Fix a number of security bugs. (I can't see the numbers at home because
they have restricted visibility.)
r=mstoltz
norris%netscape.com 2000-03-18 17:48:12 +00:00
Родитель 5ea90ce2da
Коммит 437a7174ea
10 изменённых файлов: 136 добавлений и 128 удалений


@ -65,6 +65,8 @@
#include "nsDOMError.h"
#include "nsICodebasePrincipal.h"
#include "nsIScriptSecurityManager.h"
#include "nsJSUtils.h"
#include "nsDOMPropEnums.h"
#include "nsIIOService.h"
#include "nsICookieService.h"
@ -2532,18 +2534,25 @@ nsHTMLDocument::FindNamedItem(nsIContent *aContent,
}
NS_IMETHODIMP
nsHTMLDocument::NamedItem(const nsString& aName, nsIDOMElement** aReturn)
nsHTMLDocument::NamedItem(JSContext* cx, jsval* argv, PRUint32 argc,
jsval* aReturn)
{
nsresult result = NS_OK;
nsIContent *content = nsnull;
if (argc < 1)
return NS_ERROR_DOM_TOO_FEW_PARAMETERS_ERR;
char *str = JS_GetStringBytes(JS_ValueToString(cx, argv[0]));
nsAutoString name(str);
// XXX If we have a parser, it means that we're still loading the
// document. Since there's still content coming in (and not all
// may yet have been explicitly added to the document), we do
// a depth-first search rather than build up a table.
// Obviously, this may be inefficient for large documents.
if (nsnull != mParser) {
content = FindNamedItem(mRootContent, aName, PR_FALSE);
content = FindNamedItem(mRootContent, name, PR_FALSE);
}
else {
// If the document has completed loading, we build a table and
@ -2555,18 +2564,39 @@ nsHTMLDocument::NamedItem(const nsString& aName, nsIDOMElement** aReturn)
RegisterNamedItems(mRootContent, PR_FALSE);
}
char *str = aName.ToNewCString();
content = (nsIContent *)PL_HashTableLookup(mNamedItems, str);
Recycle(str);
}
nsIScriptContext *context = (nsIScriptContext*)JS_GetContextPrivate(cx);
JSObject *scriptObject;
result = GetScriptObject(context, (void **)&scriptObject);
if (NS_FAILED(result))
return result;
if (nsnull != content) {
result = content->QueryInterface(kIDOMElementIID, (void **)aReturn);
nsIScriptSecurityManager *sm = nsJSUtils::nsGetSecurityManager(cx, scriptObject);
result = sm->CheckScriptAccess(cx, scriptObject,
NS_DOM_PROP_NSHTMLFORMELEMENT_NAMEDITEM,
PR_FALSE);
if (NS_SUCCEEDED(result)) {
nsCOMPtr<nsIScriptObjectOwner> owner = do_QueryInterface(content);
JSObject* obj;
result = owner->GetScriptObject(context, (void**)&obj);
if (NS_FAILED(result)) {
return result;
}
*aReturn = OBJECT_TO_JSVAL(obj);
}
return result;
}
else {
*aReturn = nsnull;
nsISupports *supports;
result = this->QueryInterface(NS_GET_IID(nsISupports), (void **) &supports);
if (NS_SUCCEEDED(result)) {
result = nsJSUtils::nsCallJSScriptObjectGetProperty(supports, cx, scriptObject,
argv[0], aReturn);
NS_RELEASE(supports);
}
return result;
}
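Review bot: The new NamedItem dereferences three results that can be null: the `JS_ValueToString(cx, argv[0])` result at the top of the function is passed straight to JS_GetStringBytes, `sm` from nsGetSecurityManager is used before any check at `sm->CheckScriptAccess`, and `owner` from do_QueryInterface is used at `owner->GetScriptObject` although the Resolve code this replaces guarded it with `if (owner)`. A script that reaches any of these gets a crash instead of an error, and a crash in the access-check path is the wrong failure mode for a check whose purpose is to deny cross-origin lookups. Separately, the removed glue converted the name with JS_GetStringChars while the new code goes through JS_GetStringBytes, so a name with characters outside the byte range is presumably mangled before the lookup; `nsAutoString name(JS_GetStringChars(jsstr))` keeps the old fidelity if nsAutoString accepts a PRUnichar* here. NamedItem begins in the previous hunk, and the identical hunk in the second copy of this file later in the commit has the same gaps.
```cpp
  JSString *jsstr = JS_ValueToString(cx, argv[0]);
  if (!jsstr)
    return NS_ERROR_FAILURE;
  nsAutoString name(JS_GetStringChars(jsstr));
  // … unchanged: parser-time search / hash-table lookup, GetScriptObject …
  if (nsnull != content) {
    nsIScriptSecurityManager *sm = nsJSUtils::nsGetSecurityManager(cx, scriptObject);
    if (!sm)
      return NS_ERROR_FAILURE;
    result = sm->CheckScriptAccess(cx, scriptObject,
                                   NS_DOM_PROP_NSHTMLFORMELEMENT_NAMEDITEM,
                                   PR_FALSE);
    if (NS_SUCCEEDED(result)) {
      nsCOMPtr<nsIScriptObjectOwner> owner = do_QueryInterface(content);
      if (!owner)
        return NS_ERROR_FAILURE;
      // … unchanged: GetScriptObject and OBJECT_TO_JSVAL …
```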
@ -2621,29 +2651,15 @@ nsHTMLDocument::Resolve(JSContext *aContext, JSObject *aObj, jsval aID)
}
nsresult result;
nsCOMPtr<nsIDOMElement> element;
char* str = JS_GetStringBytes(JSVAL_TO_STRING(aID));
nsAutoString name(str);
PRBool ret = PR_TRUE;
jsval val = 0;
result = NamedItem(name, getter_AddRefs(element));
if (NS_SUCCEEDED(result) && element) {
nsCOMPtr<nsIScriptObjectOwner> owner = do_QueryInterface(element);
if (owner) {
nsCOMPtr<nsIScriptContext> scriptContext;
nsLayoutUtils::GetStaticScriptContext(aContext, aObj,
getter_AddRefs(scriptContext));
if (scriptContext) {
JSObject* obj;
result = owner->GetScriptObject(scriptContext, (void**)&obj);
if (NS_SUCCEEDED(result) && obj) {
ret = ::JS_DefineProperty(aContext, aObj,
str, OBJECT_TO_JSVAL(obj),
nsnull, nsnull, 0);
}
}
}
result = NamedItem(aContext, &aID, 1, &val);
if (NS_SUCCEEDED(result) && val) {
char *str = JS_GetStringBytes(JSVAL_TO_STRING(aID));
ret = ::JS_DefineProperty(aContext, aObj,
str, val,
nsnull, nsnull, 0);
}
if (NS_FAILED(result)) {
ret = PR_FALSE;


@ -1245,8 +1245,8 @@ nsWebShell::DoLoadURL(nsIURI * aUri,
}
// Fix for bug 1646. Change the notion of current url and referrer only after
// the document load succeeds.
if (NS_SUCCEEDED(rv)) {
// the document load succeeds (but only if we're not targeting another window).
if (NS_SUCCEEDED(rv) && !aWindowTarget) {
SetCurrentURI(aUri);
SetReferrer(aReferrer);
}
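Review bot: `!aWindowTarget` only tests the pointer, so if any caller expresses "this window" as an empty target string the current URI and referrer stop being updated after a successful load; if aWindowTarget is a C string, `!(aWindowTarget && *aWindowTarget)` matches what the new comment describes. The comment should also state why the exception exists — presumably that a load delivered to another window must not make this shell's current URI and referrer describe a document it never displayed, since both feed later same-origin and referrer decisions. DoLoadURL continues on both sides of this hunk, and the same hunk appears again in the second copy of this file at the end of the commit.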


@ -29,7 +29,6 @@
#include "nsIScriptContext.h"
#include "jsapi.h"
class nsIDOMElement;
class nsIDOMEvent;
class nsIDOMHTMLCollection;
@ -64,7 +63,7 @@ public:
NS_IMETHOD GetSelection(nsString& aReturn)=0;
NS_IMETHOD NamedItem(const nsString& aName, nsIDOMElement** aReturn)=0;
NS_IMETHOD NamedItem(JSContext* cx, jsval* argv, PRUint32 argc, jsval* aReturn)=0;
NS_IMETHOD Open(JSContext* cx, jsval* argv, PRUint32 argc)=0;
@ -97,7 +96,7 @@ public:
NS_IMETHOD GetEmbeds(nsIDOMHTMLCollection** aEmbeds); \
NS_IMETHOD GetPlugins(nsIDOMHTMLCollection** aPlugins); \
NS_IMETHOD GetSelection(nsString& aReturn); \
NS_IMETHOD NamedItem(const nsString& aName, nsIDOMElement** aReturn); \
NS_IMETHOD NamedItem(JSContext* cx, jsval* argv, PRUint32 argc, jsval* aReturn); \
NS_IMETHOD Open(JSContext* cx, jsval* argv, PRUint32 argc); \
NS_IMETHOD Write(JSContext* cx, jsval* argv, PRUint32 argc); \
NS_IMETHOD Writeln(JSContext* cx, jsval* argv, PRUint32 argc); \
@ -123,7 +122,7 @@ public:
NS_IMETHOD GetEmbeds(nsIDOMHTMLCollection** aEmbeds) { return _to GetEmbeds(aEmbeds); } \
NS_IMETHOD GetPlugins(nsIDOMHTMLCollection** aPlugins) { return _to GetPlugins(aPlugins); } \
NS_IMETHOD GetSelection(nsString& aReturn) { return _to GetSelection(aReturn); } \
NS_IMETHOD NamedItem(const nsString& aName, nsIDOMElement** aReturn) { return _to NamedItem(aName, aReturn); } \
NS_IMETHOD NamedItem(JSContext* cx, jsval* argv, PRUint32 argc, jsval* aReturn) { return _to NamedItem(cx, argv, argc, aReturn); } \
NS_IMETHOD Open(JSContext* cx, jsval* argv, PRUint32 argc) { return _to Open(cx, argv, argc); } \
NS_IMETHOD Write(JSContext* cx, jsval* argv, PRUint32 argc) { return _to Write(cx, argv, argc); } \
NS_IMETHOD Writeln(JSContext* cx, jsval* argv, PRUint32 argc) { return _to Writeln(cx, argv, argc); } \
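Review bot: Changing the parameter list of NamedItem on this interface changes the vtable entry that callers compiled against the old header dispatch through, so the interface IID should change with it; the IID line is outside these hunks, and if it is not bumped elsewhere in this commit a stale binary would call the new method with the old arguments. A short comment on the new declaration, e.g. `// Takes raw JS arguments so the document can run its own access check before handing back an element`, would record why this method left the typed nsString/nsIDOMElement form the neighbouring methods still use.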


@ -37,7 +37,7 @@
readonly attribute HTMLCollection plugins;
wstring getSelection();
Element namedItem(in wstring name);
jsval namedItem(/* ... */);
void open(/* ... */);
void write(/* ... */);


@ -399,33 +399,12 @@ GetHTMLDocumentProperty(JSContext *cx, JSObject *obj, jsval id, jsval *vp)
}
if (checkNamedItem) {
nsIDOMElement* prop;
nsIDOMNSHTMLDocument* b;
nsAutoString name;
JSString *jsstring = JS_ValueToString(cx, id);
if (nsnull != jsstring) {
name.SetString(JS_GetStringChars(jsstring));
}
else {
name.SetString("");
}
nsresult result = NS_OK;
if (NS_OK == a->QueryInterface(kINSHTMLDocumentIID, (void **)&b)) {
nsresult result = NS_OK;
result = b->NamedItem(name, &prop);
if (NS_SUCCEEDED(result)) {
NS_RELEASE(b);
if (NULL != prop) {
// get the js object
nsJSUtils::nsConvertObjectToJSVal((nsISupports *)prop, cx, obj, vp);
}
else {
return nsJSUtils::nsCallJSScriptObjectGetProperty(a, cx, obj, id, vp);
}
}
else {
NS_RELEASE(b);
result = b->NamedItem(cx, &id, 1, vp);
NS_RELEASE(b);
if (NS_FAILED(result)) {
return nsJSUtils::nsReportError(cx, obj, result);
}
}
@ -833,8 +812,7 @@ NSHTMLDocumentNamedItem(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, j
return nsJSUtils::nsReportError(cx, obj, NS_ERROR_DOM_WRONG_TYPE_ERR);
}
nsIDOMElement* nativeRet;
nsAutoString b0;
jsval nativeRet;
// If there's no private data, this must be the prototype, so ignore
if (!nativeThis) {
return JS_TRUE;
@ -849,18 +827,13 @@ NSHTMLDocumentNamedItem(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, j
if (NS_FAILED(result)) {
return nsJSUtils::nsReportError(cx, obj, result);
}
if (argc < 1) {
return nsJSUtils::nsReportError(cx, obj, NS_ERROR_DOM_TOO_FEW_PARAMETERS_ERR);
}
nsJSUtils::nsConvertJSValToString(b0, cx, argv[0]);
result = nativeThis->NamedItem(b0, &nativeRet);
result = nativeThis->NamedItem(cx, argv+0, argc-0, &nativeRet);
if (NS_FAILED(result)) {
return nsJSUtils::nsReportError(cx, obj, result);
}
nsJSUtils::nsConvertObjectToJSVal(nativeRet, cx, obj, rval);
*rval = nativeRet;
}
return JS_TRUE;
@ -1232,7 +1205,7 @@ static JSFunctionSpec HTMLDocumentMethods[] =
{"getElementById", HTMLDocumentGetElementById, 1},
{"getElementsByName", HTMLDocumentGetElementsByName, 1},
{"getSelection", NSHTMLDocumentGetSelection, 0},
{"namedItem", NSHTMLDocumentNamedItem, 1},
{"namedItem", NSHTMLDocumentNamedItem, 0},
{"open", NSHTMLDocumentOpen, 0},
{"write", NSHTMLDocumentWrite, 0},
{"writeln", NSHTMLDocumentWriteln, 0},


@ -998,21 +998,17 @@ nsHTMLFrameInnerFrame::ReloadURL()
}
}
nsCOMPtr<nsIWebNavigation> webNav(do_QueryInterface(mSubShell));
NS_ENSURE_TRUE(webNav, NS_ERROR_FAILURE);
nsCOMPtr<nsIWebShell> webShell(do_QueryInterface(mSubShell));
NS_ENSURE_TRUE(webShell, NS_ERROR_FAILURE);
rv = webNav->LoadURI(absURL.GetUnicode()); // URL string with a default nsnull value for post Data
/*
XXX no webshell to call LoadURL on, webNav doesn't have a referrer arg
// load with an URL string with a default nsnull value for post Data
rv = mWebShell->LoadURL(absURL.GetUnicode(),
nsnull, PR_TRUE,
nsIChannel::LOAD_NORMAL,
0,
nsnull,
referrer.Length() > 0 ? referrer.GetUnicode()
: nsnull);
*/
rv = webShell->LoadURL(absURL.GetUnicode(),
nsnull, PR_TRUE,
nsIChannel::LOAD_NORMAL,
0,
nsnull,
referrer.Length() > 0 ? referrer.GetUnicode()
: nsnull);
}
} else {
mCreatingViewer = PR_TRUE;
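Review bot: The positional literals in the new `webShell->LoadURL` call — `nsnull, PR_TRUE, nsIChannel::LOAD_NORMAL, 0, nsnull` — carry no explanation, whereas the removed call at least noted that the first nsnull is the post-data default; a comment naming what each literal selects would spare the next reader a trip to nsIWebShell.h. The switch from nsIWebNavigation back to nsIWebShell appears to be motivated by the referrer argument, so a one-line comment such as `// nsIWebShell::LoadURL is used so the frame load carries the referrer; nsIWebNavigation::LoadURI has no referrer parameter` would document the why. ReloadURL begins before this hunk, and the identical hunk appears again in the next file section.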


@ -998,21 +998,17 @@ nsHTMLFrameInnerFrame::ReloadURL()
}
}
nsCOMPtr<nsIWebNavigation> webNav(do_QueryInterface(mSubShell));
NS_ENSURE_TRUE(webNav, NS_ERROR_FAILURE);
nsCOMPtr<nsIWebShell> webShell(do_QueryInterface(mSubShell));
NS_ENSURE_TRUE(webShell, NS_ERROR_FAILURE);
rv = webNav->LoadURI(absURL.GetUnicode()); // URL string with a default nsnull value for post Data
/*
XXX no webshell to call LoadURL on, webNav doesn't have a referrer arg
// load with an URL string with a default nsnull value for post Data
rv = mWebShell->LoadURL(absURL.GetUnicode(),
nsnull, PR_TRUE,
nsIChannel::LOAD_NORMAL,
0,
nsnull,
referrer.Length() > 0 ? referrer.GetUnicode()
: nsnull);
*/
rv = webShell->LoadURL(absURL.GetUnicode(),
nsnull, PR_TRUE,
nsIChannel::LOAD_NORMAL,
0,
nsnull,
referrer.Length() > 0 ? referrer.GetUnicode()
: nsnull);
}
} else {
mCreatingViewer = PR_TRUE;


@ -65,6 +65,8 @@
#include "nsDOMError.h"
#include "nsICodebasePrincipal.h"
#include "nsIScriptSecurityManager.h"
#include "nsJSUtils.h"
#include "nsDOMPropEnums.h"
#include "nsIIOService.h"
#include "nsICookieService.h"
@ -2532,18 +2534,25 @@ nsHTMLDocument::FindNamedItem(nsIContent *aContent,
}
NS_IMETHODIMP
nsHTMLDocument::NamedItem(const nsString& aName, nsIDOMElement** aReturn)
nsHTMLDocument::NamedItem(JSContext* cx, jsval* argv, PRUint32 argc,
jsval* aReturn)
{
nsresult result = NS_OK;
nsIContent *content = nsnull;
if (argc < 1)
return NS_ERROR_DOM_TOO_FEW_PARAMETERS_ERR;
char *str = JS_GetStringBytes(JS_ValueToString(cx, argv[0]));
nsAutoString name(str);
// XXX If we have a parser, it means that we're still loading the
// document. Since there's still content coming in (and not all
// may yet have been explicitly added to the document), we do
// a depth-first search rather than build up a table.
// Obviously, this may be inefficient for large documents.
if (nsnull != mParser) {
content = FindNamedItem(mRootContent, aName, PR_FALSE);
content = FindNamedItem(mRootContent, name, PR_FALSE);
}
else {
// If the document has completed loading, we build a table and
@ -2555,18 +2564,39 @@ nsHTMLDocument::NamedItem(const nsString& aName, nsIDOMElement** aReturn)
RegisterNamedItems(mRootContent, PR_FALSE);
}
char *str = aName.ToNewCString();
content = (nsIContent *)PL_HashTableLookup(mNamedItems, str);
Recycle(str);
}
nsIScriptContext *context = (nsIScriptContext*)JS_GetContextPrivate(cx);
JSObject *scriptObject;
result = GetScriptObject(context, (void **)&scriptObject);
if (NS_FAILED(result))
return result;
if (nsnull != content) {
result = content->QueryInterface(kIDOMElementIID, (void **)aReturn);
nsIScriptSecurityManager *sm = nsJSUtils::nsGetSecurityManager(cx, scriptObject);
result = sm->CheckScriptAccess(cx, scriptObject,
NS_DOM_PROP_NSHTMLFORMELEMENT_NAMEDITEM,
PR_FALSE);
if (NS_SUCCEEDED(result)) {
nsCOMPtr<nsIScriptObjectOwner> owner = do_QueryInterface(content);
JSObject* obj;
result = owner->GetScriptObject(context, (void**)&obj);
if (NS_FAILED(result)) {
return result;
}
*aReturn = OBJECT_TO_JSVAL(obj);
}
return result;
}
else {
*aReturn = nsnull;
nsISupports *supports;
result = this->QueryInterface(NS_GET_IID(nsISupports), (void **) &supports);
if (NS_SUCCEEDED(result)) {
result = nsJSUtils::nsCallJSScriptObjectGetProperty(supports, cx, scriptObject,
argv[0], aReturn);
NS_RELEASE(supports);
}
return result;
}
@ -2621,29 +2651,15 @@ nsHTMLDocument::Resolve(JSContext *aContext, JSObject *aObj, jsval aID)
}
nsresult result;
nsCOMPtr<nsIDOMElement> element;
char* str = JS_GetStringBytes(JSVAL_TO_STRING(aID));
nsAutoString name(str);
PRBool ret = PR_TRUE;
jsval val = 0;
result = NamedItem(name, getter_AddRefs(element));
if (NS_SUCCEEDED(result) && element) {
nsCOMPtr<nsIScriptObjectOwner> owner = do_QueryInterface(element);
if (owner) {
nsCOMPtr<nsIScriptContext> scriptContext;
nsLayoutUtils::GetStaticScriptContext(aContext, aObj,
getter_AddRefs(scriptContext));
if (scriptContext) {
JSObject* obj;
result = owner->GetScriptObject(scriptContext, (void**)&obj);
if (NS_SUCCEEDED(result) && obj) {
ret = ::JS_DefineProperty(aContext, aObj,
str, OBJECT_TO_JSVAL(obj),
nsnull, nsnull, 0);
}
}
}
result = NamedItem(aContext, &aID, 1, &val);
if (NS_SUCCEEDED(result) && val) {
char *str = JS_GetStringBytes(JSVAL_TO_STRING(aID));
ret = ::JS_DefineProperty(aContext, aObj,
str, val,
nsnull, nsnull, 0);
}
if (NS_FAILED(result)) {
ret = PR_FALSE;


@ -416,6 +416,18 @@ pref("security.policy.default.nshtmldocument.writeln", "sameOrigin");
pref("security.policy.default.eventtarget.addeventlistener", "sameOrigin");
pref("security.policy.default.element.getattribute", "sameOrigin");
pref("security.policy.default.element.getattributenode", "sameOrigin");
pref("security.policy.default.element.getelementsbytagname", "sameOrigin");
pref("security.policy.default.element.normalize", "sameOrigin");
pref("security.policy.default.element.removeattribute", "sameOrigin");
pref("security.policy.default.element.removeattributenode", "sameOrigin");
pref("security.policy.default.element.setattribute", "sameOrigin");
pref("security.policy.default.element.setattributenode", "sameOrigin");
pref("security.policy.default.element.tagname", "sameOrigin");
pref("security.policy.default.nshtmlformelement.nameditem", "sameOrigin");
pref("security.policy.default.history.current.read", "UniversalBrowserRead");
pref("security.policy.default.history.next.read", "UniversalBrowserRead");
pref("security.policy.default.history.previous.read", "UniversalBrowserRead");
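Review bot: The `nshtmlformelement.nameditem` policy entry is, per the nsHTMLDocument::NamedItem change in this commit, also the check consulted for document-level name lookups (NS_DOM_PROP_NSHTMLFORMELEMENT_NAMEDITEM), so a deployment that relaxes it for form.namedItem silently relaxes document name resolution as well. A comment next to the line, e.g. `// Also governs nsHTMLDocument::NamedItem (document name lookups), not only form.namedItem`, would make that coupling visible; a dedicated nshtmldocument.nameditem entry with its own enum value would be the cleaner split if the form element really shares this one.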


@ -1245,8 +1245,8 @@ nsWebShell::DoLoadURL(nsIURI * aUri,
}
// Fix for bug 1646. Change the notion of current url and referrer only after
// the document load succeeds.
if (NS_SUCCEEDED(rv)) {
// the document load succeeds (but only if we're not targeting another window).
if (NS_SUCCEEDED(rv) && !aWindowTarget) {
SetCurrentURI(aUri);
SetReferrer(aReferrer);
}