From 80c639aa0a87b816610eb152b18a7c5f79e3e7c5 Mon Sep 17 00:00:00 2001 From: Daniel Holbert Date: Mon, 7 Nov 2011 13:45:42 -0800 Subject: [PATCH] Bug 693940: Restrict SVG-as-an-image to being able to load (local) URIs that have either the URI_INHERITS_SECURITY_CONTEXT or URI_LOADABLE_BY_SUBSUMERS flags. r=bz --- .../base/src/nsDataDocumentContentPolicy.cpp | 40 +++++++++++----- .../svg/as-image/img-blobBuilder-1.html | 37 +++++++++++++++ .../svg/as-image/img-blobBuilder-2.html | 46 +++++++++++++++++++ layout/reftests/svg/as-image/reftest.list | 6 ++- 4 files changed, 115 insertions(+), 14 deletions(-) create mode 100644 layout/reftests/svg/as-image/img-blobBuilder-1.html create mode 100644 layout/reftests/svg/as-image/img-blobBuilder-2.html diff --git a/content/base/src/nsDataDocumentContentPolicy.cpp b/content/base/src/nsDataDocumentContentPolicy.cpp index b0c52ed97dc..67e46621070 100644 --- a/content/base/src/nsDataDocumentContentPolicy.cpp +++ b/content/base/src/nsDataDocumentContentPolicy.cpp @@ -51,6 +51,17 @@ NS_IMPL_ISUPPORTS1(nsDataDocumentContentPolicy, nsIContentPolicy) +// Helper method for ShouldLoad() +// Checks a URI for the given flags. Returns true if the URI has the flags, +// and false if not (or if we weren't able to tell). +static bool +HasFlags(nsIURI* aURI, PRUint32 aURIFlags) +{ + bool hasFlags; + nsresult rv = NS_URIChainHasFlags(aURI, aURIFlags, &hasFlags); + return NS_SUCCEEDED(rv) && hasFlags; +} + NS_IMETHODIMP nsDataDocumentContentPolicy::ShouldLoad(PRUint32 aContentType, nsIURI *aContentLocation, @@ -87,21 +98,26 @@ nsDataDocumentContentPolicy::ShouldLoad(PRUint32 aContentType, } if (doc->IsBeingUsedAsImage()) { - // Allow local resources for SVG-as-an-image documents, but disallow - // everything else, to prevent data leakage - bool hasFlags; - nsresult rv = NS_URIChainHasFlags(aContentLocation, - nsIProtocolHandler::URI_IS_LOCAL_RESOURCE, - &hasFlags); - if (NS_FAILED(rv) || !hasFlags) { - // resource is not local (or we couldn't tell) - reject! + // We only allow SVG images to load content from URIs that are local and + // also satisfy one of the following conditions: + // - URI inherits security context, e.g. data URIs + // OR + // - URI loadable by subsumers, e.g. moz-filedata URIs + // Any URI that doesn't meet these requirements will be rejected below. + if (!HasFlags(aContentLocation, + nsIProtocolHandler::URI_IS_LOCAL_RESOURCE) || + (!HasFlags(aContentLocation, + nsIProtocolHandler::URI_INHERITS_SECURITY_CONTEXT) && + !HasFlags(aContentLocation, + nsIProtocolHandler::URI_LOADABLE_BY_SUBSUMERS))) { *aDecision = nsIContentPolicy::REJECT_TYPE; - // report error, if we can. + // Report error, if we can. if (node) { nsIPrincipal* requestingPrincipal = node->NodePrincipal(); nsRefPtr principalURI; - rv = requestingPrincipal->GetURI(getter_AddRefs(principalURI)); + nsresult rv = + requestingPrincipal->GetURI(getter_AddRefs(principalURI)); if (NS_SUCCEEDED(rv) && principalURI) { nsScriptSecurityManager::ReportError( nsnull, NS_LITERAL_STRING("CheckSameOriginError"), principalURI, @@ -112,8 +128,8 @@ nsDataDocumentContentPolicy::ShouldLoad(PRUint32 aContentType, doc->GetDocumentURI()) { // Check for (& disallow) recursive image-loads bool isRecursiveLoad; - rv = aContentLocation->EqualsExceptRef(doc->GetDocumentURI(), - &isRecursiveLoad); + nsresult rv = aContentLocation->EqualsExceptRef(doc->GetDocumentURI(), + &isRecursiveLoad); if (NS_FAILED(rv) || isRecursiveLoad) { NS_WARNING("Refusing to recursively load image"); *aDecision = nsIContentPolicy::REJECT_TYPE; diff --git a/layout/reftests/svg/as-image/img-blobBuilder-1.html b/layout/reftests/svg/as-image/img-blobBuilder-1.html new file mode 100644 index 00000000000..572eed811ed --- /dev/null +++ b/layout/reftests/svg/as-image/img-blobBuilder-1.html @@ -0,0 +1,37 @@ + + + + + + + + + + diff --git a/layout/reftests/svg/as-image/img-blobBuilder-2.html b/layout/reftests/svg/as-image/img-blobBuilder-2.html new file mode 100644 index 00000000000..3d0690881e6 --- /dev/null +++ b/layout/reftests/svg/as-image/img-blobBuilder-2.html @@ -0,0 +1,46 @@ + + + + + + + + + + diff --git a/layout/reftests/svg/as-image/reftest.list b/layout/reftests/svg/as-image/reftest.list index 319691044ce..c82bbc713ce 100644 --- a/layout/reftests/svg/as-image/reftest.list +++ b/layout/reftests/svg/as-image/reftest.list @@ -55,6 +55,8 @@ fails == canvas-drawImage-slice-1b.html lime100x100-ref.html # XXX all edges fuz random == img-and-image-1.html img-and-image-1-ref.svg # bug 645267 # More complex tests +== img-blobBuilder-1.html lime100x100-ref.html +== img-blobBuilder-2.html lime100x100-ref.html == img-content-outside-viewBox-1.html img-content-outside-viewBox-1-ref.html == img-dyn-1.html img-dyn-1-ref.html == img-foreignObject-1.html lime100x100-ref.html @@ -120,11 +122,11 @@ random == img-and-image-1.html img-and-image-1-ref.svg # bug 645267 # tests for external resources vs. data URIs in SVG as an image == svg-image-datauri-1.html lime100x100.svg HTTP == svg-image-datauri-1.html lime100x100.svg -fails-if(Android) == svg-image-external-1.html lime100x100.svg +== svg-image-external-1.html blue100x100.svg HTTP == svg-image-external-1.html blue100x100.svg == svg-stylesheet-datauri-1.html lime100x100.svg HTTP == svg-stylesheet-datauri-1.html lime100x100.svg -random == svg-stylesheet-external-1.html lime100x100.svg # see bug 629885 comment 9 +== svg-stylesheet-external-1.html blue100x100.svg HTTP == svg-stylesheet-external-1.html blue100x100.svg # test that :visited status is ignored in image documents