From 8c2929e38d922ac59fc2d43fc3ec939babf02530 Mon Sep 17 00:00:00 2001 From: "darin%meer.net" Date: Thu, 12 May 2005 15:20:43 +0000 Subject: [PATCH] fixes bug 290982 "Disallow viewsource:javascript and jar:viewsource URLs" r=dveditz sr=jst a=dbaron --- modules/libjar/nsJARChannel.cpp | 16 ++++++++++++++++ .../viewsource/src/nsViewSourceChannel.cpp | 11 +++++++++++ 2 files changed, 27 insertions(+) diff --git a/modules/libjar/nsJARChannel.cpp b/modules/libjar/nsJARChannel.cpp index c3a17cc3e98..2148027b5bf 100644 --- a/modules/libjar/nsJARChannel.cpp +++ b/modules/libjar/nsJARChannel.cpp @@ -227,6 +227,22 @@ nsJARChannel::Init(nsIURI *uri) { nsresult rv; mJarURI = do_QueryInterface(uri, &rv); + if (NS_FAILED(rv)) + return rv; + + // Prevent loading jar:javascript URIs (see bug 290982). + nsCOMPtr innerURI; + rv = mJarURI->GetJARFile(getter_AddRefs(innerURI)); + if (NS_FAILED(rv)) + return rv; + PRBool isJS; + rv = innerURI->SchemeIs("javascript", &isJS); + if (NS_FAILED(rv)) + return rv; + if (isJS) { + NS_WARNING("blocking jar:javascript:"); + return NS_ERROR_INVALID_ARG; + } #if defined(PR_LOGGING) mJarURI->GetSpec(mSpec); diff --git a/netwerk/protocol/viewsource/src/nsViewSourceChannel.cpp b/netwerk/protocol/viewsource/src/nsViewSourceChannel.cpp index 4409952e905..1d9237d5aa7 100644 --- a/netwerk/protocol/viewsource/src/nsViewSourceChannel.cpp +++ b/netwerk/protocol/viewsource/src/nsViewSourceChannel.cpp @@ -80,6 +80,17 @@ nsViewSourceChannel::Init(nsIURI* uri) nsCOMPtr pService(do_GetIOService(&rv)); if (NS_FAILED(rv)) return rv; + nsCAutoString scheme; + rv = pService->ExtractScheme(path, scheme); + if (NS_FAILED(rv)) + return rv; + + // prevent viewing source of javascript URIs (see bug 204779) + if (scheme.LowerCaseEqualsLiteral("javascript")) { + NS_WARNING("blocking view-source:javascript:"); + return NS_ERROR_INVALID_ARG; + } + rv = pService->NewChannel(path, nsnull, nsnull, getter_AddRefs(mChannel)); if (NS_FAILED(rv)) return rv;