From 36cd507c54d6ff58e41267a0dc6693499512321e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= Date: Fri, 24 Jul 2020 16:52:33 +0000 Subject: [PATCH] Bug 1654683 - Avoid failing to set the search range for find due to nsRange security checks. r=smaug We should probably switch nsRange to use CallerType instead of implicit JSContext checks? Differential Revision: https://phabricator.services.mozilla.com/D84803 --- dom/base/test/mochitest.ini | 1 + dom/base/test/test_find_bug1654683.html | 30 ++++++++++++++++++++ toolkit/components/find/nsWebBrowserFind.cpp | 6 ++++ 3 files changed, 37 insertions(+) create mode 100644 dom/base/test/test_find_bug1654683.html diff --git a/dom/base/test/mochitest.ini b/dom/base/test/mochitest.ini index 33eabce54e40..2a3d66d385a0 100644 --- a/dom/base/test/mochitest.ini +++ b/dom/base/test/mochitest.ini @@ -683,6 +683,7 @@ skip-if = toolkit == 'android' && !is_fennec # Bug 1525959 [test_find.html] [test_find_nac.html] [test_find_bug1601118.html] +[test_find_bug1654683.html] [test_focus_shadow_dom_root.html] [test_focus_shadow_dom.html] [test_focus_scrollable_input.html] diff --git a/dom/base/test/test_find_bug1654683.html b/dom/base/test/test_find_bug1654683.html new file mode 100644 index 000000000000..c4a8aea8aff8 --- /dev/null +++ b/dom/base/test/test_find_bug1654683.html @@ -0,0 +1,30 @@ + + + + +
+ mozilla before +
+ +
+ mozilla after +
+ diff --git a/toolkit/components/find/nsWebBrowserFind.cpp b/toolkit/components/find/nsWebBrowserFind.cpp index 3ca599462704..f9d20bbf2b7a 100644 --- a/toolkit/components/find/nsWebBrowserFind.cpp +++ b/toolkit/components/find/nsWebBrowserFind.cpp @@ -10,6 +10,7 @@ // else we could use nsRange.h and nsIFind.h. #include "nsFind.h" +#include "mozilla/dom/ScriptSettings.h" #include "nsIInterfaceRequestor.h" #include "nsIInterfaceRequestorUtils.h" #include "nsPIDOMWindow.h" @@ -448,6 +449,11 @@ nsresult nsWebBrowserFind::GetSearchLimits(nsRange* aSearchRange, nsCOMPtr node; uint32_t offset; + // Prevent the security checks in nsRange from getting into effect for the + // purposes of determining the search range. These ranges will never be + // exposed to content. + mozilla::dom::AutoNoJSAPI nojsapi; + // Forward, not wrapping: SelEnd to DocEnd if (!mFindBackwards && !aWrap) { // This isn't quite right, since the selection's ranges aren't
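Review bot: The `mozilla::dom::AutoNoJSAPI nojsapi;` guard in the second nsWebBrowserFind.cpp hunk is declared at function scope, so it stays active for everything GetSearchLimits does from that line to its return, not only for the range endpoint setup that the comment describes. The function body continues outside the hunk, so the other calls it covers are not visible here; any of them that decides based on the calling script would presumably also stop seeing that caller. The safety argument rests entirely on "These ranges will never be exposed to content", so I would state it as an invariant for future editors, for example `// Invariant: ranges built below stay internal to find; never hand them to script, and add no caller-sensitive calls under this guard.` If the branch structure allows it, wrapping only the range setup in a nested block with the guard would keep the suppression as narrow as the justification.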