Bug 670514 - Arbitrary File + Directory read via .lnk files on Windows Share. r=bz

2012-05-03 15:23:28 -04:00 · 2012-05-03 15:23:28 -04:00 · 807e54d008
--- a/netwerk/base/public/nsNetUtil.h
+++ b/netwerk/base/public/nsNetUtil.h
@ -229,8 +229,14 @@ NS_NewChannel(nsIChannel           **result,
                rv |= chan->SetLoadGroup(loadGroup);
            if (callbacks)
                rv |= chan->SetNotificationCallbacks(callbacks);
-            if (loadFlags != nsIRequest::LOAD_NORMAL)
-                rv |= chan->SetLoadFlags(loadFlags);
+            if (loadFlags != nsIRequest::LOAD_NORMAL) {
+                // Retain the LOAD_REPLACE load flag if set.
+                nsLoadFlags normalLoadFlags = 0;
+                chan->GetLoadFlags(&normalLoadFlags);
+                rv |= chan->SetLoadFlags(loadFlags | 
+                                         (normalLoadFlags & 
+                                          nsIChannel::LOAD_REPLACE));
+            }
            if (channelPolicy) {
                nsCOMPtr<nsIWritablePropertyBag2> props = do_QueryInterface(chan);
                if (props) {
--- a/netwerk/protocol/file/nsFileChannel.cpp
+++ b/netwerk/protocol/file/nsFileChannel.cpp
@ -273,6 +273,36 @@ nsFileUploadContentStream::OnCopyComplete()

 //-----------------------------------------------------------------------------

+nsFileChannel::nsFileChannel(nsIURI *uri) 
+{
+  // If we have a link file, we should resolve its target right away.
+  // This is to protect against a same origin attack where the same link file
+  // can point to different resources right after the first resource is loaded.
+  nsCOMPtr<nsIFile> file;
+  nsCOMPtr <nsIURI> targetURI;
+  nsCAutoString fileTarget;
+  nsCOMPtr<nsILocalFile> resolvedFile;
+  bool symLink;
+  nsCOMPtr<nsIFileURL> fileURL = do_QueryInterface(uri);
+  if (fileURL && 
+      NS_SUCCEEDED(fileURL->GetFile(getter_AddRefs(file))) &&
+      NS_SUCCEEDED(file->IsSymlink(&symLink)) && 
+      symLink &&
+      NS_SUCCEEDED(file->GetNativeTarget(fileTarget)) &&
+      NS_SUCCEEDED(NS_NewNativeLocalFile(fileTarget, PR_TRUE, 
+                                         getter_AddRefs(resolvedFile))) &&
+      NS_SUCCEEDED(NS_NewFileURI(getter_AddRefs(targetURI), 
+                   resolvedFile, nsnull))) {
+    SetURI(targetURI);
+    SetOriginalURI(uri);
+    nsLoadFlags loadFlags = 0;
+    GetLoadFlags(&loadFlags);
+    SetLoadFlags(loadFlags | nsIChannel::LOAD_REPLACE);
+  } else {
+    SetURI(uri);
+  }
+}
+
 nsresult
 nsFileChannel::MakeFileInputStream(nsIFile *file,
                                   nsCOMPtr<nsIInputStream> &stream,
--- a/netwerk/protocol/file/nsFileChannel.h
+++ b/netwerk/protocol/file/nsFileChannel.h
@ -53,9 +53,7 @@ public:
  NS_DECL_NSIFILECHANNEL
  NS_DECL_NSIUPLOADCHANNEL

-  nsFileChannel(nsIURI *uri) {
-    SetURI(uri);
-  }
+  nsFileChannel(nsIURI *uri);

 protected:
  // Called to construct a blocking file input stream for the given file.  This
--- a/xpcom/io/nsLocalFileWin.cpp
+++ b/xpcom/io/nsLocalFileWin.cpp
@ -2925,19 +2925,22 @@ nsLocalFile::IsSymlink(bool *_retval)
    NS_ENSURE_ARG(_retval);

    // unless it is a valid shortcut path it's not a symlink
-    if (!IsShortcutPath(mWorkingPath))
-    {
+    if (!IsShortcutPath(mWorkingPath)) {
        *_retval = false;
        return NS_OK;
    }

    // we need to know if this is a file or directory
    nsresult rv = ResolveAndStat();
-    if (NS_FAILED(rv))
+    if (NS_FAILED(rv)) {
        return rv;
+    }

-    // it's only a shortcut if it is a file
-    *_retval = (mFileInfo64.type == PR_FILE_FILE);
+    // We should not check mFileInfo64.type here for PR_FILE_FILE because lnk
+    // files can point to directories or files.  Important security checks
+    // depend on correctly identifying lnk files.  mFileInfo64 now holds info
+    // about the target of the lnk file, not the actual lnk file!
+    *_retval = true;
    return NS_OK;
 }