints[name].launch_path && isAbsoluteURI(entryPoints[name].launch_path)) {
           return true;
         }
       }
@@ -191,6 +190,35 @@ this.AppsUtils = {
       }
     }
 
+    if (aManifest.activities) {
+      for (let activityName in aManifest.activities) {
+        let activity = aManifest.activities[activityName];
+        if (activity.href && isAbsoluteURI(activity.href)) {
+          return false;
+        }
+      }
+    }
+
+    // |messages| is an array of items, where each item is either a string or
+    // a {name: href} object.
+    let messages = aManifest.messages;
+    if (messages) {
+      if (!Array.isArray(messages)) {
+        return false;
+      }
+      for (let item of aManifest.messages) {
+        if (typeof item == "object") {
+          let keys = Object.keys(item);
+          if (keys.length != 1) {
+            return false;
+          }
+          if (isAbsoluteURI(item[keys[0]])) {
+            return false;
+          }
+        }
+      }
+    }
+
     return true;
   },
 
@@ -440,6 +468,10 @@ ManifestHelper.prototype = {
   },
 
   resolveFromOrigin: function(aURI) {
+    // This should be enforced higher up, but check it here just in case.
+    if (!isAbsoluteURI(aURI)) {
+      throw new Error("Webapps.jsm: non-relative URI passed to resolveFromOrigin");
+    }
     return this._origin.resolve(aURI);
   },