mozilla
/
pjs
зеркало из https://github.com/mozilla/pjs.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 407839: restrict globalStorage to same host. r=enndeakin, sr=jst, blocking1.9=pavlov

This commit is contained in:
dcamp@mozilla.com 2008-03-18 18:27:35 -07:00
Родитель b95f5ed844
Коммит b093bd6570
5 изменённых файлов: 171 добавлений и 48 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

70
dom/src/storage/nsDOMStorage.cpp
Просмотреть файл

@ -44,6 +44,7 @@
#include "nsUnicharUtils.h"
#include "nsIDocument.h"
#include "nsDOMStorage.h"
#include "nsEscape.h"
#include "nsContentUtils.h"
#include "nsIScriptSecurityManager.h"
#include "nsIPrincipal.h"
@ -1046,12 +1047,29 @@ nsDOMStorageList::NamedItem(const nsAString& aDomain,
{
*aStorage = nsnull;
nsCAutoString requestedDomain;
nsresult rv;
// Normalize the requested domain
nsCOMPtr<nsIIDNService> idn = do_GetService(NS_IDNSERVICE_CONTRACTID);
if (idn) {
rv = idn->ConvertUTF8toACE(NS_ConvertUTF16toUTF8(aDomain),
requestedDomain);
NS_ENSURE_SUCCESS(rv, rv);
} else {
// Don't have the IDN service, best we can do is URL escape.
NS_EscapeURL(NS_ConvertUTF16toUTF8(aDomain),
esc_OnlyNonASCII | esc_AlwaysCopy,
requestedDomain);
}
ToLowerCase(requestedDomain);
nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
if (!ssm)
return NS_ERROR_FAILURE;
nsCOMPtr<nsIPrincipal> subjectPrincipal;
nsresult rv = ssm->GetSubjectPrincipal(getter_AddRefs(subjectPrincipal));
rv = ssm->GetSubjectPrincipal(getter_AddRefs(subjectPrincipal));
NS_ENSURE_SUCCESS(rv, rv);
nsCOMPtr<nsIURI> uri;
@ -1082,7 +1100,8 @@ nsDOMStorageList::NamedItem(const nsAString& aDomain,
isSystem = PR_TRUE;
if (isSystem || !currentDomain.IsEmpty()) {
return GetStorageForDomain(uri, aDomain, NS_ConvertUTF8toUTF16(currentDomain),
return GetStorageForDomain(uri, NS_ConvertUTF8toUTF16(requestedDomain),
NS_ConvertUTF8toUTF16(currentDomain),
isSystem, aStorage);
}
@ -1094,44 +1113,7 @@ PRBool
nsDOMStorageList::CanAccessDomain(const nsAString& aRequestedDomain,
const nsAString& aCurrentDomain)
{
PRNetAddr address;
PRStatus status = PR_StringToNetAddr(NS_ConvertUTF16toUTF8(aCurrentDomain).get(), &address);
if (status == PR_SUCCESS) {
// An IP address must match exactly. IPv6: when location is e.g. "::1" and we require
// "0:0:0:0:0:1" then access will be denied.
return aRequestedDomain == aCurrentDomain;
}
nsStringArray requestedDomainArray, currentDomainArray;
PRBool ok = ConvertDomainToArray(aRequestedDomain, &requestedDomainArray);
if (!ok)
return PR_FALSE;
ok = ConvertDomainToArray(aCurrentDomain, &currentDomainArray);
if (!ok)
return PR_FALSE;
if (currentDomainArray.Count() == 1)
currentDomainArray.AppendString(NS_LITERAL_STRING("localdomain"));
// need to use the shorter of the two arrays
PRInt32 currentPos = 0;
PRInt32 requestedPos = 0;
PRInt32 length = requestedDomainArray.Count();
if (currentDomainArray.Count() > length)
currentPos = currentDomainArray.Count() - length;
else if (currentDomainArray.Count() < length)
requestedPos = length - currentDomainArray.Count();
// If the current domain is different in any of the parts from the
// requested domain, a security exception is raised
for (; requestedPos < length; requestedPos++, currentPos++) {
if (*requestedDomainArray[requestedPos] != *currentDomainArray[currentPos])
return PR_FALSE;
}
return PR_TRUE;
return aRequestedDomain.Equals(aCurrentDomain);
}
nsresult
@ -1141,14 +1123,6 @@ nsDOMStorageList::GetStorageForDomain(nsIURI* aURI,
PRBool aNoCurrentDomainCheck,
nsIDOMStorage** aStorage)
{
// fail if the domain contains no periods.
// XXXndeakin update this when bug 342314 is fixed so that we can check
// for top-level domain names properly
nsAutoString trimmedDomain(aRequestedDomain);
trimmedDomain.Trim(".");
if (trimmedDomain.FindChar('.') == kNotFound)
return NS_ERROR_DOM_SECURITY_ERR;
if (!aNoCurrentDomainCheck && !CanAccessDomain(aRequestedDomain,
aCurrentDomain)) {
return NS_ERROR_DOM_SECURITY_ERR;

3
dom/tests/mochitest/bugs/Makefile.in
Просмотреть файл

@ -65,6 +65,9 @@ _TEST_FILES = \
test_bug397571.html \
test_bug400204.html \
test_bug404748.html \
test_bug407839.html \
iframe_bug407839-1.html \
iframe_bug407839-2.html \
test_bug409349.html \
iframe_bug409349.html \
test_bug411103.html \

68
dom/tests/mochitest/bugs/iframe_bug407839-1.html Normal file
Просмотреть файл

@ -0,0 +1,68 @@
<!DOCTYPE html>
<html>
<head>
<title>Child window at test1.example.org</title>
<script type="application/javascript">
function run()
{
var storage;
var message = "child-response";
// This script expects to be loaded as test1.example.org
if (window.location.host != "test1.example.org") {
message += "\n child not loaded as test1.example.org";
}
try {
storage = globalStorage["test1.example.org"];
}
catch (ex) {
message += "\n failed globalStorage[\"test1.example.org\"]";
}
try {
storage = globalStorage["test1.EXAMPLE.ORG"];
}
catch (ex) {
message += "\n failed globalStorage[\"test1.EXAMPLE.ORG\"]";
}
try {
storage = globalStorage["example.org"];
message += "\n passed globalStorage[\"example.org\"]";
}
catch (ex) {
}
try {
storage = globalStorage["org"];
message += "\n passed globalStorage[\"org\"]";
}
catch (ex) {
}
try {
storage = globalStorage["test2.test1.example.org"];
message += "\n passed globalStorage[\"test2.test1.example.org\"]";
}
catch (ex) {
}
try {
storage = globalStorage[""];
message += "\n passed globalStorage[\"\"]";
}
catch (ex) {
}
window.parent.postMessage(message);
}
window.addEventListener("load", run, false);
</script>
</head>
<body>
</body>
</html>

34
dom/tests/mochitest/bugs/iframe_bug407839-2.html Normal file
Просмотреть файл

@ -0,0 +1,34 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
<title>Child window at sub1.ält.example.org</title>
<script type="application/javascript">
function run()
{
var storage;
var message = "child-response";
// This script expects to be loaded as sub1.ält.example.org
if (window.location.host != "sub1.ält.example.org:8000") {
message += "\n child not loaded as sub1.ält.example.org:8000";
}
try {
storage = globalStorage["sub1.ält.example.org"];
}
catch (ex) {
message += "\n failed globalStorage[sub1.ält.example.org]";
}
window.parent.postMessage(message);
}
window.addEventListener("load", run, false);
</script>
</head>
<body>
</body>
</html>

44
dom/tests/mochitest/bugs/test_bug407839.html Normal file
Просмотреть файл

@ -0,0 +1,44 @@
<!DOCTYPE HTML>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=407839
-->
<head>
<title>Test for Bug 407839</title>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
<script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
<script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
</head>
<body>
<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=407839">Mozilla Bug 407839</a>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<iframe name="child" src="http://TEST1.example.org/tests/dom/tests/mochitest/bugs/iframe_bug407839-1.html"></iframe>
<iframe name="idn" src="http://sub1.ält.example.org:8000/tests/dom/tests/mochitest/bugs/iframe_bug407839-2.html"></iframe>
<pre id="test">
<script class="testbody" type="text/javascript">
/** Test for Bug 407839 **/
SimpleTest.waitForExplicitFinish();
var gNumMessages = 0;
function receiveMessage(evt)
{
is(evt.data, "child-response", "got wrong response");
if (++gNumMessages == 2) {
SimpleTest.finish();
}
}
document.addEventListener("message", receiveMessage, false);
</script>
</pre>
</body>
</html>