Checking in for mccabe, since he had to leave town. Partial fix for bug 41429. Adding a new interface that components can implement to control the capabilities needed for XPConnect access to them - default is UniversalXPConnect. r=vidur

2000-06-23 14:32:38 +00:00 · 2000-06-23 14:32:38 +00:00 · b22731f07d
--- a/caps/idl/MANIFEST
+++ b/caps/idl/MANIFEST
@ -1,6 +0,0 @@
-nsICertificatePrincipal.idl
-nsICodebasePrincipal.idl
-nsIPrincipal.idl
-nsIScriptSecurityManager.idl
-nsISignatureVerifier.idl
-
--- a/caps/idl/Makefile.in
+++ b/caps/idl/Makefile.in
@ -35,6 +35,7 @@ XPIDLSRCS	= \
 		nsICertificatePrincipal.idl \
 		nsIAggregatePrincipal.idl \
 		nsISignatureVerifier.idl \
+		nsISecurityCheckedComponent.idl \
 		$(NULL)

 include $(topsrcdir)/config/rules.mk
--- a/caps/idl/makefile.win
+++ b/caps/idl/makefile.win
@ -1,35 +0,0 @@
-#!gmake
-#
-# The contents of this file are subject to the Netscape Public
-# License Version 1.1 (the "License"); you may not use this file
-# except in compliance with the License. You may obtain a copy of
-# the License at http://www.mozilla.org/NPL/
-#
-# Software distributed under the License is distributed on an "AS
-# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-# implied. See the License for the specific language governing
-# rights and limitations under the License.
-#
-# The Original Code is mozilla.org code.
-#
-# The Initial Developer of the Original Code is Netscape
-# Communications Corporation.  Portions created by Netscape are
-# Copyright (C) 1999 Netscape Communications Corporation. All
-# Rights Reserved.
-#
-# Contributor(s): 
-
-DEPTH=..\..
-
-MODULE=caps
-
-XPIDLSRCS=                                \
-           .\nsIScriptSecurityManager.idl \
-           .\nsIPrincipal.idl             \
-           .\nsICertificatePrincipal.idl  \
-           .\nsICodebasePrincipal.idl     \
-           .\nsIAggregatePrincipal.idl    \
-           .\nsISignatureVerifier.idl     \
-            $(NULL)
-
-include <$(DEPTH)\config\rules.mak>
--- a/caps/idl/nsISecurityCheckedComponent.idl
+++ b/caps/idl/nsISecurityCheckedComponent.idl
@ -0,0 +1,49 @@
+/* -*- Mode: IDL; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+ *
+ * The contents of this file are subject to the Netscape Public
+ * License Version 1.1 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of
+ * the License at http://www.mozilla.org/NPL/
+ *
+ * Software distributed under the License is distributed on an "AS
+ * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * rights and limitations under the License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is Netscape
+ * Communications Corporation.  Portions created by Netscape are
+ * Copyright (C) 1998 Netscape Communications Corporation. All
+ * Rights Reserved.
+ *
+ * Contributor(s): 
+ */
+
+/*
+ * Interface checked by caps to determine the capability needed to
+ * call methods on a component from potentially untrusted code.
+ *
+ * See also foo, which advertises whether untrusted code can get
+ * services and create instances.
+*/
+
+#include "nsISupports.idl"
+
+/**
+ * Each method of this interface should return a string representing the
+ * script capability needed to perform the operation on the target component.
+ *
+ * Return values of 'AllAccess' or 'NoAccess' unconditionally allow or deny
+ * access to the operation.
+ */
+[uuid(0dad9e8c-a12d-4dcb-9a6f-7d09839356e1)]
+interface nsISecurityCheckedComponent : nsISupports {
+  string canCreateWrapper(in nsIIDPtr iid);
+  string canCallMethod(in nsIIDPtr iid, in wstring methodName);
+  string canGetProperty(in nsIIDPtr iid, in wstring propertyName);
+  string canSetProperty(in nsIIDPtr iid, in wstring propertyName);
+};
+
+// could put %{ block here containing macro'ed implementations of this
+// interface for component developers' convenience.
--- a/caps/include/nsScriptSecurityManager.h
+++ b/caps/include/nsScriptSecurityManager.h
@ -121,6 +121,9 @@ private:
    GetPrefName(nsIPrincipal *principal, nsDOMProp domProp, 
                nsCString &result);

+    nsresult 
+    CheckXPCCapability(JSContext *aJSContext, const char *aCapability);
+ 
    NS_IMETHOD
    CheckXPCPermissions(JSContext *cx, nsISupports* aObj);

--- a/caps/src/nsScriptSecurityManager.cpp
+++ b/caps/src/nsScriptSecurityManager.cpp
@ -90,6 +90,8 @@ GetCurrentContext() {
    return cx;
 }

+#if 0
+// unused.
 static JSContext *
 GetSafeContext() {
    // Get the "safe" JSContext: our JSContext of last resort
@ -104,8 +106,7 @@ GetSafeContext() {
        return nsnull;
    return cx;
 }
-
-
+#endif

 static nsDOMProp 
 findDomProp(const char *propName, int n);
@ -1229,28 +1230,95 @@ nsScriptSecurityManager::SetCanEnableCapability(const char* certificateID,
 // Methods implementing nsIXPCSecurityManager //
 ////////////////////////////////////////////////

+#include "nsISecurityCheckedComponent.h"
+
+nsresult
+nsScriptSecurityManager::CheckXPCCapability(JSContext *aJSContext, const char *aCapability) 
+{
+    // Check for the carte blanche before anything else.
+    if (aCapability) {
+        if (PL_strcasecmp(aCapability, "AllAccess") == 0)
+            return NS_OK;
+        else if (PL_strcasecmp(aCapability, "NoAccess") != 0) {
+            PRBool canAccess;
+            if (NS_FAILED(IsCapabilityEnabled(aCapability, &canAccess)))
+                return NS_ERROR_FAILURE;
+            if (canAccess)
+                return NS_OK;
+        }
+    }
+
+    static const char msg[] = "Access to XPConnect service denied.";
+    JS_SetPendingException(aJSContext, 
+                           STRING_TO_JSVAL(JS_NewStringCopyZ(aJSContext, msg)));
+    return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
+}    
+
 NS_IMETHODIMP
 nsScriptSecurityManager::CanCreateWrapper(JSContext *aJSContext, 
                                          const nsIID &aIID, 
                                          nsISupports *aObj)
 {
-	if (aIID.Equals(NS_GET_IID(nsIXPCException)))
-		return NS_OK;		
-    return CheckXPCPermissions(aJSContext, aObj);
+    // XXX could un-special-case-this
+    if (aIID.Equals(NS_GET_IID(nsIXPCException)))
+        return NS_OK;		
+
+    nsresult rv;
+    rv = CheckXPCPermissions(aJSContext, aObj);
+    if (NS_SUCCEEDED(rv))
+        return rv;
+
+    // If check fails, QI to interface that lets scomponents advertise
+    // their own security requirements.
+    nsCOMPtr<nsISecurityCheckedComponent> checkedComponent =
+        do_QueryInterface(aObj, &rv);
+
+    nsXPIDLCString capability;
+    if (NS_SUCCEEDED(rv) && checkedComponent) {
+        checkedComponent->CanCreateWrapper((nsIID *)&aIID,
+                                           getter_Copies(capability));
+    }
+
+    return CheckXPCCapability(aJSContext, capability);
 }

 NS_IMETHODIMP
 nsScriptSecurityManager::CanCreateInstance(JSContext *aJSContext, 
                                           const nsCID &aCID)
 {
-    return CheckXPCPermissions(aJSContext, nsnull);
+    nsresult rv;
+    rv = CheckXPCPermissions(aJSContext, nsnull);
+    if (NS_SUCCEEDED(rv))
+        return rv;
+
+    static const char msg[] = "Access to XPConnect service denied.";
+    JS_SetPendingException(aJSContext, 
+                           STRING_TO_JSVAL(JS_NewStringCopyZ(aJSContext, msg)));
+    return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
 }

 NS_IMETHODIMP
 nsScriptSecurityManager::CanGetService(JSContext *aJSContext, 
                                       const nsCID &aCID)
 {
-    return CheckXPCPermissions(aJSContext, nsnull);
+    nsresult rv;
+    rv = CheckXPCPermissions(aJSContext, nsnull);
+    if (NS_SUCCEEDED(rv))
+        return rv;
+
+    static const char msg[] = "Access to XPConnect service denied.";
+    JS_SetPendingException(aJSContext, 
+                           STRING_TO_JSVAL(JS_NewStringCopyZ(aJSContext, msg)));
+    return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
+}
+
+// Result of this function should not be freed.
+static const PRUnichar *
+JSIDToString(JSContext *aJSContext, const jsid id) {
+    jsval v;
+    JS_IdToValue(aJSContext, id, &v);
+    JSString *str = JS_ValueToString(aJSContext, v);
+    return NS_REINTERPRET_CAST(PRUnichar*, JS_GetStringChars(str));
 }

 NS_IMETHODIMP
@ -1261,7 +1329,24 @@ nsScriptSecurityManager::CanCallMethod(JSContext *aJSContext,
                                       PRUint16 aMethodIndex, 
                                       const jsid aName)
 {
-    return CheckXPCPermissions(aJSContext, aObj);
+    nsresult rv;
+    rv = CheckXPCPermissions(aJSContext, aObj);
+    if (NS_SUCCEEDED(rv))
+        return rv;
+
+    // If check fails, QI to interface that lets scomponents advertise
+    // their own security requirements.
+    nsCOMPtr<nsISecurityCheckedComponent> checkedComponent =
+        do_QueryInterface(aObj, &rv);
+
+    nsXPIDLCString capability;
+    if (NS_SUCCEEDED(rv) && checkedComponent) {
+        checkedComponent->CanCallMethod((const nsIID *)&aIID,
+                                             JSIDToString(aJSContext, aName),
+                                             getter_Copies(capability));
+    }
+
+    return CheckXPCCapability(aJSContext, capability);
 }

 NS_IMETHODIMP
@ -1272,7 +1357,24 @@ nsScriptSecurityManager::CanGetProperty(JSContext *aJSContext,
                                        PRUint16 aMethodIndex, 
                                        const jsid aName)
 {
-    return CheckXPCPermissions(aJSContext, aObj);
+    nsresult rv;
+    rv = CheckXPCPermissions(aJSContext, aObj);
+    if (NS_SUCCEEDED(rv))
+        return rv;
+
+    // If check fails, QI to interface that lets scomponents advertise
+    // their own security requirements.
+    nsCOMPtr<nsISecurityCheckedComponent> checkedComponent =
+        do_QueryInterface(aObj, &rv);
+
+    nsXPIDLCString capability;
+    if (NS_SUCCEEDED(rv) && checkedComponent) {
+        checkedComponent->CanGetProperty((const nsIID *)&aIID,
+                                         JSIDToString(aJSContext, aName),
+                                         getter_Copies(capability));
+    }
+
+    return CheckXPCCapability(aJSContext, capability);
 }

 NS_IMETHODIMP
@ -1283,7 +1385,24 @@ nsScriptSecurityManager::CanSetProperty(JSContext *aJSContext,
                                        PRUint16 aMethodIndex, 
                                        const jsid aName)
 {
-    return CheckXPCPermissions(aJSContext, aObj);
+    nsresult rv;
+    rv = CheckXPCPermissions(aJSContext, aObj);
+    if (NS_SUCCEEDED(rv))
+        return rv;
+
+    // If check fails, QI to interface that lets scomponents advertise
+    // their own security requirements.
+    nsCOMPtr<nsISecurityCheckedComponent> checkedComponent =
+        do_QueryInterface(aObj, &rv);
+
+    nsXPIDLCString capability;
+    if (NS_SUCCEEDED(rv) && checkedComponent) {
+        checkedComponent->CanSetProperty((const nsIID *)&aIID,
+                                         JSIDToString(aJSContext, aName),
+                                         getter_Copies(capability));
+    }
+
+    return CheckXPCCapability(aJSContext, capability);
 }

 ///////////////////
@ -1356,7 +1475,6 @@ nsScriptSecurityManager::GetSubjectPrincipal(JSContext *cx,
    return GetPrincipalAndFrame(cx, result, &fp);
 }

-
 NS_IMETHODIMP
 nsScriptSecurityManager::GetObjectPrincipal(JSContext *aCx, JSObject *aObj, 
                                            nsIPrincipal **result)
@ -1509,9 +1627,6 @@ nsScriptSecurityManager::CheckXPCPermissions(JSContext *aJSContext,
                    return NS_OK;
            }
        }
-		static const char msg[] = "Access denied to XPConnect service.";
-		JS_SetPendingException(aJSContext, 
-			                   STRING_TO_JSVAL(JS_NewStringCopyZ(aJSContext, msg)));
        return NS_ERROR_DOM_XPCONNECT_ACCESS_DENIED;
    }
    return NS_OK;