Bug 576075, stricter tree selection handling, r=enndeakin

--HG--
extra : rebase_source : ea68e33207720ee4193642aaf0749c9939cc12d2

content/xul/templates/src/Makefile.in

@@ -83,6 +83,7 @@ include $(topsrcdir)/config/rules.mk
 
 LOCAL_INCLUDES	= -I$(srcdir)/../../../base/src \
 		  -I$(srcdir)/../../content/src \
+		  -I$(srcdir)/../../../../layout/xul/base/src/tree/src \
 		  $(NULL)
 
 DEFINES += -D_IMPL_NS_LAYOUT

content/xul/templates/src/nsXULTreeBuilder.cpp

@@ -65,6 +65,7 @@
 #include "nsINameSpaceManager.h"
 #include "nsIDOMClassInfo.h"
 #include "nsWhitespaceTokenizer.h"
+#include "nsTreeContentView.h"
 
 // For security check
 #include "nsIDocument.h"
@@ -467,6 +468,9 @@ nsXULTreeBuilder::GetSelection(nsITreeSelection** aSelection)
 NS_IMETHODIMP
 nsXULTreeBuilder::SetSelection(nsITreeSelection* aSelection)
 {
+    NS_ENSURE_TRUE(!aSelection ||
+                   nsTreeContentView::CanTrustTreeSelection(aSelection),
+                   NS_ERROR_DOM_SECURITY_ERR);
     mSelection = aSelection;
     return NS_OK;
 }

layout/xul/base/src/tree/public/nsITreeSelection.idl

@@ -152,3 +152,14 @@ interface nsITreeSelection : nsISupports
    */
   readonly attribute long shiftSelectPivot;
 };
+
+/**
+ * The following interface is not scriptable and MUST NEVER BE MADE scriptable.
+ * Native treeselections implement it, and we use this to check whether a
+ * treeselection is native (and therefore suitable for use by untrusted content).
+ */
+[uuid(1bd59678-5cb3-4316-b246-31a91b19aabe)]
+interface nsINativeTreeSelection : nsITreeSelection
+{
+  [noscript] void ensureNative();
+};

layout/xul/base/src/tree/src/nsTreeContentView.cpp

@@ -47,6 +47,7 @@
 #include "nsIEventStateManager.h"
 #include "nsINodeInfo.h"
 #include "nsIXULSortService.h"
+#include "nsContentUtils.h"
 #include "nsTreeBodyFrame.h"
 
 #define NS_ENSURE_NATIVE_COLUMN(_col)                                \
@@ -201,9 +202,22 @@ nsTreeContentView::GetSelection(nsITreeSelection** aSelection)
   return NS_OK;
 }
 
+PRBool
+nsTreeContentView::CanTrustTreeSelection(nsISupports* aValue)
+{
+  // Untrusted content is only allowed to specify known-good views
+  if (nsContentUtils::IsCallerTrustedForWrite())
+    return PR_TRUE;
+  nsCOMPtr<nsINativeTreeSelection> nativeTreeSel = do_QueryInterface(aValue);
+  return nativeTreeSel && NS_SUCCEEDED(nativeTreeSel->EnsureNative());
+}
+
 NS_IMETHODIMP
 nsTreeContentView::SetSelection(nsITreeSelection* aSelection)
 {
+  NS_ENSURE_TRUE(!aSelection || CanTrustTreeSelection(aSelection),
+                 NS_ERROR_DOM_SECURITY_ERR);
+
   mSelection = aSelection;
   if (!mSelection || !mUpdateSelection)
     return NS_OK;

layout/xul/base/src/tree/src/nsTreeContentView.h

@@ -82,6 +82,8 @@ class nsTreeContentView : public nsINativeTreeView,
     NS_DECL_NSIMUTATIONOBSERVER_CONTENTREMOVED
     NS_DECL_NSIMUTATIONOBSERVER_NODEWILLBEDESTROYED
 
+    static PRBool CanTrustTreeSelection(nsISupports* aValue);
+
   protected:
     // Recursive methods which deal with serializing of nested content.
     void Serialize(nsIContent* aContent, PRInt32 aParentIndex, PRInt32* aIndex,

layout/xul/base/src/tree/src/nsTreeSelection.cpp

@@ -280,6 +280,7 @@ DOMCI_DATA(TreeSelection, nsTreeSelection)
 // QueryInterface implementation for nsBoxObject
 NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(nsTreeSelection)
   NS_INTERFACE_MAP_ENTRY(nsITreeSelection)
+  NS_INTERFACE_MAP_ENTRY(nsINativeTreeSelection)
   NS_INTERFACE_MAP_ENTRY(nsISupports)
   NS_DOM_INTERFACE_MAP_ENTRY_CLASSINFO(TreeSelection)
 NS_INTERFACE_MAP_END

layout/xul/base/src/tree/src/nsTreeSelection.h

@@ -50,7 +50,7 @@
 class nsITreeBoxObject;
 struct nsTreeRange;
 
-class nsTreeSelection : public nsITreeSelection
+class nsTreeSelection : public nsINativeTreeSelection
 {
 public:
   nsTreeSelection(nsITreeBoxObject* aTree);
@@ -60,6 +60,9 @@ public:
   NS_DECL_CYCLE_COLLECTION_CLASS(nsTreeSelection)
   NS_DECL_NSITREESELECTION
 
+  // nsINativeTreeSelection: Untrusted code can use us
+  NS_IMETHOD EnsureNative() { return NS_OK; }
+
   friend struct nsTreeRange;
 
 protected: