From b8945cbda41b7a910ca304a557254f6fbe038fca Mon Sep 17 00:00:00 2001 From: Gijs Kruitbosch Date: Tue, 24 Jun 2014 15:52:28 +0100 Subject: [PATCH] Bug 1000514, r=dao --HG-- extra : rebase_source : ae7d5335d873814eb73fbc52d299cc93ba892a4f --- toolkit/content/customizeToolbar.js | 35 ++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/toolkit/content/customizeToolbar.js b/toolkit/content/customizeToolbar.js index 8ad3d10dd554..f5189b6524ce 100644 --- a/toolkit/content/customizeToolbar.js +++ b/toolkit/content/customizeToolbar.js @@ -622,6 +622,10 @@ function isToolbarItem(aElt) function onToolbarDragExit(aEvent) { + if (isUnwantedDragEvent(aEvent)) { + return; + } + if (gCurrentDragOverItem) setDragActive(gCurrentDragOverItem, false); } @@ -645,6 +649,10 @@ function onToolbarDragStart(aEvent) function onToolbarDragOver(aEvent) { + if (isUnwantedDragEvent(aEvent)) { + return; + } + var documentId = gToolboxDocument.documentElement.id; if (!aEvent.dataTransfer.types.contains("text/toolbarwrapper-id/" + documentId.toLowerCase())) return; @@ -697,6 +705,10 @@ function onToolbarDragOver(aEvent) function onToolbarDrop(aEvent) { + if (isUnwantedDragEvent(aEvent)) { + return; + } + if (!gCurrentDragOverItem) return; @@ -767,13 +779,19 @@ function onToolbarDrop(aEvent) function onPaletteDragOver(aEvent) { + if (isUnwantedDragEvent(aEvent)) { + return; + } var documentId = gToolboxDocument.documentElement.id; if (aEvent.dataTransfer.types.contains("text/toolbarwrapper-id/" + documentId.toLowerCase())) aEvent.preventDefault(); } function onPaletteDrop(aEvent) - { +{ + if (isUnwantedDragEvent(aEvent)) { + return; + } var documentId = gToolboxDocument.documentElement.id; var itemId = aEvent.dataTransfer.getData("text/toolbarwrapper-id/" + documentId); 
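Review bot: The three-line `isUnwantedDragEvent` guard is repeated at the top of onToolbarDragExit, onToolbarDragOver, onToolbarDrop, onPaletteDragOver and onPaletteDrop with no comment at any call site, so the reason for the early return is only discoverable by reading the helper at the end of the file. Each of these handlers goes on to trust `aEvent.dataTransfer` (the `text/toolbarwrapper-id/…` type and its data), so a line such as `// Ignore drags that did not start in this window or the toolbox window.` above each guard would make the trust boundary explicit. onToolbarDragStart, named in the second hunk header, is not touched by this patch; that looks deliberate given the helper's remark that mozSourceNode is null during dragstart, and a short comment there would stop a later cleanup from adding the guard and, presumably, preventing drags from starting. The two palette hunks also omit the blank line that the toolbar hunks leave after the guard. All five handler bodies continue outside their hunks.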
@@ -798,3 +816,18 @@ function onPaletteDrop(aEvent)
 toolboxChanged();
 }
+
+
+function isUnwantedDragEvent(aEvent) {
+ /* Discard drag events that originated from a separate window to
+ prevent content->chrome privilege escalations. */
+ let mozSourceNode = aEvent.dataTransfer.mozSourceNode;
+ // mozSourceNode is null in the dragStart event handler or if
+ // the drag event originated in an external application.
+ if (!mozSourceNode) {
+ return true;
+ }
+ let sourceWindow = mozSourceNode.ownerDocument.defaultView;
+ return sourceWindow != window && sourceWindow != gToolboxDocument.defaultView;
+}
+
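Review bot: `mozSourceNode.ownerDocument.defaultView` is dereferenced without checking `ownerDocument`, which is null when a node is itself a document; if such a node can ever be the drag source, the handler would throw rather than take the explicit reject path. The rejection reads more clearly as `if (!mozSourceNode || !mozSourceNode.ownerDocument) { return true; }`. The helper also lacks a header comment stating its contract, for example `// Returns true when the drag must be ignored: no source node, or a source node whose window is neither this window nor the toolbox window.`, which matters because reading the boolean the wrong way round at a call site turns the check into an allow. On style, `function isUnwantedDragEvent(aEvent) {` puts the opening brace on the signature line, while the surrounding functions in the earlier hunks put it on the next line.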