b=193170 PSM must disallow using NSS database with wrong profile

r=ccarlen sr=jag a=asa

profile/public/nsIProfileChangeStatus.idl

@@ -127,6 +127,17 @@
 interface nsIProfileChangeStatus : nsISupports {
         
     void vetoChange();
+    
+   /**
+    * Called by a profile change observer when a fatal error
+    * occurred during the attempt to switch the profile.
+    *
+    * The profile should be considered in an unsafe condition,
+    * and the profile manager should inform the user and
+    * exit immediately.
+    *
+    */
+    void changeFailed();
 
 };
 

profile/resources/content/profileSelection.js

@@ -229,6 +229,7 @@ function onStart()
   catch (ex) {
 	  var brandName = gBrandBundle.getString("brandShortName");    
     var message;
+    var fatalError = false;
     switch (ex.result) {
       case Components.results.NS_ERROR_FILE_ACCESS_DENIED:
         message = gProfileManagerBundle.getFormattedString("profDirLocked", [brandName, profilename]);
@@ -238,11 +239,24 @@ function onStart()
         message = gProfileManagerBundle.getFormattedString("profDirMissing", [brandName, profilename]);
         message = message.replace(/\s*<html:br\/>/g,"\n");
         break;
+      case Components.results.NS_ERROR_ABORT:
+        message = gProfileManagerBundle.getFormattedString("profileSwitchFailed", [brandName, profilename, brandName, brandName]);
+        message = message.replace(/\s*<html:br\/>/g,"\n");
+        fatalError = true;
+        break;
       default:
         message = ex.message;
         break;
   }
       promptService.alert(window, null, message);
+
+      if (fatalError)
+      {
+        var appShellService = Components.classes["@mozilla.org/appshell/appShellService;1"]
+                              .getService(Components.interfaces.nsIAppShellService);
+        appShellService.quit(Components.interfaces.nsIAppShellService.eForceQuit);
+      }
+
       return false;
   }
   

profile/resources/locale/en-US/profileManager.properties

@@ -38,6 +38,7 @@ profileExists=A profile with this name already exists. Please choose another nam
 profileExistsTitle=Profile Exists
 profDirMissing=%S cannot use the profile "%S" because the directory containing the profile cannot be found.<html:br/><html:br/> Please choose another profile or create a new one.
 profDirLocked=%S cannot use the profile "%S" because it is in use.<html:br/><html:br/> Please choose another profile or create a new one.
+profileSwitchFailed=%S cannot switch to profile "%S" automatically.<html:br/><html:br/>%S will now exit.<html:br/><html:br/>Please start %S again.
 
 
 sourceProfileDirMissing=This profile cannot be migrated because the directory containing the profile information could not be found. Choose another profile or create a new one.

profile/src/nsProfile.cpp

@@ -246,6 +246,9 @@ nsProfile::nsProfile()
     mIsContentLocaleSpecified = PR_FALSE;
     
     mShutdownProfileToreDownNetwork = PR_FALSE;
+    
+    mProfileChangeVetoed = PR_FALSE;
+    mProfileChangeFailed = PR_FALSE;
 }
 
 nsProfile::~nsProfile() 
@@ -1217,6 +1220,8 @@ nsProfile::SetCurrentProfile(const PRUnichar * aCurrentProfile)
         
         // Phase 3: Notify observers of a profile change
         observerService->NotifyObservers(subject, "profile-before-change", context.get());        
+        if (mProfileChangeFailed)
+          return NS_ERROR_ABORT;
         
         UpdateCurrentProfileModTime(PR_FALSE);        
     }
@@ -1245,21 +1250,29 @@ nsProfile::SetCurrentProfile(const PRUnichar * aCurrentProfile)
         // Bring network back online
         observerService->NotifyObservers(subject, "profile-change-net-restore", context.get());
         mShutdownProfileToreDownNetwork = PR_FALSE;
+        if (mProfileChangeFailed)
+          return NS_ERROR_ABORT;
     }
 
     // Phase 4: Notify observers that the profile has changed - Here they respond to new profile
     observerService->NotifyObservers(subject, "profile-do-change", context.get());
+    if (mProfileChangeFailed)
+      return NS_ERROR_ABORT;
 
     // Phase 5: Now observers can respond to something another observer did in phase 4
     observerService->NotifyObservers(subject, "profile-after-change", context.get());
-      
+    if (mProfileChangeFailed)
+      return NS_ERROR_ABORT;
+
     // Now that a profile is established, set the profile defaults dir for the locale of this profile
     rv = DefineLocaleDefaultsDir();
     NS_ASSERTION(NS_SUCCEEDED(rv), "nsProfile::DefineLocaleDefaultsDir failed");
 
     // Phase 6: One last notification after the new profile is established
     observerService->NotifyObservers(subject, "profile-initial-state", context.get());
-      
+    if (mProfileChangeFailed)
+      return NS_ERROR_ABORT;
+
     return NS_OK;
 }
 
@@ -2460,6 +2473,11 @@ NS_IMETHODIMP nsProfile::VetoChange()
     return NS_OK;
 }
 
+NS_IMETHODIMP nsProfile::ChangeFailed()
+{
+    mProfileChangeFailed = PR_TRUE;
+    return NS_OK;
+}
 
 NS_IMETHODIMP
 nsProfile::GetRegStrings(const PRUnichar *aProfileName, 

profile/src/nsProfile.h

@@ -90,6 +90,7 @@ private:
     PRBool mOutofDiskSpace;
     PRBool mDiskSpaceErrorQuitCalled;
     PRBool mProfileChangeVetoed;
+    PRBool mProfileChangeFailed;
 
     nsString mCurrentProfileName;
     PRBool mCurrentProfileAvailable;

security/manager/ssl/src/nsNSSComponent.cpp

@@ -1033,7 +1033,7 @@ nsNSSComponent::TryCFM2MachOMigration(nsIFile *cfmPath, nsIFile *machoPath)
 #endif
 
 nsresult
-nsNSSComponent::InitializeNSS()
+nsNSSComponent::InitializeNSS(PRBool showWarningBox)
 {
   // Can be called both during init and profile change.
   // Needs mutex protection.
@@ -1215,7 +1215,9 @@ nsNSSComponent::InitializeNSS()
 
     // We might want to use different messages, depending on what failed.
     // For now, let's use the same message.
-    ShowAlert(ai_nss_init_problem);
+    if (showWarningBox) {
+      ShowAlert(ai_nss_init_problem);
+    }
   }
 
   return NS_OK;
@@ -1230,6 +1232,7 @@ nsNSSComponent::ShutdownNSS()
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("nsNSSComponent::ShutdownNSS\n"));
 
   nsAutoLock lock(mutex);
+  nsresult rv = NS_OK;
 
   if (hashTableCerts) {
     PL_HashTableEnumerateEntries(hashTableCerts, certHashtable_clearEntry, 0);
@@ -1252,13 +1255,14 @@ nsNSSComponent::ShutdownNSS()
     mShutdownObjectList->evaporateAllNSSResources();
     if (SECSuccess != ::NSS_Shutdown()) {
       PR_LOG(gPIPNSSLog, PR_LOG_ALWAYS, ("NSS SHUTDOWN FAILURE\n"));
+      rv = NS_ERROR_FAILURE;
     }
     else {
       PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("NSS shutdown =====>> OK <<=====\n"));
     }
   }
 
-  return NS_OK;
+  return rv;
 }
  
 NS_IMETHODIMP
@@ -1284,7 +1288,7 @@ nsNSSComponent::Init()
   // Do that before NSS init, to make sure we won't get unloaded.
   RegisterObservers();
 
-  rv = InitializeNSS();
+  rv = InitializeNSS(PR_TRUE); // ok to show a warning box on failure
   if (NS_FAILED(rv)) {
     PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("Unable to Initialize NSS.\n"));
     return rv;
@@ -1607,7 +1611,12 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
     StopCRLUpdateTimer();
 
     if (needsCleanup) {
-      ShutdownNSS();
+      if (NS_FAILED(ShutdownNSS())) {
+        nsCOMPtr<nsIProfileChangeStatus> status = do_QueryInterface(aSubject);
+        if (status) {
+          status->ChangeFailed();
+        }
+      }
     }
     mShutdownObjectList->allowUI();
 
@@ -1627,8 +1636,12 @@ nsNSSComponent::Observe(nsISupports *aSubject, const char *aTopic,
     }
     
     if (needsInit) {
-      if (NS_FAILED(InitializeNSS())) {
+      if (NS_FAILED(InitializeNSS(PR_FALSE))) { // do not show a warning box on failure
         PR_LOG(gPIPNSSLog, PR_LOG_ERROR, ("Unable to Initialize NSS after profile switch.\n"));
+        nsCOMPtr<nsIProfileChangeStatus> status = do_QueryInterface(aSubject);
+        if (status) {
+          status->ChangeFailed();
+        }
       }
     }
 

security/manager/ssl/src/nsNSSComponent.h

@@ -176,7 +176,7 @@ public:
 
 private:
 
-  nsresult InitializeNSS();
+  nsresult InitializeNSS(PRBool showWarningBox);
   nsresult ShutdownNSS();
 
 #ifdef XP_MACOSX