From 934bdc87654f7a27904ed6a88a3bcc96182d8489 Mon Sep 17 00:00:00 2001
From: Daniel Holbert <dholbert@cs.stanford.edu>
Date: Wed, 22 Jun 2011 22:21:47 -0700
Subject: [PATCH] Bug 665209: Disable recursive image loads in content(). r=bz

---
 content/base/src/nsDataDocumentContentPolicy.cpp | 14 ++++++++++++--
 layout/style/crashtests/665209-1.html            | 16 ++++++++++++++++
 layout/style/crashtests/crashtests.list          |  1 +
 3 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 layout/style/crashtests/665209-1.html

diff --git a/content/base/src/nsDataDocumentContentPolicy.cpp b/content/base/src/nsDataDocumentContentPolicy.cpp
index 36eec6bc5b3..bca3bdc19a0 100644
--- a/content/base/src/nsDataDocumentContentPolicy.cpp
+++ b/content/base/src/nsDataDocumentContentPolicy.cpp
@@ -86,9 +86,9 @@ nsDataDocumentContentPolicy::ShouldLoad(PRUint32 aContentType,
     return NS_OK;
   }
 
-  // Allow local resources for SVG-as-an-image documents, but disallow
-  // everything else, to prevent data leakage
   if (doc->IsBeingUsedAsImage()) {
+    // Allow local resources for SVG-as-an-image documents, but disallow
+    // everything else, to prevent data leakage
     PRBool hasFlags;
     nsresult rv = NS_URIChainHasFlags(aContentLocation,
                                       nsIProtocolHandler::URI_IS_LOCAL_RESOURCE,
@@ -108,6 +108,16 @@ nsDataDocumentContentPolicy::ShouldLoad(PRUint32 aContentType,
             aContentLocation);
         }
       }
+    } else if (aContentType == nsIContentPolicy::TYPE_IMAGE &&
+               doc->GetDocumentURI()) {
+      // Check for (& disallow) recursive image-loads
+      PRBool isRecursiveLoad;
+      rv = aContentLocation->EqualsExceptRef(doc->GetDocumentURI(),
+                                             &isRecursiveLoad);
+      if (NS_FAILED(rv) || isRecursiveLoad) {
+        NS_WARNING("Refusing to recursively load image");
+        *aDecision = nsIContentPolicy::REJECT_TYPE;
+      }
     }
     return NS_OK;
   }
diff --git a/layout/style/crashtests/665209-1.html b/layout/style/crashtests/665209-1.html
new file mode 100644
index 00000000000..30e8055ebb6
--- /dev/null
+++ b/layout/style/crashtests/665209-1.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html class="reftest-wait">
+<head>
+<script>
+function boom()
+{
+  var w = '<div xmlns="http://www.w3.org/1999/xhtml" style="content: url(#);" />';
+  var v = 'url("data:image/svg+xml,' + encodeURIComponent(w) + '")';
+  document.documentElement.style.content = v;
+  document.documentElement.className = "";
+}
+</script>
+</head>
+
+<body onload="boom();"></body>
+</html>
diff --git a/layout/style/crashtests/crashtests.list b/layout/style/crashtests/crashtests.list
index f02b5681d09..bae023528f9 100644
--- a/layout/style/crashtests/crashtests.list
+++ b/layout/style/crashtests/crashtests.list
@@ -68,3 +68,4 @@ load 605689-1.html
 load 645142.html
 load 611922-1.html
 == 645951-1.html 645951-1-ref.html
+load 665209-1.html