Bug 1338637 - Ask user for confirmation before folder upload. r=Gijs,geckoview-reviewers,agi,baku

Differential Revision: https://phabricator.services.mozilla.com/D95324
2020-11-16 09:33:43 +00:00 · 2020-11-16 09:33:43 +00:00 · 574bf71758
--- a/browser/components/prompts/PromptCollection.jsm
+++ b/browser/components/prompts/PromptCollection.jsm
@ -131,6 +131,48 @@ class PromptCollection {
      result.QueryInterface(Ci.nsIPropertyBag2).get("buttonNumClicked") == 0
    );
  }
+
+  confirmFolderUpload(browsingContext, directoryName) {
+    let title;
+    let message;
+    let acceptLabel;
+
+    try {
+      title = this.stringBundles.dom.GetStringFromName(
+        "FolderUploadPrompt.title"
+      );
+      message = this.stringBundles.dom.formatStringFromName(
+        "FolderUploadPrompt.message",
+        [directoryName]
+      );
+      acceptLabel = this.stringBundles.dom.GetStringFromName(
+        "FolderUploadPrompt.acceptButtonLabel"
+      );
+    } catch (exception) {
+      Cu.reportError("Failed to get strings from dom.properties");
+      return false;
+    }
+
+    let buttonFlags =
+      Services.prompt.BUTTON_TITLE_IS_STRING * Services.prompt.BUTTON_POS_0 +
+      Services.prompt.BUTTON_TITLE_CANCEL * Services.prompt.BUTTON_POS_1 +
+      Services.prompt.BUTTON_POS_1_DEFAULT;
+
+    return (
+      Services.prompt.confirmExBC(
+        browsingContext,
+        Services.prompt.MODAL_TYPE_TAB,
+        title,
+        message,
+        buttonFlags,
+        acceptLabel,
+        null,
+        null,
+        null,
+        {}
+      ) === 0
+    );
+  }
 }

 const BUNDLES = {
--- a/dom/html/HTMLInputElement.cpp
+++ b/dom/html/HTMLInputElement.cpp
@ -54,6 +54,7 @@
 #include "nsError.h"
 #include "nsIEditor.h"
 #include "nsAttrValueOrString.h"
+#include "nsIPromptCollection.h"

 #include "mozilla/PresState.h"
 #include "nsLinebreakConverter.h"  //to strip out carriage returns
@ -480,6 +481,37 @@ HTMLInputElement::nsFilePickerShownCallback::Done(int16_t aResult) {
               mode == static_cast<int16_t>(nsIFilePicker::modeGetFolder));
    nsCOMPtr<nsISupports> tmp;
    nsresult rv = mFilePicker->GetDomFileOrDirectory(getter_AddRefs(tmp));
+
+    // Show a prompt to get user confirmation before allowing folder access.
+    // This is to prevent sites from tricking the user into uploading files.
+    // See Bug 1338637.
+    if (mode == static_cast<int16_t>(nsIFilePicker::modeGetFolder)) {
+      nsCOMPtr<nsIPromptCollection> prompter =
+          do_GetService("@mozilla.org/embedcomp/prompt-collection;1");
+      if (!prompter) {
+        return NS_ERROR_NOT_AVAILABLE;
+      }
+
+      bool confirmed = false;
+      BrowsingContext* bc = mInput->OwnerDoc()->GetBrowsingContext();
+
+      // Get directory name
+      RefPtr<Directory> directory = static_cast<Directory*>(tmp.get());
+      nsAutoString directoryName;
+      ErrorResult error;
+      directory->GetName(directoryName, error);
+      if (NS_WARN_IF(error.Failed())) {
+        return error.StealNSResult();
+      }
+
+      rv = prompter->ConfirmFolderUpload(bc, directoryName, &confirmed);
+      NS_ENSURE_SUCCESS(rv, rv);
+      if (!confirmed) {
+        // User aborted upload
+        return NS_OK;
+      }
+    }
+
    NS_ENSURE_SUCCESS(rv, rv);

    RefPtr<Blob> blob = do_QueryObject(tmp);
--- a/dom/locales/en-US/chrome/dom/dom.properties
+++ b/dom/locales/en-US/chrome/dom/dom.properties
@ -401,3 +401,7 @@ RequestStorageAccessNested=document.requestStorageAccess() may not be called in
 RequestStorageAccessUserGesture=document.requestStorageAccess() may only be requested from inside a short running user-generated event handler.
 # LOCALIZATION NOTE: Do not translate "Location" and "History".
 LocChangeFloodingPrevented=Too many calls to Location or History APIs within a short timeframe.
+FolderUploadPrompt.title = Confirm Upload
+# LOCALIZATION NOTE: %S is the name of the folder the user selected in the file picker.
+FolderUploadPrompt.message = Are you sure you want to upload all files from “%S”? Only do this if you trust the site.
+FolderUploadPrompt.acceptButtonLabel = Upload
--- a/mobile/android/components/geckoview/PromptCollection.jsm
+++ b/mobile/android/components/geckoview/PromptCollection.jsm
@ -38,6 +38,11 @@ class PromptCollection {
      prompter.asyncShowPrompt(msg, resolve);
    }).then(result => !!result?.allow);
  }
+
+  confirmFolderUpload() {
+    // Folder upload is not supported by GeckoView yet, see Bug 1674428.
+    return false;
+  }
 }

 PromptCollection.prototype.QueryInterface = ChromeUtils.generateQI([
--- a/toolkit/components/windowwatcher/nsIPromptCollection.idl
+++ b/toolkit/components/windowwatcher/nsIPromptCollection.idl
@ -33,4 +33,17 @@ interface nsIPromptCollection : nsISupports
   * @return true if the page should be allowed to repost data.
   */
  boolean confirmRepost(in BrowsingContext aBrowsingContext);
+
+  /**
+   * Ask the user for confirmation to upload a selected folder.
+   *
+   * @param aBrowsingContext
+   *        The browsing context the prompt should be opened for.
+   * @param aDirectoryName
+   *        Name of the folder that will be uploaded.
+   *
+   * @return true if the user confirmed the upload, false otherwise.
+   */
+  boolean confirmFolderUpload(in BrowsingContext aBrowsingContext,
+                              in AString aDirectoryName);
 };