Bug 665209: Disable recursive image loads in content(). r=bz

content/base/src/nsDataDocumentContentPolicy.cpp

@@ -86,9 +86,9 @@ nsDataDocumentContentPolicy::ShouldLoad(PRUint32 aContentType,
     return NS_OK;
   }
 
+  if (doc->IsBeingUsedAsImage()) {
     // Allow local resources for SVG-as-an-image documents, but disallow
     // everything else, to prevent data leakage
-  if (doc->IsBeingUsedAsImage()) {
     PRBool hasFlags;
     nsresult rv = NS_URIChainHasFlags(aContentLocation,
                                       nsIProtocolHandler::URI_IS_LOCAL_RESOURCE,
@@ -108,6 +108,16 @@ nsDataDocumentContentPolicy::ShouldLoad(PRUint32 aContentType,
             aContentLocation);
         }
       }
+    } else if (aContentType == nsIContentPolicy::TYPE_IMAGE &&
+               doc->GetDocumentURI()) {
+      // Check for (& disallow) recursive image-loads
+      PRBool isRecursiveLoad;
+      rv = aContentLocation->EqualsExceptRef(doc->GetDocumentURI(),
+                                             &isRecursiveLoad);
+      if (NS_FAILED(rv) || isRecursiveLoad) {
+        NS_WARNING("Refusing to recursively load image");
+        *aDecision = nsIContentPolicy::REJECT_TYPE;
+      }
     }
     return NS_OK;
   }

layout/style/crashtests/665209-1.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html class="reftest-wait">
+<head>
+<script>
+function boom()
+{
+  var w = '<div xmlns="http://www.w3.org/1999/xhtml" style="content: url(#);" />';
+  var v = 'url("data:image/svg+xml,' + encodeURIComponent(w) + '")';
+  document.documentElement.style.content = v;
+  document.documentElement.className = "";
+}
+</script>
+</head>
+
+<body onload="boom();"></body>
+</html>

layout/style/crashtests/crashtests.list

@@ -68,3 +68,4 @@ load 605689-1.html
 load 645142.html
 load 611922-1.html
 == 645951-1.html 645951-1-ref.html
+load 665209-1.html