Bug 407839: restrict globalStorage to same host. r=enndeakin, sr=jst, blocking1.9=pavlov

dom/src/storage/nsDOMStorage.cpp

@@ -44,6 +44,7 @@
 #include "nsUnicharUtils.h"
 #include "nsIDocument.h"
 #include "nsDOMStorage.h"
+#include "nsEscape.h"
 #include "nsContentUtils.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsIPrincipal.h"
@@ -1046,12 +1047,29 @@ nsDOMStorageList::NamedItem(const nsAString& aDomain,
 {
   *aStorage = nsnull;
 
+  nsCAutoString requestedDomain;
+
+  nsresult rv;
+  // Normalize the requested domain
+  nsCOMPtr<nsIIDNService> idn = do_GetService(NS_IDNSERVICE_CONTRACTID);
+  if (idn) {
+    rv = idn->ConvertUTF8toACE(NS_ConvertUTF16toUTF8(aDomain),
+                               requestedDomain);
+    NS_ENSURE_SUCCESS(rv, rv);
+  } else {
+    // Don't have the IDN service, best we can do is URL escape.
+    NS_EscapeURL(NS_ConvertUTF16toUTF8(aDomain),
+                 esc_OnlyNonASCII | esc_AlwaysCopy,
+                 requestedDomain);
+  }
+  ToLowerCase(requestedDomain);
+
   nsIScriptSecurityManager* ssm = nsContentUtils::GetSecurityManager();
   if (!ssm)
     return NS_ERROR_FAILURE;
 
   nsCOMPtr<nsIPrincipal> subjectPrincipal;
-  nsresult rv = ssm->GetSubjectPrincipal(getter_AddRefs(subjectPrincipal));
+  rv = ssm->GetSubjectPrincipal(getter_AddRefs(subjectPrincipal));
   NS_ENSURE_SUCCESS(rv, rv);
 
   nsCOMPtr<nsIURI> uri;
@@ -1082,7 +1100,8 @@ nsDOMStorageList::NamedItem(const nsAString& aDomain,
     isSystem = PR_TRUE;
 
   if (isSystem || !currentDomain.IsEmpty()) {
-    return GetStorageForDomain(uri, aDomain, NS_ConvertUTF8toUTF16(currentDomain),
+    return GetStorageForDomain(uri, NS_ConvertUTF8toUTF16(requestedDomain),
+                               NS_ConvertUTF8toUTF16(currentDomain),
                                isSystem, aStorage);
   }
 
@@ -1094,44 +1113,7 @@ PRBool
 nsDOMStorageList::CanAccessDomain(const nsAString& aRequestedDomain,
                                   const nsAString& aCurrentDomain)
 {
-  PRNetAddr address;
+  return aRequestedDomain.Equals(aCurrentDomain);
-  PRStatus status = PR_StringToNetAddr(NS_ConvertUTF16toUTF8(aCurrentDomain).get(), &address);
-
-  if (status == PR_SUCCESS) {
-    // An IP address must match exactly. IPv6: when location is e.g. "::1" and we require
-    // "0:0:0:0:0:1" then access will be denied.
-    return aRequestedDomain == aCurrentDomain;
-  }
-
-  nsStringArray requestedDomainArray, currentDomainArray;
-  PRBool ok = ConvertDomainToArray(aRequestedDomain, &requestedDomainArray);
-  if (!ok)
-    return PR_FALSE;
-
-  ok = ConvertDomainToArray(aCurrentDomain, &currentDomainArray);
-  if (!ok)
-    return PR_FALSE;
-
-  if (currentDomainArray.Count() == 1)
-    currentDomainArray.AppendString(NS_LITERAL_STRING("localdomain"));
-
-  // need to use the shorter of the two arrays
-  PRInt32 currentPos = 0;
-  PRInt32 requestedPos = 0;
-  PRInt32 length = requestedDomainArray.Count();
-  if (currentDomainArray.Count() > length)
-    currentPos = currentDomainArray.Count() - length;
-  else if (currentDomainArray.Count() < length)
-    requestedPos = length - currentDomainArray.Count();
-
-  // If the current domain is different in any of the parts from the
-  // requested domain, a security exception is raised
-  for (; requestedPos < length; requestedPos++, currentPos++) {
-    if (*requestedDomainArray[requestedPos] != *currentDomainArray[currentPos])
-      return PR_FALSE;
-  }
-
-  return PR_TRUE;
 }
 
 nsresult
@@ -1141,14 +1123,6 @@ nsDOMStorageList::GetStorageForDomain(nsIURI* aURI,
                                       PRBool aNoCurrentDomainCheck,
                                       nsIDOMStorage** aStorage)
 {
-  // fail if the domain contains no periods.
-  // XXXndeakin update this when bug 342314 is fixed so that we can check
-  // for top-level domain names properly
-  nsAutoString trimmedDomain(aRequestedDomain);
-  trimmedDomain.Trim(".");
-  if (trimmedDomain.FindChar('.') == kNotFound)
-    return NS_ERROR_DOM_SECURITY_ERR;
-
   if (!aNoCurrentDomainCheck && !CanAccessDomain(aRequestedDomain,
                                                  aCurrentDomain)) {
     return NS_ERROR_DOM_SECURITY_ERR;

dom/tests/mochitest/bugs/Makefile.in

@@ -65,6 +65,9 @@ _TEST_FILES	= \
 		test_bug397571.html \
 		test_bug400204.html \
 		test_bug404748.html \
+		test_bug407839.html \
+		iframe_bug407839-1.html \
+		iframe_bug407839-2.html \
 		test_bug409349.html \
 		iframe_bug409349.html \
 		test_bug411103.html \

dom/tests/mochitest/bugs/iframe_bug407839-1.html

@@ -0,0 +1,68 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Child window at test1.example.org</title>
+  <script type="application/javascript">
+
+function run()
+{
+  var storage;
+
+  var message = "child-response";
+
+  // This script expects to be loaded as test1.example.org
+  if (window.location.host != "test1.example.org") {
+    message += "\n child not loaded as test1.example.org";
+  }
+
+  try {
+    storage = globalStorage["test1.example.org"];
+  }
+  catch (ex) {
+    message += "\n failed globalStorage[\"test1.example.org\"]";
+  }
+
+  try {
+    storage = globalStorage["test1.EXAMPLE.ORG"];
+  }
+  catch (ex) {
+    message += "\n failed globalStorage[\"test1.EXAMPLE.ORG\"]";
+  }
+
+  try {
+    storage = globalStorage["example.org"];
+    message += "\n passed globalStorage[\"example.org\"]";
+  }
+  catch (ex) {
+  }
+
+  try {
+    storage = globalStorage["org"];
+    message += "\n passed globalStorage[\"org\"]";
+  }
+  catch (ex) {
+  }
+
+  try {
+    storage = globalStorage["test2.test1.example.org"];
+    message += "\n passed globalStorage[\"test2.test1.example.org\"]";
+  }
+  catch (ex) {
+  }
+
+  try {
+    storage = globalStorage[""];
+    message += "\n passed globalStorage[\"\"]";
+  }
+  catch (ex) {
+  }
+
+  window.parent.postMessage(message);
+}
+
+window.addEventListener("load", run, false);
+  </script>
+</head>
+<body>
+</body>
+</html>

dom/tests/mochitest/bugs/iframe_bug407839-2.html

@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
+  <title>Child window at sub1.ält.example.org</title>
+  <script type="application/javascript">
+
+function run()
+{
+  var storage;
+
+  var message = "child-response";
+
+  // This script expects to be loaded as sub1.ält.example.org
+  if (window.location.host != "sub1.ält.example.org:8000") {
+    message += "\n child not loaded as sub1.ält.example.org:8000";
+  }
+
+  try {
+    storage = globalStorage["sub1.ält.example.org"];
+  }
+  catch (ex) {
+    message += "\n failed globalStorage[sub1.ält.example.org]";
+  }
+
+  window.parent.postMessage(message);
+}
+
+window.addEventListener("load", run, false);
+  </script>
+</head>
+<body>
+</body>
+</html>

dom/tests/mochitest/bugs/test_bug407839.html

@@ -0,0 +1,44 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=407839
+-->
+<head>
+  <title>Test for Bug 407839</title>
+  <meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
+  <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>        
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=407839">Mozilla Bug 407839</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  
+</div>
+
+<iframe name="child" src="http://TEST1.example.org/tests/dom/tests/mochitest/bugs/iframe_bug407839-1.html"></iframe>
+<iframe name="idn" src="http://sub1.ält.example.org:8000/tests/dom/tests/mochitest/bugs/iframe_bug407839-2.html"></iframe>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+/** Test for Bug 407839 **/
+
+SimpleTest.waitForExplicitFinish();
+
+var gNumMessages = 0;
+
+function receiveMessage(evt)
+{
+  is(evt.data, "child-response", "got wrong response");
+
+  if (++gNumMessages == 2) {
+    SimpleTest.finish();
+  }
+}
+
+document.addEventListener("message", receiveMessage, false);
+
+</script>
+</pre>
+</body>
+</html>