From 0488da364fd73cf4527de21bf9937f58e88a5eac Mon Sep 17 00:00:00 2001
From: "bzbarsky%mit.edu" <bzbarsky%mit.edu>
Date: Tue, 25 Apr 2006 03:24:43 +0000
Subject: [PATCH] Deal with checkLoadURI better in the face of URI fixup.  Bug
 334341, r=biesi, sr=dveditz

---
 caps/src/nsScriptSecurityManager.cpp | 34 +++++++++++++++++++++++++++-
 toolkit/content/contentAreaUtils.js  |  5 +---
 2 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp
index 4bf39b8a7cf..a347aad853b 100644
--- a/caps/src/nsScriptSecurityManager.cpp
+++ b/caps/src/nsScriptSecurityManager.cpp
@@ -83,6 +83,8 @@
 #include "nsAutoPtr.h"
 #include "nsAboutProtocolUtils.h"
 #include "nsIClassInfo.h"
+#include "nsIURIFixup.h"
+#include "nsCDefaultURIFixup.h"
 
 static NS_DEFINE_CID(kZipReaderCID, NS_ZIPREADER_CID);
 
@@ -1486,11 +1488,41 @@ nsScriptSecurityManager::CheckLoadURIStr(const nsACString& aSourceURIStr,
     nsresult rv = NS_NewURI(getter_AddRefs(source), aSourceURIStr,
                             nsnull, nsnull, sIOService);
     NS_ENSURE_SUCCESS(rv, rv);
+
     nsCOMPtr<nsIURI> target;
     rv = NS_NewURI(getter_AddRefs(target), aTargetURIStr,
                    nsnull, nsnull, sIOService);
     NS_ENSURE_SUCCESS(rv, rv);
-    return CheckLoadURI(source, target, aFlags);
+
+    rv = CheckLoadURI(source, target, aFlags);
+    NS_ENSURE_SUCCESS(rv, rv);
+
+    // Now start testing fixup -- since aTargetURIStr is a string, not
+    // an nsIURI, we may well end up fixing it up before loading.
+    // Note: This needs to stay in sync with the nsIURIFixup api.
+    nsCOMPtr<nsIURIFixup> fixup = do_GetService(NS_URIFIXUP_CONTRACTID);
+    if (!fixup) {
+        return rv;
+    }
+
+    PRUint32 flags[] = {
+        nsIURIFixup::FIXUP_FLAG_NONE,
+        nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP,
+        nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI,
+        nsIURIFixup::FIXUP_FLAG_ALLOW_KEYWORD_LOOKUP |
+        nsIURIFixup::FIXUP_FLAGS_MAKE_ALTERNATE_URI
+    };
+
+    for (PRUint32 i = 0; i < NS_ARRAY_LENGTH(flags); ++i) {
+        rv = fixup->CreateFixupURI(aTargetURIStr, flags[i],
+                                   getter_AddRefs(target));
+        NS_ENSURE_SUCCESS(rv, rv);
+
+        rv = CheckLoadURI(source, target, aFlags);
+        NS_ENSURE_SUCCESS(rv, rv);
+    }
+
+    return rv;
 }
 
 NS_IMETHODIMP
diff --git a/toolkit/content/contentAreaUtils.js b/toolkit/content/contentAreaUtils.js
index 0636f3e05fb..9f245c6bcc6 100644
--- a/toolkit/content/contentAreaUtils.js
+++ b/toolkit/content/contentAreaUtils.js
@@ -117,14 +117,11 @@ function openNewWindowWith(href, sourceURL, postData, allowThirdPartyFixup)
  */
 function urlSecurityCheck(url, sourceURL)
 {
-  var sourceURI = makeURI(sourceURL);
-  var destURI = makeURI(url);
-
   const nsIScriptSecurityManager = Components.interfaces.nsIScriptSecurityManager;
   var secMan = Components.classes["@mozilla.org/scriptsecuritymanager;1"]
                          .getService(nsIScriptSecurityManager);
   try {
-    secMan.checkLoadURI(sourceURI, destURI, nsIScriptSecurityManager.STANDARD);
+    secMan.checkLoadURIStr(sourceURL, url, nsIScriptSecurityManager.STANDARD);
   } catch (e) {
     throw "Load of " + url + " from " + sourceURL + " denied.";
   }