Bug 402788 - ensure web-based protocol handlers can't override gecko-internal stuff. r=gavin, r=dmose, a=blocking1.9+

browser/components/feeds/src/WebContentConverter.js

@@ -62,6 +62,7 @@ const PREF_CONTENTHANDLERS_BRANCH = "browser.contentHandlers.types.";
 const PREF_SELECTED_WEB = "browser.feeds.handlers.webservice";
 const PREF_SELECTED_ACTION = "browser.feeds.handler";
 const PREF_SELECTED_READER = "browser.feeds.handler.default";
+const PREF_HANDLER_EXTERNAL_PREFIX = "network.protocol-handler.external";
 const PREF_ALLOW_DIFFERENT_HOST = "gecko.handlerService.allowRegisterFromDifferentHost";
 
 const STRING_BUNDLE_URI = "chrome://browser/locale/feeds/subscribe.properties";
@@ -421,7 +422,21 @@ WebContentConverterRegistrar.prototype = {
       // isn't defined yet.
       throw("Permission denied to add " + aURIString + "as a protocol handler");
     }
- 
+
+    // check if it is in the black list
+    var pb = Cc["@mozilla.org/preferences-service;1"].getService(Ci.nsIPrefBranch);
+    var allowed;
+    try {
+      allowed = pb.getBoolPref(PREF_HANDLER_EXTERNAL_PREFIX + "." + aProtocol);
+    }
+    catch (e) {
+      allowed = pb.getBoolPref(PREF_HANDLER_EXTERNAL_PREFIX + "-default");
+    }
+    if (!allowed) {
+      // XXX this should be a "security exception" according to spec
+      throw("Not allowed to register a protocol handler for " + aProtocol);
+    }
+
     var uri = this._checkAndGetURI(aURIString, aContentWindow);
 
     var buttons, message;

browser/components/feeds/test/Makefile.in

@@ -51,6 +51,7 @@ _TEST_FILES =	test_bug408328.html \
 		bug408328-data.xml \
 		test_bug368464.html \
 		bug368464-data.xml \
+		test_registerHandler.html \
 		$(NULL)
 
 libs:: $(_TEST_FILES)

browser/components/feeds/test/test_registerHandler.html

@@ -0,0 +1,87 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=402788
+-->
+<head>
+  <title>Test for Bug 402788</title>
+  <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=402788">Mozilla Bug 402788</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Bug 402788 **/
+
+  // return false if an exception has been catched, true otherwise
+  function testRegisterHandler(aIsProtocol, aTxt, aUri, aTitle)
+  {
+    try {
+      if (aIsProtocol)
+        navigator.registerProtocolHandler(aTxt, aUri, aTitle);
+      else
+        navigator.registerContentHandler(aTxt, aUri, aTitle);
+    }
+    catch(e) {
+      dump(e);
+      return false;
+    }
+
+    return true;
+  }
+
+  ok(navigator.registerProtocolHandler, "navigator.registerProtocolHandler should be defined");
+  ok(navigator.registerContentHandler, "navigator.registerContentHandler should be defined");
+
+  // testing a generic case
+  is(true, testRegisterHandler(true, "foo", "http://localhost:8888/%s", "Foo handler"), "registering a foo protocol handler should work");
+  is(true, testRegisterHandler(false, "application/rss+xml", "http://localhost:8888/%s", "Foo handler"), "registering a foo content handler should work");
+
+  // testing with wrong uris
+  is(false, testRegisterHandler(true, "foo", "http://localhost:8888/", "Foo handler"), "a protocol handler uri should contain %s");
+  is(false, testRegisterHandler(false, "application/rss+xml", "http://localhost:8888/", "Foo handler"), "a content handler uri should contain %s");
+
+  // the spec says we should not throw here, but it probably needs to be changed
+  is(false, testRegisterHandler(true, "foo", "foo/%s", "Foo handler"), "a protocol handler uri should be valid");
+  is(false, testRegisterHandler(false, "application/rss+xml", "foo/%s", "Foo handler"), "a content handler uri should be valid");
+
+  // we should only accept to register when the handler has the same host as the current page (bug 402287)
+  is(false, testRegisterHandler(true, "foo", "http://remotehost:8888/%s", "Foo handler"), "registering a foo protocol handler with a different host should not work");
+  is(false, testRegisterHandler(false, "application/rss+xml", "http://remotehost:8888/%s", "Foo handler"), "registering a foo content handler with a different host should not work");
+
+  // restriction to http(s) for the uri of the handler (bug 401343)
+  // https should work (http already tested in the generic case)
+  is(true, testRegisterHandler(true, "foo", "https://localhost:8888/%s", "Foo handler"), "registering a foo protocol handler with https scheme should work");
+  is(true, testRegisterHandler(false, "application/rss+xml", "https://localhost:8888/%s", "Foo handler"), "registering a foo content handler with https scheme should work");
+  // ftp should not work
+  is(false, testRegisterHandler(true, "foo", "ftp://localhost:8888/%s", "Foo handler"), "registering a foo protocol handler with ftp scheme should not work");
+  is(false, testRegisterHandler(false, "application/rss+xml", "ftp://localhost:8888/%s", "Foo handler"), "registering a foo content handler with ftp scheme should not work");
+  // chrome should not work 
+  is(false, testRegisterHandler(true, "foo", "chrome://localhost:8888/%s", "Foo handler"), "registering a foo protocol handler with chrome scheme should not work");
+  is(false, testRegisterHandler(false, "application/rss+xml", "chrome://localhost:8888/%s", "Foo handler"), "registering a foo content handler with chrome scheme should not work");
+  // foo should not work 
+  is(false, testRegisterHandler(true, "foo", "foo://localhost:8888/%s", "Foo handler"), "registering a foo protocol handler with foo scheme should not work");
+  is(false, testRegisterHandler(false, "application/rss+xml", "foo://localhost:8888/%s", "Foo handler"), "registering a foo content handler with foo scheme should not work");
+
+  // for security reasons, protocol handlers should never be registered for some schemes (chrome, vbscript, ...) (bug 402788)
+  is(false, testRegisterHandler(true, "chrome", "http://localhost:8888/%s", "chrome handler"), "registering a chrome protocol handler should not work");
+  is(false, testRegisterHandler(true, "vbscript", "http://localhost:8888/%s", "vbscript handler"), "registering a vbscript protocol handler should not work");
+  is(false, testRegisterHandler(true, "javascript", "http://localhost:8888/%s", "javascript handler"), "registering a javascript protocol handler should not work");
+  is(false, testRegisterHandler(true, "moz-icon", "http://localhost:8888/%s", "moz-icon handler"), "registering a moz-icon protocol handler should not work");
+
+  // for security reasons, content handlers should never be registered for some types (html, ...)
+  is(true, testRegisterHandler(false, "application/rss+xml", "http://localhost:8888/%s", "Foo handler"), "registering rss content handlers should work");
+  is(true, testRegisterHandler(false, "application/atom+xml", "http://localhost:8888/%s", "Foo handler"), "registering atom content handlers should work");
+  todo(false, testRegisterHandler(false, "text/html", "http://localhost:8888/%s", "Foo handler"), "registering html content handlers should not work"); // bug 403798
+
+</script>
+</pre>
+</body>
+</html>