summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@wolfbeast.com>2019-05-26 17:55:44 +0200
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-05-26 17:55:44 +0200
commit5b5743eeeb799cfcbb7386a36fc92dd3c31ac678 (patch)
treeb7b2248347b432c44cca463f3ba342616d676e5b
parenta38cc1a2f5177ea18b4c2c3e260e527250283c57 (diff)
downloadUXP-5b5743eeeb799cfcbb7386a36fc92dd3c31ac678.tar
UXP-5b5743eeeb799cfcbb7386a36fc92dd3c31ac678.tar.gz
UXP-5b5743eeeb799cfcbb7386a36fc92dd3c31ac678.tar.lz
UXP-5b5743eeeb799cfcbb7386a36fc92dd3c31ac678.tar.xz
UXP-5b5743eeeb799cfcbb7386a36fc92dd3c31ac678.zip
[places] Prevent some abuse of smart queries.
-rw-r--r--dom/events/DataTransfer.cpp8
-rw-r--r--toolkit/components/places/PlacesUtils.jsm10
2 files changed, 14 insertions, 4 deletions
diff --git a/dom/events/DataTransfer.cpp b/dom/events/DataTransfer.cpp
index 40a0f42e6..35e80fea4 100644
--- a/dom/events/DataTransfer.cpp
+++ b/dom/events/DataTransfer.cpp
@@ -39,6 +39,7 @@
#include "mozilla/dom/OSFileSystem.h"
#include "mozilla/dom/Promise.h"
#include "nsNetUtil.h"
+#include "nsReadableUtils.h"
namespace mozilla {
namespace dom {
@@ -644,6 +645,13 @@ DataTransfer::PrincipalMaySetData(const nsAString& aType,
NS_WARNING("Disallowing adding x-moz-file or x-moz-file-promize types to DataTransfer");
return false;
}
+
+ // Disallow content from creating x-moz-place flavors, so that it cannot
+ // create fake Places smart queries exposing user data.
+ if (StringBeginsWith(aType, NS_LITERAL_STRING("text/x-moz-place"))) {
+ NS_WARNING("Disallowing adding moz-place types to DataTransfer");
+ return false;
+ }
}
return true;
}
diff --git a/toolkit/components/places/PlacesUtils.jsm b/toolkit/components/places/PlacesUtils.jsm
index fc303ca8a..323fa41a1 100644
--- a/toolkit/components/places/PlacesUtils.jsm
+++ b/toolkit/components/places/PlacesUtils.jsm
@@ -908,6 +908,7 @@ this.PlacesUtils = {
* @param type
* The content type of the blob.
* @returns An array of objects representing each item contained by the source.
+ * @throws if the blob contains invalid data.
*/
unwrapNodes: function PU_unwrapNodes(blob, type) {
// We split on "\n" because the transferable system converts "\r\n" to "\n"
@@ -939,7 +940,7 @@ this.PlacesUtils = {
catch (e) {}
}
// note: this._uri() will throw if uriString is not a valid URI
- if (this._uri(uriString)) {
+ if (this._uri(uriString) && this._uri(uriString).scheme != "place") {
nodes.push({ uri: uriString,
title: titleString ? titleString : uriString,
type: this.TYPE_X_MOZ_URL });
@@ -952,11 +953,12 @@ this.PlacesUtils = {
for (let i = 0; i < parts.length; i++) {
let uriString = parts[i];
// text/uri-list is converted to TYPE_UNICODE but it could contain
- // comments line prepended by #, we should skip them
- if (uriString.substr(0, 1) == '\x23')
+ // comments line prepended by #, we should skip them, as well as
+ // empty URIs
+ if (uriString.substr(0, 1) == '\x23' || uriString == "")
continue;
// note: this._uri() will throw if uriString is not a valid URI
- if (uriString != "" && this._uri(uriString))
+ if (this._uri(uriString).scheme != "place")
nodes.push({ uri: uriString,
title: uriString,
type: this.TYPE_X_MOZ_URL });